Comm results: 60 SSL certificate problem: unable to get local issuer certificate

[Dianne]

Sigh. That's too bad.

As a workaround, you need to do several things:
a. Visit http://curl.haxx.se/docs/caextract.html and grab the cacert.pem file -- right-click the link and choose Download or Save As, to copy the file to your PC.
b. Upload that file to your /includes/modules/payment/ folder ... ie: /includes/modules/payment/cacert.pem
c. Make 2 changes in your authorizenet_aim.php file (from v1.5.4), on line 601:
i) remove the // from the very beginning of the line, and
ii) change /local/path/to/cacert.pem to /includes/modules/payment/cacert.pem

Code:

//   curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!

ie it would become:

Code:

   curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

Thank you, Dr. Byte. I was so hopeful that this would work. I very carefully followed each step of the instructions, yet I am still getting the same error message.

• I downloaded the cacert.pem file
• uploaded it to includes/modules/payment/
• made the two changes as shown below in blue

Is there something that I missed?

Here is the code (parial) from the authorizenet_aim.php file where I made the changes, with the specific line that I changed shown in blue.

// Send CURL communication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_REFERER, ($request_type == 'SSL' ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ));
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // NOTE: Leave commented-out! or set to TRUE! This should NEVER be set to FALSE in production!!!!
curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!
if (CURL_PROXY_REQUIRED == 'True') {
$this->proxy_tunnel_flag = (defined('CURL_PROXY_TUNNEL_FLAG') && strtoupper(CURL_PROXY_TUNNEL_FLAG) == 'FALSE') ? false : true;
curl_setopt ($ch, CURLOPT_HTTPPROXYTUNNEL, $this->proxy_tunnel_flag);
curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
curl_setopt ($ch, CURLOPT_PROXY, CURL_PROXY_SERVER_DETAILS);
}

The error message during checkout is the same bright red message when I click the final confirm button to checkout:

Communications Error - Please notify webmaster. - Your credit card could not be authorized for this reason. Please correct the information and try again or contact us for further assistance.

The same message is shown on this page as well (I did not make it a live link):

lcdergoDOTcom/store/zen-cart/extras/curltester.php?authnet=1

I was so sure I would be reporting a success. Is there something I overlooked?

I used the VISA Test credit card number for the checkout (4111...)

Thanks for anything you can share.

[Dianne]

Additional Note:

I just got the debug report. Here are the contents:

AuthorizenetAIM Alert Jan-23-2015 11:55:07

Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

I hope there is a clue in this debug report.

[Dianne]

Here is the debug report:

AuthorizenetAIM Alert Jan-23-2015 11:55:07
Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

[lhungil]

Code:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

[Dianne]

Code:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

Okay, after much experimenting with getting the path correct, I finally got out of the error message for "Comm results: 77 error setting certificate verify locations:" in the debug emails. This line of text was always followed by a path that was clearly a mistake (repeating folder names twice, etc.).

For example:

Comm results: 77 error setting certificate verify locations:
CAfile: /services17/webpages/util/h/n/hnorman.site.aplus.net/public/store/zen-cart/includes/modules//includes/modules/payment/cacert.pem
CApath: none


The line of code that I changed is now:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . '/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

Anything more in the path shown above and I got the debug report with the error 77 message and for "CAfile:" a path showing double folder names (for example: /store/zen-cart/store/zen-cart/includes...).

With the above code, I am now getting this error message:

Comm results: 60 SSL certificate problem: unable to get local issuer certificate
Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...

Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.419434
[namelookup_time] => 0.036218
[connect_time] => 0.154293
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received:

Any clues in this that points me to a next step?

Thanks for your help with this.

[DrByte]

Comm results: 60 SSL certificate problem: unable to get local issuer certificate

It REALLY needs to be fixed by your hosting company.
How many months are you still obligated to this hosting company for?


There might still be a workaround, but ... Do you have a dedicated SSL certificate for your site? Do you have ALL the files for it? the .csr, .key, .crt, .pem and CABundle files?

[Dianne]

Thank you, Dr. Byte. If this final idea for a workaround doesn't work, moving is going to be a real consideration for the client.

I have contacted the hosting company to get a copy of the files. They have a lot of proprietary systems and there isn't the level of access or control that you have with a cPanel or PLESK.

Assuming I get the files, what is my next step?

I appreciate the help with this.

[DrByte]

Hmmm, the workaround I was thinking of probably won't.

But you still need those files in order to move the site to a new server anyway, as they're needed to enable the SSL certificate on that server.

[Dianne]

Hmmm, the workaround I was thinking of probably won't.

But you still need those files in order to move the site to a new server anyway, as they're needed to enable the SSL certificate on that server.

Thank you, Dr. Byte - and everyone else who added commentary - for all the help on this matter. I'm sorry it didn't work out, but there really is no solution when the server isn't configured correctly.

I spoke with the client and he has agreed that the only solution is to move the website. So, we will be doing that this week.

Just wanted to express my gratitude to the zen cart community, even those who read this thread but couldn't think of anything more to add. Your good karma is appreciated!

All the best to everyone...

Thank you!