Dealing with old certificates from

Archived only: you should no longer need to apply these changes.  See second update.

We recently dealt with problems for CiviCRM clients with the payment processor after performing a minor upgrade on Ubuntu servers.  The new ca-certificates package no longer carries some older root certificates, and among those is the CA certificate needed for  The result is that donors through CiviCRM see an error when they try to donate:

60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Now, really, needs to update their stuff.  This isn’t a CiviCRM problem: it’s that their certificate actually isn’t as secure as it should be.  However, if you need to get donations in the meantime, you need to make sure your server recognizes the certificate.  Luckily, we were able to retrieve the old certificate from a server that had yet to be upgraded.  Here’s how to make it work for cURL:

First, create a folder for the extra certificate authority certificate:

sudo mkdir /usr/share/ca-certificates/extra

Next, put that certificate in the directory you just created:

cd /usr/share/ca-certificates/extra

sudo wget

Finally, reconfigure the ca-certificates package:

sudo dpkg-reconfigure ca-certificates

  • Trust new certificates from certificate authorities? - Select Yes
  • Certificates to activate - highlight the checkbox for extra/Entrust.net_Secure_Server_CA.crt, hit space to check the box, and tab down to OK and hit return

These notes and the file are up on GitHub for reference:

Again, this really isn’t a proper solution, and it’s having your server trust a certificate that isn’t really secure enough to be trustworthy, but until upgrades their certificate, it’s what’s necessary to work with them.

UPDATE: has announced as of March 23, 2015, that they are beginning the process of updating their certificates.  Unfortunately, they say the date for updating the certificates for production servers is still TBD.

UPDATE: announced the update of certificates on their production servers.  You should no longer need to follow these instructions, and you should remove your custom certificates.

Having this problem but feeling like it’s a bit much for you?  That’s where Civi911 comes in.  We can go in, upgrade this and test out your system, saving you the frustration of spending all day on issues like this.  Read more at or go straight to requesting support online.