Archived only: you should no longer need to apply these changes. See second update.
We recently dealt with problems for CiviCRM clients with the Authorize.net payment processor after performing a minor upgrade on Ubuntu servers. The new ca-certificates package no longer carries some older root certificates, and among those is the CA certificate needed for Authorize.net. The result is that donors through CiviCRM see an error when they try to donate:
60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Now, really, Authorize.net needs to update their stuff. This isn’t a CiviCRM problem: it’s that their certificate actually isn’t as secure as it should be. However, if you need to get donations in the meantime, you need to make sure your server recognizes the certificate. Luckily, we were able to retrieve the old certificate from a server that had yet to be upgraded. Here’s how to make it work for cURL:
First, create a folder for the extra certificate authority certificate:
sudo mkdir /usr/share/ca-certificates/extra
Next, put that certificate in the directory you just created:
cd /usr/share/ca-certificates/extra
sudo wget https://raw.githubusercontent.com/agh1/ca-certificate-for-authorize.net/master/Entrust.net_Secure_Server_CA.crt
Finally, reconfigure the ca-certificates package:
sudo dpkg-reconfigure ca-certificates
- Trust new certificates from certificate authorities? – Select Yes
- Certificates to activate – highlight the checkbox for extra/Entrust.net_Secure_Server_CA.crt, hit space to check the box, and tab down to OK and hit return
These notes and the file are up on GitHub for reference: https://github.com/agh1/ca-certificate-for-authorize.net
Again, this really isn’t a proper solution, and it’s having your server trust a certificate that isn’t really secure enough to be trustworthy, but until Authorize.net upgrades their certificate, it’s what’s necessary to work with them.
UPDATE: Authorize.net has announced as of March 23, 2015, that they are beginning the process of updating their certificates. Unfortunately, they say the date for updating the certificates for production servers is still TBD.
UPDATE: Authorize.net announced the update of certificates on their production servers. You should no longer need to follow these instructions, and you should remove your custom certificates.
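Removing the custom certificate means reversing each step above: deselect the entry, rebuild the trust store, and delete the file. The script below is an added example, not part of the original post or the GitHub notes. It assumes the stock Ubuntu layout, where /etc/ca-certificates.conf lists one certificate per line and a leading "!" marks an entry as deselected. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: roll back the temporary trust of the extra CA certificate.
# Assumption: CONF follows the Ubuntu ca-certificates format. Override CONF
# to try the functions on a copy before touching the live file.
CONF="${CONF:-/etc/ca-certificates.conf}"
ENTRY="extra/Entrust.net_Secure_Server_CA.crt"

# Print every locally added (extra/) CA that is still enabled.
# Deselected lines start with "!" and comments with "#", so neither matches.
list_enabled_extra() {
    grep -E '^extra/' "$1" || true
}

# Deselect one entry by prefixing it with "!". All other lines are kept.
# The result is written back with cat so the file keeps its owner and mode.
disable_entry() {
    conf="$1"
    entry="$2"
    tmp="$(mktemp)" || return 1
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Full rollback on a live server (run as root):
#   1. deselect the entry,
#   2. rebuild /etc/ssl/certs from scratch so the stale symlink is dropped,
#   3. delete the certificate file that was downloaded earlier.
rollback() {
    disable_entry "$CONF" "$ENTRY" &&
        update-ca-certificates --fresh &&
        rm -f "/usr/share/ca-certificates/$ENTRY"
}

# Usage:
#   list_enabled_extra "$CONF"   # audit: which extra CAs are still trusted?
#   rollback                     # then confirm the audit prints nothing
```

After the rollback, a test donation confirms that the payment processor's updated certificate validates against the stock trust store.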
Having this problem but feeling like it’s a bit much for you? That’s where Civi911 comes in. We can go in, upgrade this and test out your system, saving you the frustration of spending all day on issues like this. Read more at civi911.com or go straight to requesting support online.