Comm results: 60 SSL certificate problem: unable to get local issuer certificate

Thank you for reading this and helping to resolve the problem.

I am getting the error message shown below during checkout. Checkout works fine for check/money order and for PayPal. The problem is when checking out with a credit card (Authorize.net).

This is background information in anticipation of your basic questions:

• Zen Cart v1.5.3 – fresh install
• PHP Version: 5.3.28 (Zend: 2.3.0)
• Database: MySQL 5.5.38-log
• SSL certificate installed by web host aplus.net
• SSL enabled in config files
  
  • "https:" URL was used for BOTH the HTTP_SERVER and HTTPS_SERVER entries
  
  
• Credit Cards turned on via Admin > Configuration > Credit Cards (Visa and Mastercard)
• Authorize.net AIM Module Enabled and set-up with correct AP Login and Transaction Key
• Module in production mode
• Authorize.net account set to production (NOT test)
• Dr. Byte’s authorizenet_aim.php file uploaded
  
  • Deleted old file, uploaded this new file
  • Found at: http://www.zen-cart.com/showthread.p...64#post1263564
  
  
• Note: When that didn’t resolve the problem, the authorizenet_aim.php file from zen cart v1.5.4 was installed – still no resolution
• Checkout using VISA test card #4111111111111111

Error message during checkout:

Communications Error - Please notify webmaster. - Your credit card could not be authorized for this reason. Please correct the information and try again or contact us for further assistance.

I spoke with Authorize.net and they do not have any indication on their end that a transaction was even attempted, so no resolution on that end.

I then attempted to checkout again, this time with debug on.

The Debug Email shows the message below. I am willing to speak with the SSL certificate issuer or the web host if that’s where I need to go. However, I don’t know enough from what I see in the results (below) to know how to properly phrase a question. I want to avoid the old "it’s not on our end" circle of frustration.

My question is:

Given the information in the debug report, what is the problem that I am trying to resolve?

Also, if you can tell from the information that there is a step I should take, please describe what I need to do.

I am not a programmer so plain English is greatly appreciated.

Thank you for anything you can share to help me get this resolved.



Debug Email Contents:

Comm results: 60 SSL certificate problem: unable to get local issuer certificate

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
...etc....etc....etc.

Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.268828
[namelookup_time] => 0.057513
[connect_time] => 0.127904
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received:

One thing; about the file you uploaded. I uploaded (replaced) two files, not one, and I got them from downloading and unzipping the entire (New) Zen-Cart, and copied the two files from that (they aren't the same file). I'm sure you probably know this, but also, you have to have the permissions set to write, and don't forget to put the permissions back. At least with my FTP program I have to. Hope this helps!

Quote:

---

Originally Posted by Johnnycopilot

One thing; about the file you uploaded. I uploaded (replaced) two files, not one, and I got them from downloading and unzipping the entire (New) Zen-Cart, and copied the two files from that (they aren't the same file). I'm sure you probably know this, but also, you have to have the permissions set to write, and don't forget to put the permissions back. At least with my FTP program I have to. Hope this helps!

---

Thanks for the suggestion. Yes, I downloaded zen-cart v1.5.4 and used the authorizenet_aim.php file.

I'd like to try your suggestion but I don't want to assume. What was the name of the second file you uploaded?

Dianne, the name of both files is the same, authorizenet_aim.php .. If you don't understand let me know and I'll walk you through uploading them (best I can, that is). Then, after upload, you have to 'install' them by simply hitting 'install' from Admin-Modules-Payment-Authorize.net (AIM). Then put your Authorize.net information in, so before you replace anything, make sure to copy your Login ID, Transaction Key, and MD5 Hash (If you have an MD5 Hash; if you don't you'll still have to blank-out that field because there is some writing in there). The 2 files are located here.

/includes/modules/payment/authorizenet_aim.php
/includes/languages/english/modules/payment/authorizenet_aim.php

Thank you! Unfortunately, uploading the two files did not resolve the problem.

Here's what I did...

I uninstalled the payment module in the admin panel and then deleted both files via FTP. I then uploaded the two new files from zen cart v1.5.4 and then reinstalled the module via the admin panel, making sure to use the correct settings (double-checking all entries against a screen shot).

So, thank you for the suggestion but it has not resolved the problem.

In the error message, what stands out for me is:

Comm results: 60 SSL certificate problem: unable to get local issuer certificate


I have no idea what this means or where to check...or even what I should be expecting to see if I knew where to check.

If you or anyone reading this can point me in the right direction, I would appreciate it. For example, if I were to speak with the hosting company (who also installed the SSL certificate), what would I be asking them? I don't understand the error message enough to formulate a question.

Thanks for anything you can share.

It's a server misconfiguration problem.
Your hosting company will need to fix it. It has to do with certificate authority data in the PHP/CURL configuration.
You don't need to be the expert on that. It's a server-admin thing. If they don't have a clue about it, then maybe start shopping for another host.

Use your browser to go to your_site.com/extras/curltester.php?authnet=1 and look at the page that it creates.

Then give that URL to your hosting company because they'll need it in order to see the error message (without having to create transactions on your website). They can use that same URL to test their fix too.

Quote:

---

Originally Posted by DrByte

It's a server misconfiguration problem. Your hosting company will need to fix it. It has to do with certificate authority data in the PHP/CURL configuration. You don't need to be the expert on that. It's a server-admin thing. If they don't have a clue about it, then maybe start shopping for another host. Use your browser to go to your_site.com/extras/curltester.php?authnet=1 and look at the page that it creates. Then give that URL to your hosting company because they'll need it in order to see the error message (without having to create transactions on your website). They can use that same URL to test their fix too.

---

Thank you, Dr. Byte! I just attempted to view that page myself before contacting the web host and I got this 404 error message: Not Found

The requested URL /extras/curltester.php was not found on this server. Is this a sign of another problem or is this what I should expect to see? I want to be sure before giving this to the web host as a means for trouble-shooting. Thanks!

Quote:

---

Originally Posted by Dianne

Thank you, Dr. Byte! I just attempted to view that page myself before contacting the web host and I got this 404 error message: Not Found

The requested URL /extras/curltester.php was not found on this server. Is this a sign of another problem or is this what I should expect to see? I want to be sure before giving this to the web host as a means for trouble-shooting. Thanks!

---

Use your FTP program to look at the /extras/ folder on your server. What are the names of the files in that folder?
Did someone delete the /extras/ folder from your server?
What version of Zen Cart are you really using?

I get the same error with a default install of ZC; however, can prevent the error when the .htaccess file in the extras folder is modified to temporarily remove -ExecCGI from the bottom of the .htaccess file. It was explained to me before why this removal works/presence doesn't work, having to do with server setup and typically occurring in a shared hosting scenario, but the specific details I forget and also been unable to quickly find the thread with the associated details.

So if the file(s) still exist, there is a temporary solution, though I am not sure how long the files should remain unprotected by removal of -ExecCGI and leave that suggestion to others here. The file(s) could be copied/relocated to another folder to be made known to the hosting provider with the change made to the .htaccess in that folder, to all be deleted/restored upon resolution, or specific instruction provided to the host on how to also overcome the issue, but certainly verify the conditions suggested above as the absence of the files owould certainly cause the error seen.

Quote:

---

Originally Posted by DrByte

Use your FTP program to look at the /extras/ folder on your server. What are the names of the files in that folder?
Did someone delete the /extras/ folder from your server?
What version of Zen Cart are you really using?

---

This is a fresh install of v1.5.3.

I used the authorizenet_aim.php file from v1.5.4 after it was suggested in this thread.

The website is on shared hosting.

The extras folder contains these files:

• .htaccess
• curltester.php
• htaccess-for-page-not-found-redirects.php
• index.html
• ipncheck.php

BTW, thanks, mc12345678, for the temporary fix idea. Fortunately, the circumstances are such that I don't have to turn to that...just yet. :smile:

Thanks to everyone for sticking with this to help me get it resolved.

Whoops! I did not properly type in the URL when visiting ...extras/curltester.php.

With the correct URL, I see the full diagnostic report. I had no idea this was available. What a great resource for trouble-shooting.

Thanks, Dr. Byte! I will work with the host to get this resolved.

Much appreciation to everyone who weighed in.

Quote:

---

Originally Posted by Dianne

Whoops! I did not properly type in the URL when visiting ...extras/curltester.php.

With the correct URL, I see the full diagnostic report. I had no idea this was available. What a great resource for trouble-shooting.

Thanks, Dr. Byte! I will work with the host to get this resolved.

Much appreciation to everyone who weighed in.

---

Tsk... After being so absolutely and wonderfully thorough??? I pulled out my 2% solution (which I really do need on a site I manage but otherwise have little control over). :( but all joking and ribbing aside, congratulations on obtaining "access" to the tool to solve the hosting related problem. Btw, ZC has sooo many useful tools it's almost ridiculous. Just depends on what is needed/wanted, but basically not only is it possible to control just about every aspect of presenting information, but it is just about possible to retrieve just about every piece of information being presented, etc...

Looks like I still need help (sigh). Here's what the hosting company has said...and btw, I did not choose this host, I simply upgraded the client's existing website, so no wet noodles for me for selecting them :smile:

As of now, we kindly advise you to use CURLOPT_CAINFO as a temporary workaround. We regret to inform you that we do not have an ETA yet but we are working on a resolution for the permanent fix of your issue.

They have since written again to say

The issue will be resolved with a new version of the application that will be released within 6 to 12 months. The date is subject to change and we will contact you via email when the final release occurs.

Short of changing web hosts, is this a viable solution, and if so, what steps do I take to implement it?

Thanks for anything you can share. Oh, and mc12345678, thanks for the chuckle in your post. :laugh:

Sigh. That's too bad.

As a workaround, you need to do several things:
a. Visit http://curl.haxx.se/docs/caextract.html and grab the cacert.pem file -- right-click the link and choose Download or Save As, to copy the file to your PC.
b. Upload that file to your /includes/modules/payment/ folder ... ie: /includes/modules/payment/cacert.pem
c. Make 2 changes in your authorizenet_aim.php file (from v1.5.4), on line 601:
i) remove the // from the very beginning of the line, and
ii) change /local/path/to/cacert.pem to /includes/modules/payment/cacert.pem

Code:

---

//  curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!

---

ie it would become:

Code:

---

  curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

---

Quote:

---

Originally Posted by DrByte

Sigh. That's too bad.

As a workaround, you need to do several things:
a. Visit http://curl.haxx.se/docs/caextract.html and grab the cacert.pem file -- right-click the link and choose Download or Save As, to copy the file to your PC.
b. Upload that file to your /includes/modules/payment/ folder ... ie: /includes/modules/payment/cacert.pem
c. Make 2 changes in your authorizenet_aim.php file (from v1.5.4), on line 601:
i) remove the // from the very beginning of the line, and
ii) change /local/path/to/cacert.pem to /includes/modules/payment/cacert.pem

Code:

---

//  curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!

---

ie it would become:

Code:

---

  curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

---

---

Thank you, Dr. Byte. I was so hopeful that this would work. I very carefully followed each step of the instructions, yet I am still getting the same error message.

• I downloaded the cacert.pem file
• uploaded it to includes/modules/payment/
• made the two changes as shown below in blue

Is there something that I missed?

Here is the code (parial) from the authorizenet_aim.php file where I made the changes, with the specific line that I changed shown in blue.

// Send CURL communication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_REFERER, ($request_type == 'SSL' ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ));
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // NOTE: Leave commented-out! or set to TRUE! This should NEVER be set to FALSE in production!!!!
curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!
if (CURL_PROXY_REQUIRED == 'True') {
$this->proxy_tunnel_flag = (defined('CURL_PROXY_TUNNEL_FLAG') && strtoupper(CURL_PROXY_TUNNEL_FLAG) == 'FALSE') ? false : true;
curl_setopt ($ch, CURLOPT_HTTPPROXYTUNNEL, $this->proxy_tunnel_flag);
curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
curl_setopt ($ch, CURLOPT_PROXY, CURL_PROXY_SERVER_DETAILS);
}

The error message during checkout is the same bright red message when I click the final confirm button to checkout:

Communications Error - Please notify webmaster. - Your credit card could not be authorized for this reason. Please correct the information and try again or contact us for further assistance.

The same message is shown on this page as well (I did not make it a live link):

lcdergoDOTcom/store/zen-cart/extras/curltester.php?authnet=1

I was so sure I would be reporting a success. Is there something I overlooked?

I used the VISA Test credit card number for the checkout (4111...)

Thanks for anything you can share.

Additional Note:

I just got the debug report. Here are the contents:

AuthorizenetAIM Alert Jan-23-2015 11:55:07

Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

I hope there is a clue in this debug report.

Here is the debug report:

AuthorizenetAIM Alert Jan-23-2015 11:55:07
Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

Code:

---

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

---

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

Quote:

---

Originally Posted by lhungil

Code:

---

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

---

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

---

Okay, after much experimenting with getting the path correct, I finally got out of the error message for "Comm results: 77 error setting certificate verify locations:" in the debug emails. This line of text was always followed by a path that was clearly a mistake (repeating folder names twice, etc.).

For example:

Comm results: 77 error setting certificate verify locations:
CAfile: /services17/webpages/util/h/n/hnorman.site.aplus.net/public/store/zen-cart/includes/modules//includes/modules/payment/cacert.pem
CApath: none


The line of code that I changed is now:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . '/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

Anything more in the path shown above and I got the debug report with the error 77 message and for "CAfile:" a path showing double folder names (for example: /store/zen-cart/store/zen-cart/includes...).

With the above code, I am now getting this error message:

Comm results: 60 SSL certificate problem: unable to get local issuer certificate
Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...

Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.419434
[namelookup_time] => 0.036218
[connect_time] => 0.154293
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received:

Any clues in this that points me to a next step?

Thanks for your help with this.

Quote:

---

Originally Posted by Dianne

Comm results: 60 SSL certificate problem: unable to get local issuer certificate

---

It REALLY needs to be fixed by your hosting company.
How many months are you still obligated to this hosting company for?


There might still be a workaround, but ... Do you have a dedicated SSL certificate for your site? Do you have ALL the files for it? the .csr, .key, .crt, .pem and CABundle files?

Thank you, Dr. Byte. If this final idea for a workaround doesn't work, moving is going to be a real consideration for the client.

I have contacted the hosting company to get a copy of the files. They have a lot of proprietary systems and there isn't the level of access or control that you have with a cPanel or PLESK.

Assuming I get the files, what is my next step?

I appreciate the help with this.

Hmmm, the workaround I was thinking of probably won't.

But you still need those files in order to move the site to a new server anyway, as they're needed to enable the SSL certificate on that server.

Quote:

---

Originally Posted by DrByte

Hmmm, the workaround I was thinking of probably won't.

But you still need those files in order to move the site to a new server anyway, as they're needed to enable the SSL certificate on that server.

---

Thank you, Dr. Byte - and everyone else who added commentary - for all the help on this matter. I'm sorry it didn't work out, but there really is no solution when the server isn't configured correctly.

I spoke with the client and he has agreed that the only solution is to move the website. So, we will be doing that this week.

Just wanted to express my gratitude to the zen cart community, even those who read this thread but couldn't think of anything more to add. Your good karma is appreciated!

All the best to everyone...

Thank you!