# ca-certificates-20140927.3.17.2 & secure.authorize.net

## trosmus

Ever since the latest update to ca-certificates, SSL connections to secure.authorize.net have been failing with "Verification failure: unable to get local issuer certificate".

Any ideas? This has broken a couple of colo websites that use secure.authorize.net for CC payments. OpenSSL shows...

```
# openssl s_client -connect secure.authorize.net:443 -CApath /etc/ssl/certs
depth=2 C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=secure.authorize.net
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
 2 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
```


```
subject=/C=US/ST=California/L=Mountain View/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Cybersource Corporation/businessCategory=Private Organization/serialNumber=2838921/CN=secure.authorize.net
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1E
---
No client certificate CA names sent
---
SSL handshake has read 4060 bytes and written 622 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA
    Session-ID: 6DD2963E50361AB64EA07CCA3A1B540613EB098F7940D2E2788FCFC3D74376A1
    Session-ID-ctx: 
    Master-Key: 1E7CE52A1CCE660E8580D3B8E86FCEC2A233633F69EB1C46FB0F8E01DEFCC53787606FDB7358FCE3457F7A250858C6D4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1428000589
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
```

----------

## Tub

I recently noticed similar problems connecting to nic.changeip.com. Downgrading to app-misc/ca-certificates-20130906-r1 did not resolve my issue.

I've tried connecting from several computers with multiple applications to both secure.authorize.net and nic.changeip.com:

* gentoo, openssl on the command line: neither works

* Ubuntu 14.10 LTS, openssl on the command line: neither works

* gentoo, Firefox: authorize.net works, changeip.com doesn't

* Windows, Firefox: authorize.net works, changeip.com doesn't

* gentoo, chromium: both work

* Windows, Chrome: both work

* Windows, IE11: authorize.net works, changeip.com doesn't

So whatever happened, it's not gentoo specific. I'm not entirely sure our problems are related (except for happening within a few days of each other), since the error messages are different.

If changeip.com stopped working, I'd expect thousands of angry voices, yet I have still to find a single report.

Have you found a solution to your problems?

----------

## trosmus

Interesting, I did not have any problems with nic.changeip.com.

The problem I found with Authorize.net, just today, is explained in this URL...

http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615

Why it was not handled more cleanly is a puzzle to me. A temp fix involving adding the old SHA1 CA cert can be found here...

https://aghstrategies.com/content/SSL3_GET_SERVER_CERTIFICATE

For Gentoo, you would put this cert in /usr/local/share/ca-certificates and then run "update-ca-certificates".

----------
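Added example, not part of any post in the thread: a small shell parser that reads the "Certificate chain" section of `openssl s_client` output and names the CA the local trust store would need for the chain as sent. It assumes the verifier follows the server-sent chain to its end, as the `depth=2` error in the first post suggests. The sample chain is abridged from that post, the trusted-CN list is constructed, and matching on CN alone is a simplification of a real store lookup.

```shell
#!/bin/sh
# Added example: which issuer is the trust store missing for this chain?

# Print the issuer (i:) line of the last entry in the "Certificate chain"
# section, i.e. the CA the verifier must find locally.
top_issuer() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *i:/  { sub(/^ *i:/, ""); last = $0 }
        END { if (last != "") print last }
    '
}

# Reduce an OpenSSL one-line name (/C=../O=../CN=..) to its CN value.
cn_of() {
    sed -n 's|.*/CN=||p'
}

# $1 = newline-separated CNs of trusted CAs; s_client output on stdin.
# Simplification: a real store is matched on the full subject name.
diagnose() {
    cn=$(top_issuer | cn_of)
    if printf '%s\n' "$1" | grep -Fxq -- "$cn"; then
        echo "trusted: $cn"
    else
        echo "missing: $cn"
    fi
}

# Chain section abridged from the first post (DNs shortened).
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Cybersource Corporation/CN=secure.authorize.net
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1E
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1E
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority
 2 s:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority
   i:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
EOF
}

# Constructed trust-store contents (CNs only); the old root is absent.
TRUSTED_CNS='Entrust Root Certification Authority
Example Other Root CA'

sample_chain | diagnose "$TRUSTED_CNS"
```

On a live host, pipe real `openssl s_client` output into `top_issuer` to get the name to look for under `/etc/ssl/certs`.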

