Equifax certifies api.sandbox.ewaypayments.com. You know that because Equifax is the issuer at level two (see the 2 i: below):
$ openssl s_client -connect api.sandbox.ewaypayments.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/
OU=See www.rapidssl.com/.../CN=api.sandbox.ewaypayments.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
...
Go to GeoTrust Root Certificates, and download Root 1 - Equifax Secure Certificate Authority. Its default name is Equifax_Secure_Certificate_Authority.pem.
Now run s_client again. But this time use the -CAfile option. Notice that you finish with Verify return code: 0 (ok).
$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com
verify return:1
---
...
So your job is to plug the Equifax Secure Certificate Authority into Guzzle or cURL. Instead of the cacerts.pem file, you need to use only Equifax_Secure_Certificate_Authority.pem, since that is the CA that certifies the site.
So I guess your code will look like this:
$opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/Equifax_Secure_Certificate_Authority.pem';
If you want, you can cat the Equifax certificate onto cacert.pem, but I would not recommend it:
$ cat Equifax_Secure_Certificate_Authority.pem >> Resources/cacert.pem
$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com
verify return:1
---
Certificate chain
0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4207 bytes and written 506 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: DD7775A6CE6031234C07C11FD8EB297BD3936C4B5C630217EA7658D86A89A89D
Session-ID-ctx:
Master-Key: 28FE5406F41EAC68000D949D101EE3FED1753AFBB77E2853314D8436CA22D80FBA656976DF17E9C3A0DB3E9CEE4365B1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1409189687
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Thanks, that fixed it! Now I can use $opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem'; which came with Guzzle.
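The chain reading used in the answer (the issuer on the highest-numbered chain entry is the CA that has to be in your local trust file), as an added example that is not part of the original answer. The function names `sample_chain` and `chain_root` and the two output labels are assumptions; the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: find which CA a client must trust locally, from the
# "Certificate chain" block of `openssl s_client` output.

# Constructed sample: the chain block as shown in the listing above.
sample_chain() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
EOF
}

# chain_root: read s_client output on stdin, keep the subject and issuer of
# the last (highest-numbered) chain entry, and report:
#   needed-locally <issuer>  the server did not send this CA; it must be in
#                            the file given to -CAfile / CURLOPT_CAINFO
#   sent-by-server <issuer>  the top entry is self-signed (subject == issuer)
# Exits 1 when no chain block is present in the input.
chain_root() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^---/          { in_chain = 0 }
        in_chain && /^ *[0-9]+ +s:/ { line = $0; sub(/^ *[0-9]+ +s:/, "", line); subject = line }
        in_chain && /^ *i:/         { line = $0; sub(/^ *i:/, "", line); issuer = line }
        END {
            if (issuer == "") exit 1
            if (issuer == subject) print "sent-by-server " issuer
            else                   print "needed-locally " issuer
        }
    '
}

# Run on the constructed sample; against a live host, pipe in:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null
sample_chain | chain_root
```

A `sent-by-server` result still requires that root to be in your trust file; it only means the server included it in the handshake.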