Thanks for the heads up ryandjohnson (see tweet below)
ryandjohnson @ryandjohnson Feb 24 Ubuntu trusty-security ca-certificates update last night removes legacy 1024 Entrust root, breaking http://secure.authorize.net @authorizenet
It seems a that a certain vendor of merchant accounts is behind the times.
If you are expecting an old 1024 bit cert to last forever,
you should be the vendor of last choice.
Here is how you can check:
curl -Iv https://secure.authorize.net * About to connect() to secure.authorize.net port 443 (#0) * Trying 64.94.118.32... connected * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ... Same thing happens for curl -v https://secure.authorize.net/gateway/transact.dll ...
If your website had any useful info, that would be nice.
If you are developing against old cruft, you could fake it on your test servers (thanks to Neil Wilson):
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/
If that goes away (summary):
sudo mkdir /usr/local/share/ca-certificates/cacert.org sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt sudo update-ca-certificates
If you have to dig through Mozilla certs to get one:
http://curl.haxx.se/docs/caextract.html
If you are [daring | stupid]:
Chuck this Entrust.netSecureServerCertificationAuthority.crt in /usr/local/share/ca-certificates/
Or fetch it yourself from the vendor.
I don't think you need to run update-ca-certificates - as Ubuntu docs say that location is trusted and you don't need to add anything to /etc/ca-certificates.conf line Please note: This cert gives up the ghost on 6/6/2015, and the ssl vendor has assured me that they will replace it before that point.
I am not holding my breath :-)
But, what are you going to do? Set up your own CA and get it in a browser?