
I'm using Omnipay (latest version) to perform some online payments.

I'm using SSL via Cloudflare's flexible SSL, so there is no actual SSL certificate installed on the domain / server. It was all working perfectly fine until yesterday, when I started getting the following error:

Fatal error: Uncaught exception 'Guzzle\Http\Exception\CurlException' with message '[curl] 60:
 SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [url] 
https://api.sandbox.ewaypayments.com/CreateAccessCode.json' in /home/verecsta/vendor/guzzle
/http/Guzzle/Http/Curl/CurlMulti.php:359 Stack trace: #0 /home/verecsta/vendor/guzzle/http/Guzzle
/Http/Curl/CurlMulti.php(292): Guzzle\Http\Curl\CurlMulti->isCurlException(Object(Guzzle
\Http\Message\EntityEnclosingRequest), Object(Guzzle\Http\Curl\CurlHandle), Array) #1 
/home/verecsta/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(257): Guzzle\Http
\Curl\CurlMulti->processResponse(Object(Guzzle\Http\Message\EntityEnclosingRequest), 
Object(Guzzle\Http\Curl\CurlHandle), Array) #2 /home/verecsta/vendor/guzzle/http/Guzzle/Http/Curl
/CurlMulti.php(240): Guzzle\Http\Curl\CurlMulti->processMessages() #3 /home/verecsta/vendor
/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(224): Guzzle\Http\Curl\CurlM in /home/verecsta/vendor
/guzzle/http/Guzzle/Http/Curl/CurlMulti.php on line 359

If I set $certificateAuthority = false; on Guzzle it works again. But this is not ideal.

I can't figure out why it has stopped working all of a sudden. Could something have expired on my server? I have been googling the issue and have come across this a few times:

"Basically it means your server doesn't have the up to date Certificate Authority bundles installed"

What does this mean exactly? Do I have to install an SSL certificate for this domain? Or is there something else that needs to be updated on the server? (As it was working fine up until yesterday using Cloudflare's SSL, I'm guessing something else needs to be updated?)

Also, I thought Guzzle used its own certificates ($opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem';), so again I'm not sure why I'm getting this error.

Ralph Vugts

3 Answers


This issue happened to me the other day. This was because of CentOS having an old certificate authority bundle.

Assuming you are running on CentOS, try running the following commands through SSH. First back up your certificate in case it breaks.

    # cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

Then just download the new certificate bundle.

    # curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

Once updated this should then fix your issue.

woody1990
  • Thanks, this fixed it! I can now also use the $opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem'; that came with Guzzle. – Ralph Vugts Aug 28 '14 at 03:31

> Also any idea why it would all of a sudden stop working? As it was running fine before

It looks like they got a new certificate recently. Take a look at the notBefore date below.

(And don't worry about the error:num=20:unable to get local issuer certificate. I did not use the -CAfile option.)

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 | openssl x509 -text -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1363420 (0x14cddc)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
        Validity
            Not Before: Aug 24 05:15:18 2014 GMT
            Not After : Nov 26 05:47:38 2015 GMT
        Subject: serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU=GT69801168, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=api.sandbox.ewaypayments.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:6B:69:3D:6A:18:42:4A:DD:8F:02:65:39:FD:35:24:86:78:91:16:30

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:api.sandbox.ewaypayments.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://rapidssl-crl.geotrust.com/crls/rapidssl.crl

            X509v3 Subject Key Identifier: 
                AD:B5:7E:1D:48:7A:43:43:C8:BC:52:12:CF:08:A6:A0:4B:02:34:6E
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access: 
                OCSP - URI:http://rapidssl-ocsp.geotrust.com
                CA Issuers - URI:http://rapidssl-aia.geotrust.com/rapidssl.crt

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: http://www.geotrust.com/resources/cps

    Signature Algorithm: sha1WithRSAEncryption
jww
  • Thanks for your time, didn't solve my problem but you have taught me a lot about openssl. woody1990's answer solved my issue, for some reason the CA bundle had to be updated on the server via curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt – Ralph Vugts Aug 28 '14 at 03:50

Equifax certifies api.sandbox.ewaypayments.com. You know that because Equifax is the Issuer at level two (see the 2 i: below):

$ openssl s_client -connect api.sandbox.ewaypayments.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/
     OU=See www.rapidssl.com/.../CN=api.sandbox.ewaypayments.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
...

Go to GeoTrust Root Certificates, and download Root 1 - Equifax Secure Certificate Authority. Its default filename is Equifax_Secure_Certificate_Authority.pem.

Now, run s_client again. But this time, use the -CAfile option. Notice you finish with Verify return code: 0 (ok).

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com
verify return:1
---
...

So your job is to plug Equifax Secure Certificate Authority into Guzzle or Curl. Instead of the cacerts.pem file, you only need to use Equifax_Secure_Certificate_Authority.pem since that's the CA that certifies the site.

So I suppose your code would look similar to:

$opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/Equifax_Secure_Certificate_Authority.pem';

If desired, you can cat the Equifax cert into the cacert.pem, but I would not recommend it:

$ cat Equifax_Secure_Certificate_Authority.pem >> Resources/cacert.pem

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4207 bytes and written 506 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DD7775A6CE6031234C07C11FD8EB297BD3936C4B5C630217EA7658D86A89A89D
    Session-ID-ctx: 
    Master-Key: 28FE5406F41EAC68000D949D101EE3FED1753AFBB77E2853314D8436CA22D80FBA656976DF17E9C3A0DB3E9CEE4365B1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1409189687
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
jww
  • Thanks I've just downloaded Equifax_Secure_Certificate_Authority.pem and pointed Guzzle to it. But now I get the error: Fatal error: Uncaught exception 'Guzzle\Http\Exception\CurlException' with message '[curl] 77: error setting certificate verify locations: CAfile: /home/verecsta/vendor/guzzle/http/Guzzle/Http/Resources/Equifax_Secure_Certificate_Authority.pem CApath: none [url] https://api.sandbox.ewaypayments.com/CreateAccessCode.json' in /home/verecsta/vendor/guzzle/http/Guzzle/Ht – Ralph Vugts Aug 28 '14 at 02:18
  • Also any idea why it would all of a sudden stop working? As it was running fine before – Ralph Vugts Aug 28 '14 at 02:19
  • *"[curl] 77: error setting certificate verify locations..."* - you should probably ask another question. But take a look at [How do I deal with certificates using cURL while trying to access an HTTPS url?](https://stackoverflow.com/questions/3160909/how-do-i-deal-with-certificates-using-curl-while-trying-to-access-an-https-url) Daniel Stenberg, the author of cURL, answered. – jww Aug 28 '14 at 02:42
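The chain walk the last answer does by hand (find the issuer at the top of the sent chain that the local trust store lacks), as an added example that is not code from the page or its authors: it parses the "Certificate chain" listing `openssl s_client` prints, using a constructed sample that mirrors the eWAY sandbox chain above, and reports the depth and issuer at which path building stops, which is what `depth=2 ... unable to get local issuer certificate` meant in the question. The trust-anchor lists are constructed; a real check would take the subjects from the server's CA bundle.

```python
import re

# Constructed sample in the layout `openssl s_client` prints under
# "Certificate chain"; it mirrors the eWAY sandbox chain shown above.
SAMPLE_CHAIN = """\
---
Certificate chain
 0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/CN=api.sandbox.ewaypayments.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain


def diagnose(chain, trust_anchors):
    """Walk from the leaf upward, the way OpenSSL builds a path.

    Returns (None, None) as soon as a certificate's subject or issuer is a
    trust anchor (verification succeeds at that depth). Otherwise returns
    (depth, issuer) of the first certificate whose issuer is neither trusted
    nor the next certificate in the sent chain: the "depth=N ... verify
    error:num=20: unable to get local issuer certificate" case.
    """
    anchors = set(trust_anchors)
    for i, (depth, subject, issuer) in enumerate(chain):
        if subject in anchors or issuer in anchors:
            return None, None
        next_subject = chain[i + 1][1] if i + 1 < len(chain) else None
        if next_subject != issuer:
            return depth, issuer
    raise ValueError("empty chain")
```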