Archived only: you should no longer need to apply these changes. See second update.
We recently dealt with problems for CiviCRM clients with the Authorize.net payment processor after performing a minor upgrade on Ubuntu servers. The new ca-certificates package no longer carries some older root certificates, and among those is the CA certificate needed for Authorize.net. The result is that donors through CiviCRM see an error when they try to donate:
60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Now, really, Authorize.net needs to update their stuff. This isn’t a CiviCRM problem: it’s that their certificate actually isn’t as secure as it should be. However, if you need to get donations in the meantime, you need to make sure your server recognizes the certificate. Luckily, we were able to retrieve the old certificate from a server that had yet to be upgraded. Here’s how to make it work for cURL:
First, create a folder for the extra certificate authority certificate:
sudo mkdir /usr/share/ca-certificates/extra
Next, put that certificate in the directory you just created:
sudo wget -P /usr/share/ca-certificates/extra https://raw.githubusercontent.com/agh1/ca-certificate-for-authorize.net/master/Entrust.net_Secure_Server_CA.crt
Finally, reconfigure the ca-certificates package:
sudo dpkg-reconfigure ca-certificates
- Trust new certificates from certificate authorities? - Select Yes
- Certificates to activate - highlight the checkbox for extra/Entrust.net_Secure_Server_CA.crt, hit space to check the box, and tab down to OK and hit return
These notes and the file are up on GitHub for reference: https://github.com/agh1/ca-certificate-for-authorize.net
Again, this really isn’t a proper solution, and it’s having your server trust a certificate that isn’t really secure enough to be trustworthy, but until Authorize.net upgrades their certificate, it’s what’s necessary to work with them.
UPDATE: Authorize.net has announced as of March 23, 2015, that they are beginning the process of updating their certificates. Unfortunately, they say the date for updating the certificates for production servers is still TBD.
UPDATE: Authorize.net announced the update of certificates on their production servers. You should no longer need to follow these instructions, and you should remove your custom certificates.
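The removal can also be done without the interactive dialog, because the selection made in dpkg-reconfigure is stored in /etc/ca-certificates.conf. The script below is an added example, not part of the original notes: its function names are its own, and it runs against a constructed sample file in which the `mozilla/` entries are stand-ins.

```shell
#!/bin/sh
# Added example: find and deselect the workaround CA in a
# ca-certificates.conf-style file. Format facts relied on: lines starting
# with '#' are comments, and a leading '!' marks an entry as deselected.

# Print the locally added entries (under extra/) that are still selected.
enabled_extra_cas() {
    grep -E '^extra/.+\.crt$' "$1" || true
}

# Deselect ENTRY in CONF by prefixing it with '!'; all other lines are kept.
# Returns 1 if ENTRY is not currently selected in CONF.
deselect_ca() {
    conf=$1 entry=$2
    grep -qxF "$entry" "$conf" || return 1
    tmp=$(mktemp) || return 2
    # Write through cat so the original file keeps its owner and mode.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample standing in for /etc/ca-certificates.conf.
demo_conf() {
    cat <<'EOF'
# Constructed sample, not copied from a real server
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/Some_Deselected_Root.crt
extra/Entrust.net_Secure_Server_CA.crt
EOF
}

sample=$(mktemp)
demo_conf > "$sample"
echo "selected local CAs before: $(enabled_extra_cas "$sample")"
deselect_ca "$sample" extra/Entrust.net_Secure_Server_CA.crt
echo "selected local CAs after:  $(enabled_extra_cas "$sample")"
rm -f "$sample"

# On a real server, as root: run deselect_ca on /etc/ca-certificates.conf,
# run `update-ca-certificates --fresh` to rebuild /etc/ssl/certs, then
# delete the .crt file from /usr/share/ca-certificates/extra.
```

Running `enabled_extra_cas /etc/ca-certificates.conf` on its own needs no root and shows whether a server still carries the workaround.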
Having this problem but feeling like it’s a bit much for you? That’s where Civi911 comes in. We can go in, upgrade this and test out your system, saving you the frustration of spending all day on issues like this. Read more at civi911.com or go straight to requesting support online.