I was bit by not having the right root CA certificates for Authorize.net's new Entrust-originated SHA2 certificate on secure.authorize.net. Using ruby net/https produced this OpenSSL error:
/usr/local/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
They made a blog post about it:
and claim that you should have:
- EnTrust G2: http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/
- EnTrust L1K: http://www.entrust.net/knowledge-base/technote.cfm?tn=8863
but in our testing we needed another root certificate. I'm not sure why, because Entrust does provide the G2 certificate as a root certificate (= self-signed). Maybe because Authorize.net is providing a non-self-signed (i.e., not root) version of the G2 certificate in their chain?
So the extra certificate we needed is "Entrust Root Certification Authority": https://www.entrust.net/downloads/binary/entrust_ev_ca.cer (B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9)
which Entrust signed their G2 certificate with (and the L1K cert is signed with the G2). You'll notice that that is an SHA-1 certificate, but that doesn't matter for a root CA certificate.
If you use activemerchant, I think upgrading to the latest will take care of it; it bundles its own CA list. If you can't upgrade, though, you can add certificates to the included bundle:
gems/active_utils-VERSION/lib/certs/cacert.pem
Hope this helps,
-Rich/@mendel
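The trust-store situation Rich describes, as an added Ruby/OpenSSL example that is not code from this thread: a constructed, throw-away PKI with hypothetical names mirrors the chain (Entrust Root, a G2 that exists both as a self-signed download and as a cross-signed copy in the server's chain, L1K, leaf), and shows that only an anchor that actually closes the chain the server sends makes verification succeed.

```ruby
require "openssl"

# Issue a v3 certificate for +cn+ with +key+. With no issuer it is self-signed.
# Constructed, hypothetical material only; nothing here is Entrust's real PKI.
def issue(cn, key, issuer: nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 63)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Root -> G2 (cross-signed) -> L1K -> leaf, plus a self-signed G2 using the same key,
# i.e. the "root" download from entrust.com versus the copy the server presents.
def build_pki
  root_key, g2_key, l1k_key, leaf_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root = { key: root_key, cert: issue("Entrust Root CA (constructed)", root_key) }
  g2_self = issue("Entrust G2 (constructed)", g2_key)
  g2_cross = issue("Entrust G2 (constructed)", g2_key, issuer: root)
  g2 = { key: g2_key, cert: g2_cross }
  l1k = { key: l1k_key, cert: issue("Entrust L1K (constructed)", l1k_key, issuer: g2) }
  leaf = issue("secure.example.test", leaf_key, issuer: l1k, ca: false)
  { root: root[:cert], g2_self: g2_self, g2_cross: g2_cross, l1k: l1k[:cert], leaf: leaf }
end

# Verify +leaf+ against a store holding only +trusted+, with +server_chain+ as the
# untrusted intermediates the server sent (what net/https does with ca_file).
def verify_with(trusted, leaf, server_chain)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, server_chain)
  ok = ctx.verify
  [ok, ok ? "ok" : ctx.error_string]
end

pki = build_pki
chain = [pki[:l1k], pki[:g2_cross]]                  # what the server presents
p verify_with([pki[:g2_cross]], pki[:leaf], chain)   # false: cross-signed G2 is no self-signed anchor
p verify_with([pki[:root]], pki[:leaf], chain)       # true: the root that signed G2 closes the chain
# Self-signed G2 only: OpenSSL >= 1.1.0 prefers the trusted copy and succeeds; OpenSSL
# before 1.0.2 followed the chain's cross-signed copy to its issuer and failed.
p verify_with([pki[:g2_self]], pki[:leaf], chain)
```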
First, thank you!
to follow up...
For me, I'm stuck on an old version of Spree. My solution wasn't to update the root certificates on the server (which I thought it was); it was found in our comments about active-utils, which include the CA bundles. I simply updated the gem source file with the latest file (https://github.com/Shopify/active_utils/blob/master/lib/certs/cacert.pem); being that it wasn't code specific, mixing versions wasn't a huge concern. After I updated the content, orders processed as usual.
Many thanks and hopefully this might help someone else - it's never fun or easy to debug live code while clients are barking about broken shopping carts!
Peace out-
Chris