Thanks Greg.

An additional note; since that file will not receive automated updates on Windows, it would not be a bad idea to have a recurring task (project management system, Outlook reminder for multiple people, etc.) to check and update that CA bundle perhaps annually. The reason is that you could miss out on the addition of new intermediate or trusted root CA's, and that could ultimately result in an outage talking to a payment or shipping gateway the store uses on a per-transaction basis.

For Windows you can update the paths to <paths root="c:\xxx" data="c:\xxx" cafile="c:\xxx\certs\ca-bundle.crt" /> replacing ca= with cafile= as David mentioned above

We used the ca-bundle.crt from Mozilla

Checking; which version of Windows?

ILoveHostasaurus What is the correct directive to use on a Windows installation?

<paths root="c:\xxx" data="c:\xxx" ca="c:\xxx\certs\openssl-1.0" />

If this is a site hosted by us please email me so we can take a look. If not, then I suspect the issue would be that the sites are using the Empresa legacy certificate bundle and not the operating system's certificate bundle. The Empresa certificate bundle is no longer maintained so new roots and intermediates of the past couple years would not be present, and could cause this. If that is the case, the fix for those sites would be to alter the Empresa config to use the CA File directive to point at the operating system certificate repository instead of the CA Dir directive to point at the Empresa bundle. On RHEL/CentOS the bundle file to use would be /etc/ssl/certs/ca-bundle.crt, and the 3.x config is just cafile=/etc/ssl/certs/ca-bundle.crt (with the previous cadir= commented out)

I still get the same error at this moment. Something I need to do? MvCall works fine on some servers (at least 3), but fails to Miva and one other.

The license manager CA cert was updated to replace the expired cert at 8:50a EST; it was expired for about three hours.

Appears to be related to an AddTrust Root CA expiring this morning.