Troubleshooting Question

Failure to verify host certificate with cURL call

Asked by Steve Bink (United States of America)
Tags: SSL / HTTPS, PHP, E-Commerce
3 Comments, 1 Solution, 1827 Views
Some back-story: I was running a server with Ubuntu 10.04 and used `apt-get upgrade` to move to 12.04.  The upgrade was successful, but I had a custom ppa in sources (ondrej/PHP5 for PHP 5.5).  The custom ppa also upgraded Apache from 2.2 to 2.4, which was undesirable.  It ended up being a painful mess to revert Apache/PHP back to 2.2/5.3.10.  That is complete, with everything appearing to be running OK.

Concurrently, I have started seeing a failure in an e-commerce site on the server.  For credit card processing, the application uses PHP's cURL library to call Authorize.net's AIM gateway.  Some investigation found that cURL was returning a validation error on the peer certificate:
[07-Aug-2014 04:21:03 UTC] -ELOG:1- (blindsusa:ddpjj4a23o9hk8sh1ka10fb265) curl exec err=60:SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I tested with openssl s_client, and saw something very similar:
#> openssl s_client -connect secure.authorize.net:443 -verify 3
verify depth is 3
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify error:num=27:certificate not trusted
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1E
verify return:1
depth=0 C = US, ST = California, L = Mountain View, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, O = Cybersource Corporation, businessCategory = Private Organization, serialNumber = 2838921 + CN = secure.authorize.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=secure.authorize.net
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
 2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
Looking in /etc/ssl/certs, I can see what look to be the appropriate certificates.  Using -CApath or -CAfile on openssl showed no change.  I even tried downloading the current certs from Entrust's site, with no change.

Any ideas for how I can resolve this issue?  The short-term solution was to set CURL_SSL_VERIFYPEER to false, but I dislike that.  How can I properly validate Authorize.net's certificate chain?
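The question asks how to keep peer verification on rather than setting the verify-peer option to false. The following is an added example, not code from the original question or from Authorize.net: a fail-closed cURL wrapper for PHP 5.3 that pins cURL to an explicit CA bundle and refuses to send the transaction when the chain cannot be verified. The bundle path, the function name and the gateway URL placeholder are assumptions.

```php
<?php
// Added example (not from the original post): keep CURLOPT_SSL_VERIFYPEER on,
// point cURL at an explicit CA bundle, and fail closed on cURL error 60.
// $ca_bundle default is an assumption; adjust to the system's bundle path.
function gateway_post($url, array $fields, $ca_bundle = '/etc/ssl/certs/ca-certificates.crt')
{
    if (!is_readable($ca_bundle)) {
        return array('ok' => false, 'errno' => -1,
                     'error' => "CA bundle not readable: $ca_bundle", 'body' => null);
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // validate the server chain against $ca_bundle
        CURLOPT_SSL_VERIFYHOST => 2,     // hostname must match the certificate
        CURLOPT_CAINFO         => $ca_bundle,
        CURLOPT_TIMEOUT        => 30,
    ));

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    // Raw OpenSSL verify result: 0 = OK, 20 = unable to get local issuer
    // certificate (the same code openssl s_client printed above).
    $verify = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
    curl_close($ch);

    if ($errno === CURLE_SSL_CACERT) {  // cURL error 60: chain not verified
        // Fail closed: log the detail and abort; never retry with verification off.
        error_log("gateway TLS verification failed (verify result $verify): $error");
        return array('ok' => false, 'errno' => $errno, 'error' => $error, 'body' => null);
    }
    if ($errno !== 0) {
        return array('ok' => false, 'errno' => $errno, 'error' => $error, 'body' => null);
    }
    return array('ok' => true, 'errno' => 0, 'error' => '', 'body' => $body);
}

// Usage (the endpoint path is a placeholder; AIM request fields omitted):
// $r = gateway_post('https://secure.authorize.net/<AIM endpoint>', array(/* AIM fields */));
// if (!$r['ok']) { /* do not treat the card as charged; surface $r['error'] */ }
```

If the call still fails with error 60 after pointing CURLOPT_CAINFO at the bundle, the bundle itself lacks the issuer of the chain's top certificate, which is what the openssl s_client output above (verify error 20 at depth 2) indicates.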
Asker certified solution by gr8gonzo (Consultant)