Comm results: 60 SSL certificate problem: unable to get local issuer certificate

[Dianne]

Whoops! I did not properly type in the URL when visiting ...extras/curltester.php.

With the correct URL, I see the full diagnostic report. I had no idea this was available. What a great resource for trouble-shooting.

Thanks, Dr. Byte! I will work with the host to get this resolved.

Much appreciation to everyone who weighed in.

[mc12345678]

Whoops! I did not properly type in the URL when visiting ...extras/curltester.php.

With the correct URL, I see the full diagnostic report. I had no idea this was available. What a great resource for trouble-shooting.

Thanks, Dr. Byte! I will work with the host to get this resolved.

Much appreciation to everyone who weighed in.

Tsk... After being so absolutely and wonderfully thorough??? I pulled out my 2% solution (which I really do need on a site I manage but otherwise have little control over). but all joking and ribbing aside, congratulations on obtaining "access" to the tool to solve the hosting related problem. Btw, ZC has sooo many useful tools it's almost ridiculous. Just depends on what is needed/wanted, but basically not only is it possible to control just about every aspect of presenting information, but it is just about possible to retrieve just about every piece of information being presented, etc...

[Dianne]

Looks like I still need help (sigh). Here's what the hosting company has said...and btw, I did not choose this host, I simply upgraded the client's existing website, so no wet noodles for me for selecting them

As of now, we kindly advise you to use CURLOPT_CAINFO as a temporary workaround. We regret to inform you that we do not have an ETA yet but we are working on a resolution for the permanent fix of your issue.

They have since written again to say

The issue will be resolved with a new version of the application that will be released within 6 to 12 months. The date is subject to change and we will contact you via email when the final release occurs.

Short of changing web hosts, is this a viable solution, and if so, what steps do I take to implement it?

Thanks for anything you can share. Oh, and mc12345678, thanks for the chuckle in your post.

[DrByte]

Sigh. That's too bad.

As a workaround, you need to do several things:
a. Visit http://curl.haxx.se/docs/caextract.html and grab the cacert.pem file -- right-click the link and choose Download or Save As, to copy the file to your PC.
b. Upload that file to your /includes/modules/payment/ folder ... ie: /includes/modules/payment/cacert.pem
c. Make 2 changes in your authorizenet_aim.php file (from v1.5.4), on line 601:
i) remove the // from the very beginning of the line, and
ii) change /local/path/to/cacert.pem to /includes/modules/payment/cacert.pem

Code:

//   curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!

ie it would become:

Code:

   curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

[Dianne]

Sigh. That's too bad.

As a workaround, you need to do several things:
a. Visit http://curl.haxx.se/docs/caextract.html and grab the cacert.pem file -- right-click the link and choose Download or Save As, to copy the file to your PC.
b. Upload that file to your /includes/modules/payment/ folder ... ie: /includes/modules/payment/cacert.pem
c. Make 2 changes in your authorizenet_aim.php file (from v1.5.4), on line 601:
i) remove the // from the very beginning of the line, and
ii) change /local/path/to/cacert.pem to /includes/modules/payment/cacert.pem

Code:

//   curl_setopt($ch, CURLOPT_CAINFO, '/local/path/to/cacert.pem'); // for offline testing, this file can be obtained from http://curl.haxx.se/docs/caextract.html ... should never be used in production!

ie it would become:

Code:

   curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

Thank you, Dr. Byte. I was so hopeful that this would work. I very carefully followed each step of the instructions, yet I am still getting the same error message.

• I downloaded the cacert.pem file
• uploaded it to includes/modules/payment/
• made the two changes as shown below in blue

Is there something that I missed?

Here is the code (parial) from the authorizenet_aim.php file where I made the changes, with the specific line that I changed shown in blue.

// Send CURL communication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_REFERER, ($request_type == 'SSL' ? HTTPS_SERVER . DIR_WS_HTTPS_CATALOG : HTTP_SERVER . DIR_WS_CATALOG ));
curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // NOTE: Leave commented-out! or set to TRUE! This should NEVER be set to FALSE in production!!!!
curl_setopt($ch, CURLOPT_CAINFO, '/includes/modules/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!
if (CURL_PROXY_REQUIRED == 'True') {
$this->proxy_tunnel_flag = (defined('CURL_PROXY_TUNNEL_FLAG') && strtoupper(CURL_PROXY_TUNNEL_FLAG) == 'FALSE') ? false : true;
curl_setopt ($ch, CURLOPT_HTTPPROXYTUNNEL, $this->proxy_tunnel_flag);
curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
curl_setopt ($ch, CURLOPT_PROXY, CURL_PROXY_SERVER_DETAILS);
}

The error message during checkout is the same bright red message when I click the final confirm button to checkout:

Communications Error - Please notify webmaster. - Your credit card could not be authorized for this reason. Please correct the information and try again or contact us for further assistance.

The same message is shown on this page as well (I did not make it a live link):

lcdergoDOTcom/store/zen-cart/extras/curltester.php?authnet=1

I was so sure I would be reporting a success. Is there something I overlooked?

I used the VISA Test credit card number for the checkout (4111...)

Thanks for anything you can share.

[Dianne]

Additional Note:

I just got the debug report. Here are the contents:

AuthorizenetAIM Alert Jan-23-2015 11:55:07

Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

I hope there is a clue in this debug report.

[Dianne]

Here is the debug report:

AuthorizenetAIM Alert Jan-23-2015 11:55:07
Jan-23-2015 11:55:07
=================================

Comm results: 77 error setting certificate verify locations:
CAfile: /includes/modules/payment/cacert.pem
CApath: none

Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...


Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.027351
[namelookup_time] => 0.00304
[connect_time] => 0.124355
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received

[lhungil]

Code:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

[Dianne]

Code:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . 'payment/cacert.pem'); // this is a temporary workaround for this hosting company. Remove this line once the hosting provider has fixed the configuration of PHP / cURL on their server!

You will probably need to specify the entire path to the CA Certificate bundle. So either hard coded with the full path for your specific server or something like the above. Adjust as necessary for where you saved the CA Certificate bundle.

Okay, after much experimenting with getting the path correct, I finally got out of the error message for "Comm results: 77 error setting certificate verify locations:" in the debug emails. This line of text was always followed by a path that was clearly a mistake (repeating folder names twice, etc.).

For example:

Comm results: 77 error setting certificate verify locations:
CAfile: /services17/webpages/util/h/n/hnorman.site.aplus.net/public/store/zen-cart/includes/modules//includes/modules/payment/cacert.pem
CApath: none


The line of code that I changed is now:

curl_setopt($ch, CURLOPT_CAINFO, DIR_FS_CATALOG . DIR_WS_MODULES . '/payment/cacert.pem'); // this is a temporary workaround for this hosting company. Normally this line should be removed!

Anything more in the path shown above and I got the debug report with the error 77 message and for "CAfile:" a path showing double folder names (for example: /store/zen-cart/store/zen-cart/includes...).

With the above code, I am now getting this error message:

Comm results: 60 SSL certificate problem: unable to get local issuer certificate
Response Code: .
Response Text:

Sending to Authorizenet: Array
(
[x_login] => *******
[x_tran_key] => *******
[x_relay_response] => FALSE
[x_delim_data] => TRUE
[x_delim_char] => |
etc...etc...etc...

Results Received back from Authorizenet: Array
(
[0] => Response from gateway
[1] =>
[Expected-MD5-Hash] => 9E54A1C80C4D4BCF5B65D4FC5D3D26E6
[HashMatchStatus] => FAIL
)


CURL communication info: Array
(
[url] => https://secure.authorize.net/gateway/transact.dll
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0.419434
[namelookup_time] => 0.036218
[connect_time] => 0.154293
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)

[redirect_url] =>
)


RAW data received:

Any clues in this that points me to a next step?

Thanks for your help with this.

[DrByte]

Comm results: 60 SSL certificate problem: unable to get local issuer certificate

It REALLY needs to be fixed by your hosting company.
How many months are you still obligated to this hosting company for?


There might still be a workaround, but ... Do you have a dedicated SSL certificate for your site? Do you have ALL the files for it? the .csr, .key, .crt, .pem and CABundle files?