Payment Processing Error

[rs3515]

When attempting to complete a transaction in our test environment, we're getting the following error message:

Payment Processor Error message
: 60:error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

We have a cert set up for another environment on the same server, but not for this test environment.  Am I correct to assume this is due to not having an available cert for this environment?  Or might it be another issue?

[Donald Lobo]

What version are u using? I'm pretty sure we stopped supporting the certificate method in v1.5 or so.

You might want to google the error code and the payment processor. Thats a payment processor specific error code

lobo

[jimurl]

I am getting a very similar error:
Payment Processor Error message
: 77:error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none

Using drupal 5.7 CiviCRM 2.0.6

poking around on both the Civicrm fora and others, it appears that this is due to this:
CURLOPT_SSL_VERIFYPEER

being set to TRUE. While this variable prevents 'man-in-the-middle' attacks, it appears that it can can be set to FALSE. But, I can't find where to do that. I've looked in:
civicrm/packages/NET/curl.php line 270 and tried to tweak that (same result)

and also civicrm/Core/Payment/AuthorizeNet.php (line 230, also didn't alter the outcome).

Another, better, solution than setting VERIFYPEER to FALSE is to chmod 755 the ca-certificates.crt file mentioned above, but I don't have access to that.

So, either 1) I am barking up the wrong tree here- the error I'm seeing is due to something besides this VERIFYPEER setting or 2) I need to set it in a different spot?

Other complications: we are using Ubercart for some other, non-donation transactions. We have a certificate successfully installed, which ubercart seems to be able to use. UC appears to set this option to FALSE:
210  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

I am also using securepages to force ssl on the uc transaction pages. I had to uncheck this option:
"Switch back to http pages when there are no matches"
in order to get Civicrm -> SEttings -> Resource URLs : Force SSL setting to 'take' . I have also tried disabling the securepages altogether- still, my contribute page doesn't work.

Any suggestions would be welcome.

Jim

[Dave Greenberg]

It sounds like the processor you're using is Authorize.net - which is a community contributed plugin (from Ideal Solutions / Marshall Newrock). Assuming you've done as much as possible investigating via Authorize.net resources / tech support - you might want to ping Ideal Solutions to see if they have suggestions.

[Eileen]

This post is a bit old but if anyone else hits it the lines to turn off ssl peer checking have been added to the paypal processor so you can do the same pretty safely to authorize.net

Try adding this after line 99
//turning off the server and peer verification
        curl_setopt($submit, CURLOPT_SSL_VERIFYPEER, FALSE);// this one is probably enough
        curl_setopt($submit, CURLOPT_SSL_VERIFYHOST, FALSE);

(this is the bit where your machine verifies the certificate at the remote end correctly verifies their certificate - nothing to do with your own ssl certificate. It normally means the curl process can't find your store of trusted certficates)

http://www.phpbuilder.com/board/showthread.php?t=10328147

[arnj]

This post is a bit old but if anyone else hits it the lines to turn off ssl peer checking have been added to the paypal processor so you can do the same pretty safely to authorize.net

Try adding this after line 99
//turning off the server and peer verification
        curl_setopt($submit, CURLOPT_SSL_VERIFYPEER, FALSE);// this one is probably enough
        curl_setopt($submit, CURLOPT_SSL_VERIFYHOST, FALSE);

(this is the bit where your machine verifies the certificate at the remote end correctly verifies their certificate - nothing to do with your own ssl certificate. It normally means the curl process can't find your store of trusted certficates)

http://www.phpbuilder.com/board/showthread.php?t=10328147

Thank you! This did the trick for me after many keyboard imprints on my forehead. I know it might technically be a "security hole", but it's possibly a debatable point.

The cURL CA verifypeer process seems a little redundant, since the processor form already points to Authorize.net with so many other bits of classified info, and there seems to be an open question out there with verifypeer being all that reliable in the first place (I did many other non-Civi PHP-cURL-SSL tests that showed error-free verifypeer functionality, so I'm not getting why it bails within Civi).

[Eileen]

That surprises me. I had assumed the CURL error would be always encountered on a on given server as it relates to whether or not it can find the correct certificate chain for the remote site

[arnj]

That surprises me. I had assumed the CURL error would be always encountered on a on given server as it relates to whether or not it can find the correct certificate chain for the remote site

It's interesting, to be sure. I don't know why my cURL-php tests work outside of Civi with successful ca-bundle verification, but not from within. It seems that if PHP can see the ca-bundle then Joomla/Civi should as well.

I'm only moderately nervous about verifypeer being disabled. Does anyone else have thoughts on any potential security risk of turning it off?

[Eileen]

It seems to be turned off quite widely. It makes me wonder if there is a separate CURL implemention within civi / joomla with a different certificate path

[drupleg]

Hello, I was able to resolve this error on my system by installing:

Code: [Select]

apt-get install ca-certificates

[schiavone]

Disabling the certification check is not a great option.

It looks like the problem is that CURLOPT_SSLCERT variable in civicrm/Core/Payment/AuthorizeNet.php is not set properly. Step one would be to properly setting the environment variable in your OS. For Ubuntu you must permanently set CURL_CA_BUNDLE. For example in Ubuntu 12.04:

export CURL_CA_BUNDLE=/path/to/certbundle

But this does not fix the problem because the code in civicrm/Core/Payment/AuthorizeNet.php does not grab the environment variable. I don't have all the pieces put together yet but the answer lies in setting CURLOPT_SSLCERT properly using the OS's environment variable