I have a transaction-processing function to charge my customers money. It uses curl to contact authorize.net. A recent server update broke it, altering the certificate bundle or something. Using curl from the command line results in a cert validation failure:
$ curl https://secure.authorize.net/gateway/transact.dll --cacert ./logfile
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I went to the haxx.se site and, reading it, I realized I've encountered this problem before when a server update changed the certificate bundle. I'd like to fix this once and for all in such a way that an updated cert bundle won't break it, but I don't quite understand how to do it.
I ran the openssl command indicated on the haxx.se site on the url I'm trying to connect to:
openssl s_client -connect secure.authorize.net:443 | tee logfile
Here's the resulting file:
$ cat logfile
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/2.5.4.15=Private Organization/serialNumber=2838921/CN=secure.authorize.net
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/2.5.4.15=Private Organization/serialNumber=2838921/CN=secure.authorize.net
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
---
No client certificate CA names sent
---
SSL handshake has read 4060 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 6DD2963E5037B3774EA07CCA3A1B5707F90DDB76938CEE2E788FCFC3D77EA5E4
Session-ID-ctx:
Master-Key: 083E2CD9E435E9CAFA53CC1A2DC66D4F6FBD96CE84298615BE7256163CC9389A2F56B0281E7DE05184DBB6C8ABA3B634
Key-Arg : None
Start Time: 1428176904
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Unfortunately, I cannot use this file to remedy the curl SSL validation problem:
curl --cacert logfile https://secure.authorize.net/gateway/transact.dll
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
I have tried editing the log file to pare it down to just the cert section and it still doesn't work. Can someone help me create an appropriate CACERT file that I can use with curl such that I can validate this URL?
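The reason the captured logfile does not work as a `--cacert` file is visible in the log itself: `openssl s_client` without `-showcerts` prints only the server's own certificate, and "Verify return code: 20 (unable to get local issuer certificate)" means the issuer (CA) certificates are what is missing. The script below is an added example, not code from the original post, curl, or authorize.net; it assumes a POSIX shell with awk and mktemp, and builds a CA-only bundle from `-showcerts` output by dropping the leaf and keeping the issuers.

```shell
#!/bin/sh
# Added example, not code from the original post, curl, or authorize.net.
# `openssl s_client -connect host:443` without -showcerts prints only the
# server's own (leaf) certificate, so the asker's logfile cannot act as a
# --cacert bundle: curl needs the CA certificates that signed the leaf,
# which is what "Verify return code: 20 (unable to get local issuer
# certificate)" reports. This script takes -showcerts output and keeps
# every certificate except the first, producing a bundle of issuers only.

# extract_issuers INPUT OUTPUT
#   Copies every PEM block after the first (the leaf) to OUTPUT and prints
#   the number of issuer certificates written (0 means only the leaf was
#   present, i.e. -showcerts was not used or the server sent no chain).
extract_issuers() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n > 1               { print > out }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
        END                            { print n - 1 }
    ' out="$2" "$1"
}

# Constructed sample in the layout -showcerts produces; the PEM bodies are
# placeholders, not real certificates.
SAMPLE_CHAIN=$(mktemp)
cat > "$SAMPLE_CHAIN" <<'EOF'
Certificate chain
 0 s:/CN=secure.authorize.net
   i:/CN=Entrust Certification Authority - L1E
-----BEGIN CERTIFICATE-----
LEAF_PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Entrust Certification Authority - L1E
   i:/CN=Entrust Root Certification Authority
-----BEGIN CERTIFICATE-----
INTERMEDIATE_PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/CN=Entrust Root Certification Authority
   i:/CN=Entrust.net Secure Server Certification Authority
-----BEGIN CERTIFICATE-----
ROOT_PLACEHOLDER
-----END CERTIFICATE-----
Verify return code: 20 (unable to get local issuer certificate)
EOF

# Real use (needs network; not run here):
#   openssl s_client -connect secure.authorize.net:443 -showcerts </dev/null >chain.txt
#   extract_issuers chain.txt issuers.pem
#   curl --cacert issuers.pem https://secure.authorize.net/gateway/transact.dll
# Prefer the root from the CA's own site over one captured off the wire.
```

A bundle built this way keeps working across OS cert-bundle updates because curl reads it instead of the system bundle; it must be refreshed when the CA rotates its intermediate.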