SSL FAILURE - can not call licensemanager


    Started this morning - no change to any code.
    Calls as of approx 10:30AM EST were good, sometime after failure began....
    Did I miss an update?


    https://licensemgr.thelicensemanager.com/gateway/gateway.mv -> Unable to open URL 'https://licensemgr.thelicensemanager.com/gateway/gateway.mv': Error establishing SSL connection: certificate verify failed
    https://licensing.smallbusiness.miva.com/gateway/gateway.mv -> Unable to open URL 'https://licensing.smallbusiness.miva.com/gateway/gateway.mv': Error establishing SSL connection: certificate verify failed
    https://licensing2.smallbusiness.miva.com/gateway/gateway.mv -> Unable to open URL 'https://licensing2.smallbusiness.miva.com/gateway/gateway.mv': Error establishing SSL connection: certificate verify failed
    https://licensemgr.miva.com/gateway/gateway.mv -> Unable to open URL 'https://licensemgr.miva.com/gateway/gateway.mv': Error establishing SSL connection: certificate verify failed
    http://licensemgr.miva.com/gateway/gateway.mv
    http://licensemgr2.miva.com/gateway/gateway.mv
    William Gilligan - Orange Marmalade, Inc.
    www.OrangeMarmaladeinc.com

    #2
    Appears to be related to an AddTrust Root CA expiring this morning.
    William Gilligan - Orange Marmalade, Inc.
    www.OrangeMarmaladeinc.com


      #3
      The license manager CA cert was updated to replace the expired cert at 8:50a EST; it was expired for about three hours.
      David Hubbard
      CIO
      Miva
      http://www.miva.com


        #4
        I still get the same error at this moment. Something I need to do? MvCall works fine on some servers (at least 3), but fails to Miva and one other.
        William Gilligan - Orange Marmalade, Inc.
        www.OrangeMarmaladeinc.com


          #5
          If this is a site hosted by us please email me so we can take a look. If not, then I suspect the issue would be that the sites are using the Empresa legacy certificate bundle and not the operating system's certificate bundle. The Empresa certificate bundle is no longer maintained so new roots and intermediates of the past couple years would not be present, and could cause this. If that is the case, the fix for those sites would be to alter the Empresa config to use the CA File directive to point at the operating system certificate repository instead of the CA Dir directive to point at the Empresa bundle. On RHEL/CentOS the bundle file to use would be /etc/ssl/certs/ca-bundle.crt, and the 3.x config is just cafile=/etc/ssl/certs/ca-bundle.crt (with the previous cadir= commented out).
          David Hubbard
          CIO
          Miva
          http://www.miva.com


            #6
            All good! Thank you. Looks like I missed the announcement regarding the change to cafile. Not for a Miva Merchant install - but rather https://www.orangemailer.co - The Virtual Post Office.
            William Gilligan - Orange Marmalade, Inc.
            www.OrangeMarmaladeinc.com


              #7
              ILoveHostasaurus What is the correct directive to use on a Windows installation?

              <paths root="c:\xxx" data="c:\xxx" ca="c:\xxx\certs\openssl-1.0" />
              Last edited by Greg B; 06-03-20, 11:53 AM.


                #8
                Checking; which version of Windows?
                David Hubbard
                CIO
                Miva
                http://www.miva.com


                  #9
                  For Windows you can update the paths to <paths root="c:\xxx" data="c:\xxx" cafile="c:\xxx\certs\ca-bundle.crt" />, replacing ca= with cafile= as David mentioned above.

                  We used the ca-bundle.crt from Mozilla.


                    #10
                    Thanks Greg.

                    An additional note; since that file will not receive automated updates on Windows, it would not be a bad idea to have a recurring task (project management system, Outlook reminder for multiple people, etc.) to check and update that CA bundle perhaps annually. The reason is that you could miss out on the addition of new intermediate or trusted root CAs, and that could ultimately result in an outage talking to a payment or shipping gateway the store uses on a per-transaction basis.
                    David Hubbard
                    CIO
                    Miva
                    http://www.miva.com
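
Added example, not part of the original thread and not Miva's own tooling: a shell function that audits the PEM file a cafile= setting points at. It covers the expired-root failure identified in post #2 and the recurring bundle check suggested in post #10, using file age as a stand-in for "bundle not refreshed". It assumes a POSIX-style shell and the openssl command-line tool; the function names, thresholds and the constructed sample bundle are hypothetical.

```bash
# Added example (hypothetical names): audit the PEM file a cafile= setting uses.
# audit_bundle BUNDLE [DAYS] [MAX_AGE_DAYS]
# Prints one line per finding: EXPIRED / EXPIRING (within DAYS, default 30) /
# UNPARSEABLE certificates, and STALE if the file is older than MAX_AGE_DAYS
# (default 365). Returns 0 = clean, 1 = findings, 2 = unreadable or empty input.
audit_bundle() {
    local bundle="$1" days="${2:-30}" max_age="${3:-365}" tmp f status rc=0
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    if [ -n "$(find "$bundle" -mtime +"$max_age")" ]; then
        echo "STALE $bundle not modified in over $max_age days"; rc=1
    fi
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%05d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || { echo "no certificates in $bundle" >&2; rc=2; break; }
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "UNPARSEABLE ${f##*/}"; rc=1; continue
        elif ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            status=EXPIRED
        elif ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            status=EXPIRING
        else
            continue
        fi
        printf '%s %s %s\n' "$status" \
            "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$f" -noout -subject)"
        rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_sample_bundle OUT: constructed input, two throwaway roots (1 and 3650 days).
make_sample_bundle() {
    local out="$1" d days
    d=$(mktemp -d) || return 1
    for days in 1 3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=Constructed Root $days" \
            -keyout "$d/key" -out "$d/cert$days.pem" 2>/dev/null || return 1
    done
    cat "$d/cert1.pem" "$d/cert3650.pem" > "$out"; rm -rf "$d"
}
```

The non-zero return value lets a scheduled job alert when the bundle needs replacing. An expiry audit does not reveal roots that are missing from an old bundle, so the file still has to be refreshed from its source.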