How comes authorize.net uses a certificate that is signed with a CA that is not in the well known curl.haxx.se/ca/cacert.pem list?


Problem description

The URL for transactions with authorize.net is https://secure.authorize.net/gateway/transact.dll . If we visit this URL and inspect the certificate, we can see that it is signed by the intermediary certificate with CN = Entrust Certification Authority - L1E, valid to 10 décembre 2019 17:25:43. However, if you visit the Entrust site https://validev.entrust.net/, you see that their intermediary cert with the same CN is valid until 11 novembre 2021 23:00:59 - so it is a more recent version. These two intermediary certificates do not share the same root certificate. In my case, a problem occurred because the well known list http://curl.haxx.se/ca/cacert.pem used by CURL in my configuration setting did not contain the root certificate for the previous version of the certificate. It contained only the root certificate for the new version. When I added the root certificate for the old version manually in the file, the problem was solved. However, I want to understand what exactly went wrong. Should the list have contained the root certificates for both versions? Should Authorize.net have updated its certificate so that it matches the more up-to-date CA bundle?

Recommended answer

Update: this should no longer be necessary because Authorize.net has updated its production servers' certificates.

You may have found this to stop working all of a sudden because the Ubuntu ca-certificates package just dropped support for them in the most recent update:

http://changelogs.ubuntu.com/changelogs/pool/main/c/ca-certificates/ca-certificates_20141019ubuntu0.12.04.1/changelog

http://changelogs.ubuntu.com/changelogs/pool/main/c/ca-certificates/ca-certificates_20141019ubuntu0.14.04.1/changelog

My coworkers and I encountered this with a client just the other day--their donations suddenly stopped working.

The real solution is that Authorize.net needs to update their certificate. However, in the meantime, you can just add the one missing certificate. I put together notes on how to do this in Ubuntu here:

https://aghstrategies.com/content/SSL3_GET_SERVER_CERTIFICATE

I have also saved the one root certificate (though possibly insecurely) at https://github.com/agh1/ca-certificate-for-authorize.net

Again, my hope is that this only needs to be a short-term solution until they get a new certificate, but this will be a good stop-gap.
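
The failure from the question and the stop-gap from the answer can be reproduced offline with a throwaway PKI. This is an added example, not code from the original post; every name in it (`Demo Root old`, `Demo Root new`, `Demo CA - L1`, `secure.example.test`, the file names) is constructed, and it assumes the `openssl` command-line tool is installed.

```shell
# Constructed demo PKI: every key, certificate and name below is throwaway.
set -eu
d=$(mktemp -d)
cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# make_root NAME: self-signed root CA written to $d/NAME.key and $d/NAME.pem
make_root() {
  openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root $1" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}
# issue NAME SUBJECT_CN ISSUER EXT_SECTION: certificate for SUBJECT_CN signed by ISSUER
issue() {
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" -set_serial 1 \
    -days 30 -extfile "$d/x.cnf" -extensions "$4" -out "$d/$1.pem" 2>/dev/null
}
# verify_with BUNDLE: validate what the server sends (leaf + old intermediate)
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$d/int_old.pem" "$d/leaf.pem" >/dev/null 2>&1
}

make_root old; make_root new
issue int_old "Demo CA - L1" old v3_ca               # older intermediate, under the old root
issue int_new "Demo CA - L1" new v3_ca               # reissued: same CN, different root
issue leaf "secure.example.test" int_old v3_leaf     # server cert, still on the old chain

cp "$d/new.pem" "$d/bundle_new_only.pem"                 # CA bundle that lists only the new root
cat "$d/new.pem" "$d/old.pem" > "$d/bundle_patched.pem"  # stop-gap: old root added back

# Same subject on both intermediates, but different issuers (roots).
for c in int_old int_new; do openssl x509 -noout -subject -issuer -in "$d/$c.pem"; done
for b in bundle_new_only bundle_patched; do
  if verify_with "$d/$b.pem"; then echo "$b: chain verifies"
  else echo "$b: verification fails, the old intermediate's issuer is not trusted"; fi
done
```

With curl, a patched bundle like this can be passed per invocation with `--cacert`, which keeps the extra root out of the system-wide trust store.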
