
How do I fix "Certificate verify failed self signed certificate" when trying to connect to an API?


In my development environment I am building code that will connect with an API that only accepts TLS 1.2 (Authorize.net Ruby SDK).

#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>

My colleague can run the code in his local environment and not get this error. Does it depend on SSL? I'm using OpenSSL 1.1.1h; he is using LibreSSL.

Update:

The output of:

$ openssl s_client -showcerts -connect apitest.authorize.net:443

is:

CONNECTED(00000005)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
Server certificate
subject=C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net

issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

---
No client certificate CA names sent
---
SSL handshake has read 4298 bytes and written 641 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: A2982432F7DD99178A611C2F5D25409F91236B173AF83B08C0E479142EB590AF
    Session-ID-ctx:
    Master-Key: ECBB0DEAE245D006AA30D090D9D00B8C937DBECB2F8D1A19EC8B720A5B3A1A946B55FC00C20778E0FD89E6EF98A730E1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1608845194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

And I don't see a self-signed cert in there? Or am I on the wrong trail...

The code is simple and you can try it at home to test yourself if you feel inclined.

require 'authorizenet'

include AuthorizeNet::API

# API login ID and transaction key (elided in the original post)
trx = AuthorizeNet::API::Transaction.new('8Gxa...', '6LKh9...', gateway: :sandbox)

# Build a minimal customer profile request and send it to the sandbox
request = CreateCustomerProfileRequest.new
request.profile = CustomerProfileType.new
request.profile.merchantCustomerId = 'abc'
request.profile.description = 'name'
response = trx.create_customer_profile(request)

So I need two things:

  • To understand if this is a problem with my setup/environment, and how to fix it.
  • Or, to understand if this is a problem on the API's part (Authorize.net) and how to compensate for it or what to tell them is actually happening

Solution

  • Ugh, it turns out that this is actually expected for the authorize.net sandbox. I need to pass a verify_ssl flag and set it to false.
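
Added example (not part of the original post or the Authorize.net SDK): OpenSSL reports "self signed certificate in certificate chain" when the presented chain ends in a self-signed root that the client's trust store does not contain, as with entry 2 in the s_client output above. The Ruby sketch below reproduces that error code against a constructed three-certificate chain and shows it clearing once the root is in the store, with verification left on; all names and keys are made up.

```ruby
require 'openssl'

# Constructed test PKI: every name and key here is made up for the example.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [leaf, intermediate, root], mirroring the 0/1/2 entries s_client prints.
def build_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('Example Root', rk, ca: true, serial: 1)
  inter = make_cert('Example Intermediate', ik, issuer: root, issuer_key: rk, ca: true, serial: 2)
  leaf = make_cert('api.example.test', lk, issuer: inter, issuer_key: ik, serial: 3)
  [leaf, inter, root]
end

# Verify leaf against an explicit trust store; `sent` is what the server presented.
def verify(leaf, sent, trusted)
  store = OpenSSL::X509::Store.new # starts empty: no system roots loaded
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent)
  [ctx.verify, ctx.error]
end

# Chain entries whose subject equals their issuer, i.e. self-signed roots.
def self_signed(chain)
  chain.select { |c| c.subject.to_s == c.issuer.to_s }
end

if __FILE__ == $PROGRAM_NAME
  leaf, inter, root = build_chain
  puts "self-signed in chain: #{self_signed([leaf, inter, root]).map { |c| c.subject.to_s }}"
  { 'root not trusted locally' => [], 'root in trust store' => [root] }.each do |label, trusted|
    ok, err = verify(leaf, [inter, root], trusted)
    puts "#{label}: ok=#{ok} error=#{err}"
  end
end
```

The numeric codes correspond to `OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN` and `OpenSSL::X509::V_OK`; comparing the code rather than the message avoids wording differences between OpenSSL versions.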