I was bit by not having the right root CA certificates for Authorize.net's new Entrust-originated SHA2 certificate on secure.authorize.net. Using ruby net/https produced this OpenSSL error:
/usr/local/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
They made a blog post about it:
and claim that you should have:
- EnTrust G2: http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/
- EnTrust L1K: http://www.entrust.net/knowledge-base/technote.cfm?tn=8863
but in our testing we needed another root certificate. I'm not sure why, because Entrust does provide the G2 certificate as a root certificate (= self-signed). Maybe because Authorize.net is providing a non-self-signed (i.e., not root) version of the G2 certificate in their chain?
So the extra certificate we needed is "Entrust Root Certification Authority": https://www.entrust.net/downloads/binary/entrust_ev_ca.cer (B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9)
which Entrust signed their G2 certificate with (and the L1K cert is signed with the G2). You'll notice that that is an SHA-1 certificate, but that doesn't matter for a root CA certificate.
If you use activemerchant, I think upgrading to the latest will take care of it; it bundles its own CA list. If you can't upgrade, though, you can add certificates to the included bundle:
gems/active_utils-VERSION/lib/certs/cacert.pem
Hope this helps,
-Rich/@mendel
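Added example, not part of the original post or of activemerchant's code: checking a downloaded root certificate's SHA-1 fingerprint against the published value before appending it to a PEM bundle, then confirming that a chain which failed verification now passes. The certificates and names are constructed test data generated in the script, and the helper names are hypothetical.

```ruby
require "openssl"

# SHA-1 fingerprint of the DER encoding, grouped like "B31E B1B7 40E3 ...".
def sha1_fingerprint(cert)
  OpenSSL::Digest.new("SHA1").hexdigest(cert.to_der).upcase.scan(/.{4}/).join(" ")
end

# Return the bundle with cert_pem appended, but only if its fingerprint matches
# the value obtained out of band; otherwise refuse to extend the trust store.
def add_to_bundle(bundle_pem, cert_pem, expected_fp)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  actual = sha1_fingerprint(cert)
  raise ArgumentError, "fingerprint mismatch: #{actual}" unless actual == expected_fp
  bundle_pem + cert.to_pem
end

# Verify leaf using the roots in bundle_pem plus the server-sent intermediates.
def chain_verifies?(bundle_pem, leaf, intermediates)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(leaf, intermediates)
end

# Build one constructed certificate; issuer_cert nil means self-signed root.
def make_cert(cn, key, issuer_cert, issuer_key, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(bc.create_extension("basicConstraints", is_ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Constructed PKI: root -> intermediate -> leaf (stand-ins, not real Entrust certs).
def demo_pki
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Constructed Root", rk, nil, rk, true)
  inter = make_cert("Constructed Intermediate", ik, root, rk, true)
  [root, inter, make_cert("constructed.example", lk, inter, ik, false)]
end

if __FILE__ == $PROGRAM_NAME
  root, inter, leaf = demo_pki
  puts "root missing from bundle: #{chain_verifies?('', leaf, [inter])}"
  bundle = add_to_bundle("", root.to_pem, sha1_fingerprint(root))
  puts "root added to bundle:     #{chain_verifies?(bundle, leaf, [inter])}"
end
```

For the real bundle, pass the contents of cacert.pem as `bundle_pem` and the fingerprint published with the certificate as `expected_fp`, then write the returned string back to the file.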
Don't worry about extensions; there are lots that are the same file format (.crt, .cer, .pem). I don't know how Ubuntu manages its root CA bundle, but the format at that link is the usual format OpenSSL and NSS expect, so you should be fine.