Gentoo Forums
ca-certificates-20140927.3.17.2 & secure.authorize.net
trosmus
n00b


Joined: 01 Apr 2015
Posts: 3
Location: Seattle, WA

Posted: Thu Apr 02, 2015 6:52 pm    Post subject: ca-certificates-20140927.3.17.2 & secure.authorize.net

Ever since the latest update to ca-certificates, SSL connections to secure.authorize.net
have been failing with "Verification failure: unable to get local issuer certificate".

Any ideas? This has broken a couple of colo websites that use secure.authorize.net
for CC payments. OpenSSL shows...

# openssl s_client -connect secure.authorize.net:443 -CApath /etc/ssl/certs

depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=secure.authorize.net
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=secure.authorize.net
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
---
No client certificate CA names sent
---
SSL handshake has read 4060 bytes and written 622 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: 6DD2963E50361AB64EA07CCA3A1B540613EB098F7940D2E2788FCFC3D74376A1
Session-ID-ctx:
Master-Key: 1E7CE52A1CCE660E8580D3B8E86FCEC2A233633F69EB1C46FB0F8E01DEFCC53787606FDB7358FCE3457F7A250858C6D4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1428000589
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
Tub
n00b


Joined: 08 Feb 2005
Posts: 21

Posted: Wed Apr 08, 2015 8:47 am

I recently noticed similar problems connecting to nic.changeip.com. Downgrading to app-misc/ca-certificates-20130906-r1 did not resolve my issue.

I've tried connecting from several computers with multiple applications to both secure.authorize.net and nic.changeip.com:

* gentoo, openssl on the command line: neither works
* Ubuntu 14.10 LTS, openssl on the command line: neither works
* gentoo, Firefox: authorize.net works, changeip.com doesn't
* Windows, Firefox: authorize.net works, changeip.com doesn't
* gentoo, chromium: both work
* Windows, Chrome: both work
* Windows, IE11: authorize.net works, changeip.com doesn't

So whatever happened, it's not gentoo specific. I'm not entirely sure our problems are related (except for happening within a few days of each other), since the error messages are different.

If changeip.com stopped working, I'd expect thousands of angry voices, yet I have still to find a single report..


Have you found a solution to your problems?
_________________
m00
trosmus
n00b


Joined: 01 Apr 2015
Posts: 3
Location: Seattle, WA

Posted: Wed Apr 08, 2015 5:56 pm

Interesting, I did not have any problems with nic.changeip.com.

The problem I found with Authorize.net, just today, is explained in this URL...

http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615

Why it was not handled cleaner is a puzzle to me. A temp fix involving adding the old SHA1 CA cert can be found here...

https://aghstrategies.com/content/SSL3_GET_SERVER_CERTIFICATE

For Gentoo, you would put this cert in /usr/local/share/ca-certificates and then run "update-ca-certificates".
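
An added example, not part of the thread: a shell helper that reads openssl s_client output like the first post's and prints the issuer of the last certificate the server sent, which is the CA the local store must hold for error 20 to clear. The function names are hypothetical and the sample input is a constructed, shortened copy of that post's chain.

```shell
#!/bin/sh
# Added example. SAMPLE_OUTPUT is constructed: the chain block from the first
# post, with each DN shortened to its C, O and CN fields.
SAMPLE_OUTPUT='verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Cybersource Corporation/CN=secure.authorize.net
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1E
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1E
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority
 2 s:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority
   i:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
---
Verify return code: 20 (unable to get local issuer certificate)'

# required_anchor (hypothetical name): read s_client output on stdin and print
# the issuer DN of the last certificate in the chain. Returns 1 if no chain is
# present or if a certificate is not issued by the one that follows it.
required_anchor() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            # Each certificate after the first must be the issuer of the previous one.
            if (n > 0 && subj != issuer) broken = 1
            n++
        }
        in_chain && /^ *i:/ { issuer = $0; sub(/^ *i:/, "", issuer) }
        END {
            if (n == 0 || broken) exit 1
            print issuer
        }
    '
}

# verify_code (hypothetical name): print the numeric "Verify return code".
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Live use, with the command from the first post:
#   openssl s_client -connect secure.authorize.net:443 -CApath /etc/ssl/certs \
#       </dev/null 2>&1 | required_anchor
printf '%s\n' "$SAMPLE_OUTPUT" | required_anchor
```

If the printed DN has no matching certificate under /etc/ssl/certs, that is the CA to place in /usr/local/share/ca-certificates before running update-ca-certificates.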