Cert mania! Authorize.net why have you forsaken us?





Thanks for the heads-up, ryandjohnson (see tweet below):
ryandjohnson @ryandjohnson  Feb 24
Ubuntu trusty-security ca-certificates update last night removes legacy 1024 Entrust root, breaking http://secure.authorize.net  @authorizenet

It seems that a certain vendor of merchant accounts is behind the times.
If you expect a chain anchored on a legacy 1024-bit root to be trusted forever,
you deserve to be the vendor of last choice.
Here is how you can check:
curl -Iv https://secure.authorize.net
* About to connect() to secure.authorize.net port 443 (#0)
*   Trying 64.94.118.32... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
...

The same thing happens for curl -v https://secure.authorize.net/gateway/transact.dll, the endpoint merchant integrations actually post to. Note the CApath: /etc/ssl/certs line above: that directory is the ca-certificates trust store, and the chain the server sends is anchored on the legacy 1024-bit Entrust root that the update removed from it, so the verifier has no trust anchor left to chain to.
...


If your website had any useful info, that would be nice.
If you are developing against old cruft, you can add the missing CA to the trust store on your test servers (thanks to Neil Wilson):
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/
If that page goes away, the summary (note the downloads are plain HTTP, so compare the fingerprints against the ones CAcert publishes before you trust what you fetched):
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates

If you need to dig a CA out of the Mozilla bundle, curl's extract of it is here:
http://curl.haxx.se/docs/caextract.html

If you are [daring | stupid]:
Drop this Entrust.netSecureServerCertificationAuthority.crt into /usr/local/share/ca-certificates/ (it must be PEM and keep the .crt extension), or fetch it yourself from the vendor, and then run sudo update-ca-certificates.
The Ubuntu docs are right that you do not need to add anything to /etc/ca-certificates.conf for that directory, because it is scanned automatically, but the scan only happens when update-ca-certificates runs: that is what writes the hash symlinks into /etc/ssl/certs (the CApath in the curl output above) and rebuilds the bundle, so until it runs the new root is not trusted by anything.
Please note: this cert gives up the ghost on 6/6/2015, and the SSL vendor has assured me that they will replace it before that point.
I am not holding my breath :-)
But, what are you going to do? Set up your own CA and get it in a browser?
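As an added example (not from the original post, and not Authorize.net's or Ubuntu's code), the sh script below shows the mechanism behind the update-ca-certificates step: it generates a throwaway self-signed test root and a leaf signed by it (constructed test data, no real Entrust material), copies the root into a fresh CA directory, and checks the leaf against that directory before and after creating the <subject-hash>.0 symlink that update-ca-certificates (via openssl rehash / c_rehash) would create. A CAfile-style check against the root succeeds either way; the CApath-style check, which is what curl was doing against /etc/ssl/certs in the output above, fails until the directory is rehashed. It assumes openssl is on PATH; the file and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates why dropping a
# .crt into a CA directory is not enough on its own: OpenSSL's hash-dir lookup
# (what curl uses for "CApath: /etc/ssl/certs") only finds files named
# <subject-hash>.N, and those symlinks are what update-ca-certificates creates.
# All material below is a throwaway test PKI generated on the fly.
set -eu

# Build a constructed test PKI in directory $1: root.crt/root.key and a leaf
# certificate signed by that root. Default req settings mark the root CA:TRUE.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test Root" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -sha256 -out "$1/leaf.crt" 2>/dev/null
}

# Verify leaf ($2) against a hash directory ($1), the way a CApath lookup does.
# Prints ok or fail instead of exiting so the caller can compare outcomes.
verify_capath() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Verify leaf ($2) against a single bundle file ($1), the way curl --cacert does.
verify_cafile() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Emulate the per-directory step of update-ca-certificates: create the
# <subject-hash>.0 symlink next to each .crt so hash-dir lookup can find it.
rehash_dir() {
  for crt in "$1"/*.crt; do
    h=$(openssl x509 -in "$crt" -noout -hash)
    ln -sf "$(basename "$crt")" "$1/$h.0"
  done
}

# Runs the whole demonstration and prints one summary line.
capath_demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  cadir="$work/ca-dir"
  mkdir -p "$cadir"
  cp "$work/root.crt" "$cadir/ExampleTestRoot.crt"

  r_file=$(verify_cafile "$work/root.crt" "$work/leaf.crt")
  r_before=$(verify_capath "$cadir" "$work/leaf.crt")   # .crt present, no hash link
  rehash_dir "$cadir"
  r_after=$(verify_capath "$cadir" "$work/leaf.crt")    # hash link now present

  rm -rf "$work"
  echo "cafile=$r_file capath-before-rehash=$r_before capath-after-rehash=$r_after"
}

capath_demo
```

To see which chain and dates a live server actually sends, the usual check is openssl s_client -connect secure.authorize.net:443 -showcerts </dev/null piped into openssl x509 -noout -subject -issuer -dates; the issuer of the last certificate printed is the root your store must contain.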


