Rich722 Posted April 1, 2015 Share Posted April 1, 2015 On March 31 (yesterday) Authorize.Net began making some changes related to security, starting with the Sandbox ( http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615 ). And I (as well as others) discovered yesterday that what was working March 30 was no longer working on March 31 for testing using the Authorize.Net sandbox (I have been using the AIM module, test mode, test cc numbers, and the osCommerce authorize.net module). I tried asking Authorize.Net about this, and they suggested checking with my host (InMotion). I did, and they looked into it and responded that they do meet all the stated requirements on their end, and they suggested I ask the supplier of the osCommerce module for Authorize.net. So, I am asking here. Does something have to change in the osCommerce authorize.net module(s) in order to get working again with Authorize.Net sandbox testing? Thanks Quote Link to comment Share on other sites More sharing options...
clustersolutions Posted April 1, 2015 Share Posted April 1, 2015 Authorize.net prod is working. We received orders today...sandbox and prod should be the same, I hope... Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 2, 2015 Author Share Posted April 2, 2015 To clustersolutions: As of March 31, 2015, the authorize.net sandbox is NOT the same as the production environment. Authorize.net is making changes, and starting with the sandbox. Quote Link to comment Share on other sites More sharing options...
Bob Terveuren Posted April 2, 2015 Share Posted April 2, 2015 Hi - can you provide a working link to where they are listing the changes? Thanks Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 2, 2015 Author Share Posted April 2, 2015 Try this link: http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615 Quote Link to comment Share on other sites More sharing options...
Bob Terveuren Posted April 2, 2015 Share Posted April 2, 2015 https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615 Quote Link to comment Share on other sites More sharing options...
clustersolutions Posted April 2, 2015 Share Posted April 2, 2015 @@Rich722. Thanks for the info. I probably wouldn't call this a bunch of changes, just necessary security updates...I found you can download Root 2 GeoTrust Cert here... https://www.geotrust.com/resources/root-certificates/ Not a fire for me yet...but it will be once the deadline announcement was made... To clustersolutions: As of March 31, 2015, the authorize.net sandbox is NOT the same as the production environment. Authorize.net is making changes, and starting with the sandbox. Quote Link to comment Share on other sites More sharing options...
Jack_mcs Posted April 3, 2015 Share Posted April 3, 2015 @@Rich722 They are just changing which ssl certs will work with their site. All such companies are doing it. Test your site on this page. If it does not show your cert is using SHA1, you should be OK. If it is, you have to upgrade your ssl certificate. Quote Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
Rich722 Posted April 3, 2015 Author Share Posted April 3, 2015 @@Jack_mcs Thanks for the comment and the link, but I still have the problem (and I am a novice when it comes to this security stuff). The link, as best I can tell, is checking the host server setup, which is at InMotion. When I used the link you provided, in the first section "Server Key and Certificate #1", it says the signature algorithm is SHA256withRSA, which seems okay. I had also previously asked InMotion to check the details from Authorize.Net, and InMotion said their setup was okay with respect to the changes. So I don't think my problem is at the server. I suspect it is somewhere inside the osCommerce authorize.net add-on module, but of course that is mere guessing. In the osCommerce Admin panel, I tried setting "Verify SSL Certificate" to false, and then that DID work, and I got to checkout_success. However, when "Verify SSL Certificate" is set to true, I get the display "There is an error processing your credit card. Please try again, and if problems persist, try another payment method." So it seems (at least to me) that there is something related to SSL that is not right, but it is not at the InMotion server. Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 3, 2015 Author Share Posted April 3, 2015 @@clustersolutions Thanks for your reply. Take a look at my response to Jack_mcs for some details. I am a novice at this. I don't know whether I want a pem file or a cer file, and once I get it, I don't know where to put it. I am using the osCommerce add-on module for authorize.net AIM, version 2.1. Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 3, 2015 Author Share Posted April 3, 2015 @@clustersolutions To add a little bit more to my earlier response to you, I have found two files in my directory tree that might be relevant: authorize.net.crt (came as part of the osCommerce authorize.net AIM 2.1 add-on module) and cacert.pem. It looks to me like the latter one is not used if the first one exists, which it does. Quote Link to comment Share on other sites More sharing options...
Jack_mcs Posted April 3, 2015 Share Posted April 3, 2015 Check your authorize.net file to be sure it is not using an IP for connecting. Also, not all authorize.net modules will work in all versions of oscommerce. If you are sure this module was working before, then it should work now. But if you are not sure, it may be the module is not compatible with your shop. Quote Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
Rich722 Posted April 3, 2015 Author Share Posted April 3, 2015 @@Jack_mcs Thanks for your reply. I had already checked the authorize.net file and it is not using IP addresses. (Note that it DOES correctly authorize a payment if I set "Verify SSL Certificate" to false, but it won't work if that is set to true.) Yes, I am sure it worked on March 30 with "Verify SSL Certificate" set to true. This was also (unfortunately for me) just my first day of successful testing after establishing the authorize.net sandbox account. And on March 31, it no longer worked, unless I turn off SSL certificate verification. And my hosting service insists the problem is not on their side. Quote Link to comment Share on other sites More sharing options...
Jack_mcs Posted April 3, 2015 Share Posted April 3, 2015 Then I think you need to contact authorize.net and ask them to explain the problem. They can see attempts to connect so they may be able to determine the cause. You could also try a different authorize.net module. Quote Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons Link to comment Share on other sites More sharing options...
clustersolutions Posted April 3, 2015 Share Posted April 3, 2015 @@Rich722, I am running AIM 2.0 and your right that it has problem with the test server. SSL true it works on prod server but not test...will look into it some more and will let u know if I find anything...Tim Quote Link to comment Share on other sites More sharing options...
clustersolutions Posted April 3, 2015 Share Posted April 3, 2015 @@Rich722, look at this block of codes...the pem file should be in the include dir... if ( file_exists(DIR_FS_CATALOG . 'ext/modules/payment/authorizenet/authorize.net.crt') ) { curl_setopt($curl, CURLOPT_CAINFO, DIR_FS_CATALOG . 'ext/modules/payment/authorizenet/authorize.net.crt'); } elseif ( file_exists(DIR_FS_CATALOG . 'includes/cacert.pem') ) { curl_setopt($curl, CURLOPT_CAINFO, DIR_FS_CATALOG . 'includes/cacert.pem'); } I run the OSCBS and the cacert.pem already included the GeoTrust Root 2 cert...I think mine has to do with my setup...but I will have to spent more time looking at the log file and troubleshoot...I'll do that after Easter weekend...got orders to process and going camping for the weekend... Will keep u posted...or let me know when u find out the issue...thx! Tim Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 3, 2015 Author Share Posted April 3, 2015 @@clustersolutions THANKS for your response. It is great to find out that somebody else sees the same problem I do (and I am still stuck). I also had finally seen the code you listed above. The way I read that code, though, the pem file doesn't get used unless the authorize.net.crt file is missing; however, at least in my installation, the authorize.net.crt file is indeed there. (And it is the one that came with the osCommerce Authorize.net AIM add-on, version 2.1.) I too won't be working on this over the weekend. Quote Link to comment Share on other sites More sharing options...
Bob Terveuren Posted April 6, 2015 Share Posted April 6, 2015 Hi Rich You have that right - try renaming the .crt file to something lime .crtxxx and test - the new key that was published on Github by auth.net - https://github.com/AuthorizeNet/sdk-php/blob/master/lib/ssl/cert.pem in response to the thread https://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-Begins-Infrastructure-and-SHA-2-Certificate/ba-p/49615 is held within the .pem file (or at least it is in the latest osCommerce) - that may do the trick for you Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 6, 2015 Author Share Posted April 6, 2015 Bob, I tried what you suggested, but still no luck. I went to Github, got the new pem file, replaced my existing pem file with that one, then renamed that authorize.net.crt file so that the add-on AIM module would not find it and use the pem file instead. But still it does not get any valid response from authorize.net. The add-on module provides the following response from authorize.net: [x_response_code] => -1 [x_response_subcode] => -1 [x_response_reason_code] => -1 This is what I have been getting ever since March 31, UNLESS I set "Verify SSL Certificate" to false in the osCommerce admin section for authorize.net. Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 6, 2015 Author Share Posted April 6, 2015 Bob, ClusterSolutions, My configuration is finally working (!) for the first time since the March 31 security-related changes at authorize.net. However, I am not completely sure why. For one thing, I ended up copying that new pem file to both the existing cacert.pem and the authorize.net.crt file (are they functionally the same thing?) And, I went back to the original default osCommerce pages to test this so that none of my modified osCommerce pages and database would be involved. Anyway, thanks for the input. Quote Link to comment Share on other sites More sharing options...
clustersolutions Posted April 7, 2015 Share Posted April 7, 2015 @@Rich722... Include the new Root 2 Geo Trust Global CA in the authorize.net.crt file as replacing it will wipe out the other certs...for some reason the Root 2 Geo Trust Global CA isn't in either of the default files. I would just make the change in the authorize.net.crt file and leave the cacert.pem file alone. The if block reads from the authorize.net.crt file or the cacert.pem file. Mines working as well...also make sure that your SSL is SSH2...and follow the Authorize.net instructions you should be good to go...Thx for letting me know! Tim Rich722 1 Quote Link to comment Share on other sites More sharing options...
Rich722 Posted April 8, 2015 Author Share Posted April 8, 2015 @@clustersolutions Thanks! Quote Link to comment Share on other sites More sharing options...
Tsentralka Posted June 13, 2015 Share Posted June 13, 2015 (edited) I'm having similar problems as you are describing here. Hopefully, your experience in overcoming them can point me in the right direction. I am using authroize.net AIM module 2.1 (in oscommerce 2.3.4). I am able to run test transaction through my testing account. However, when I try this in the live merchant account, I get the following error: There has been an error processing your credit cardPlease try again and if problems persist, please try another payment method. I get this error whether the "Verify SSL Certificate" option is set to true or false. Furthermore, when I test the API Server Connection on the admin side, I get the following error: "Failed! Please review the Verify SSL Certificate settings and try again." So this does appear to be a SSL verification problem. My hosting and SSL certificate are through GoDaddy, but it is a SHA-2 based certificate (see below) so it ought to work...right? "Valid until Tue, 07 Jun 2016 21:32:38 UTC (expires in 11 months and 25 days) Key RSA 2048 bits (e 65537) Weak key (Debian) No Issuer Go Daddy Secure Certificate Authority - G2 Signature algorithm SHA256withRSA" Finally, I have tried to add the Root 2 Geo Trust Global CA to the authorize.net.crt file but this has not helped. In contacting both Authorize.net and GoDaddy multiple times, they both claim that everything is good on their ends (which may or may not be true). Any ideas? Thanks, Tsentralka Edited June 13, 2015 by Tsentralka Quote Link to comment Share on other sites More sharing options...
clustersolutions Posted June 15, 2015 Share Posted June 15, 2015 @@Tsentralka, if you have added the Root 2 Geo Trust Global CA correctly to the authorize.net.crt file then it should work. Why don't you also add it to the cacert.pem file just as well. Other than that you may want to get someone to look at the install if this is causing you conversions... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.