active_merchant
active_merchant copied to clipboard
activemerchant
Figure out a path forward with the CA bundle
Right now, we're not really actively maintaining the CA bundle (see https://github.com/activemerchant/active_merchant/commits/master/lib/certs/cacert.pem). That's fine for people who override the CA bundle anyway, but we should probably come up with an official AM approach, or otherwise actually update the CA bundle.
Okay, so: of the 126 gateways that Spreedly uses, all but one (Ezic) are covered by the default CA list on Ubuntu, CentOS, and macOS. The Git history doesn't seem to provide a good indication of why we are running with our own certificate file in the first place, so I'm assuming it's legacy from before Ruby offered a clean way to check HTTPS certs. So assuming we get similar results for the remaining 84 AM gateways Spreedly doesn't support, how would y'all feel about deleting the CA file, replacing it with per-gateway CAs for the few gateways that need it? Or is there an alternative path we'd feel more comfy with (like having a script that runs once a month, replacing the CA with whatever Mozilla ships or something)?
@bdewater Could you add whoever from Shopify should be part of that convo?
Gateways that I tested (including Ezic, which does need to have its CA in here for now):
- AdyenGateway
- AlliedWalletGateway
- AuthorizeNetGateway
- BalancedGateway
- BanwireGateway
- BarclaycardSmartpayGateway
- BarclaysEpdqExtraPlusGateway
- BeanstreamGateway
- BluePayGateway
- BlueSnapGateway
- BorgunGateway
- BpointGateway
- BraintreeGateway
- BridgePayGateway
- CardConnectGateway
- CardprocessGateway
- CardStreamGateway
- CashnetGateway
- CecabankGateway
- CenposGateway
- CheckoutGateway
- CheckoutV2Gateway
- CitrusPayGateway
- ClearhausGateway
- ConektaGateway
- CreditcallGateway
- CredoraxGateway
- CtPaymentGateway
- CulqiGateway
- CyberSourceGateway
- DataCashGateway
- DibsGateway
- DigitzsGateway
- EbanxGateway
- ElavonGateway
- ElementGateway
- EpayGateway
- EwayGateway
- EwayRapidGateway
- EzicGateway
- FatZebraGateway
- FirstdataE4Gateway
- FirstdataE4V27Gateway
- FirstGivingGateway
- FirstPayGateway
- Flo2cashGateway
- Flo2cashSimpleGateway
- ForteGateway
- GlobalCollectGateway
- GlobalTransportGateway
- HdfcGateway
- HpsGateway
- IatsPaymentsGateway
- IridiumGateway
- IveriGateway
- JetpayGateway
- JetpayV2Gateway
- KushkiGateway
- Latitude19Gateway
- LinkpointGateway
- LitleGateway
- MaxipagoGateway
- MercadoPagoGateway
- MerchantESolutionsGateway
- MerchantPartnersGateway
- MerchantWareVersionFourGateway
- MerchantWarriorGateway
- MercuryGateway
- MicropaymentGateway
- MigsGateway
- MonerisGateway
- MonerisUsGateway
- MundipaggGateway
- NabTransactGateway
- NcrSecurePayGateway
- NetbillingGateway
- NetpayGateway
- NmiGateway
- OgoneGateway
- OpenpayGateway
- OppGateway
- OptimalPaymentGateway
- OrbitalGateway
- PayConexGateway
- PayeezyGateway
- PayexGateway
- PayflowGateway
- PayJunctionV2Gateway
- PaymentExpressGateway
- PaymentezGateway
- PaymillGateway
- PaypalGateway
- PaystationGateway
- PayuInGateway
- PayuLatamGateway
- PinGateway
- PlugnpayGateway
- ProPayGateway
- PsigateGateway
- QbmsGateway
- QuantumGateway
- QuickpayV10Gateway
- QuickpayV4to7Gateway
- QvalentGateway
- RealexGateway
- RedsysGateway
- S5Gateway
- SafeChargeGateway
- SageGateway
- SagePayGateway
- SecureNetGateway
- SecurePayAuGateway
- SecurionPayGateway
- StripeGateway
- TnsGateway
- TransFirstGateway
- TransFirstTransactionExpressGateway
- TrustCommerceGateway
- UsaEpayGateway
- VancoGateway
- veMerchantGateway
- VisanetPeruGateway
- WepayGateway
- WirecardGateway
- WorldpayGateway
- WorldpayUsGateway
This answers my initial question of 'Can we rely upon the cert.pem file in this repo to be up to date?' So my new question is, Do I need to update this file before 3/2/21 when a new leaf certificate is required? If so, how? The directions on a.net are incomplete. They point one to various resources for the new leaf cert but no comprehensive directions for how to actually update a bundled certificate. https://community.developer.authorize.net/t5/News-and-Announcements/Network-Change-Notification-Expiring-Certificate-Update/m-p/74832/highlight/true#M243
FirstdataE4 cert changes are now in play https://support.payeezy.com/hc/en-us/articles/203850459-Maintenance-and-Release-Notes Appreciate if anyone has advice on how to use the Firstdata certs. Putting them in the cacert.pem file has not worked so far so we are still digging for answers to resolving the new SSL connection error on the FirstdataE4Gateway demo endpoint.
These certs need to be added to cacert.pem in order to connect to the demo gateway. Notice the FirstData certs are issued by DigiCert Global G2 TLS RSA SHA256 2020 CA1 which needs to be added along with the updated FirstData certs.
The PR backlog is huge, not sure if a PR would be received on this gem so here are the certs...
DigiCert Global G2 TLS RSA SHA256 2020 CA1
=======================
-----BEGIN CERTIFICATE-----
MIIE9DCCA9ygAwIBAgIQCF+UwC2Fe+jMFP9T7aI+KjANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0yMDA5MjQwMDAwMDBaFw0zMDA5MjMyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKkRpZ2lDZXJ0IEdsb2Jh
bCBHMiBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMz3EGJPprtjb+2QUlbFbSd7ehJWivH0+dbn4Y+9lavyYEEV
cNsSAPonCrVXOFt9slGTcZUOakGUWzUb+nv6u8W+JDD+Vu/E832X4xT1FE3LpxDy
FuqrIvAxIhFhaZAmunjZlx/jfWardUSVc8is/+9dCopZQ+GssjoP80j812s3wWPc
3kbW20X+fSP9kOhRBx5Ro1/tSUZUfyyIxfQTnJcVPAPooTncaQwywa8WV0yUR0J8
osicfebUTVSvQpmowQTCd5zWSOTOEeAqgJnwQ3DPP3Zr0UxJqyRewg2C/Uaoq2yT
zGJSQnWS+Jr6Xl6ysGHlHx+5fwmY6D36g39HaaECAwEAAaOCAa4wggGqMB0GA1Ud
DgQWBBR0hYDAZsffN97PvSk3qgMdvu3NFzAfBgNVHSMEGDAWgBROIlQgGJXm427m
D/r6uRLtBhePOTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwdgYIKwYBBQUHAQEEajBoMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKG
NGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RH
Mi5jcnQwewYDVR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGln
aWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDAwBgNVHSAEKTAnMAcG
BWeBDAEBMAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEB
CwUAA4IBAQB1i8A8W+//cFxrivUh76wx5kM9gK/XVakew44YbHnT96xC34+IxZ20
dfPJCP2K/lHz8p0gGgQ1zvi2QXmv/8yWXpTTmh1wLqIxi/ulzH9W3xc3l7/BjUOG
q4xmfrnti/EPjLXUVa9ciZ7gpyptsqNjMhg7y961n4OzEQGsIA2QlxK3KZw1tdeR
Du9Ab21cO72h2fviyy52QNI6uyy/FgvqvQNbTpg6Ku0FUAcVkzxzOZGUWkgOxtNK
Aa9mObm9QjQc2wgD80D8EuiuPKuK1ftyeWSm4w5VsTuVP61gM2eKrLanXPDtWlIb
1GHhJRLmB7WqlLLwKPZhJl5VHPgB63dx
-----END CERTIFICATE-----
demo.globalgatewaye4.firstdata.com
=======================
-----BEGIN CERTIFICATE-----
MIIHAzCCBeugAwIBAgIQDLQqOJCl+5DSnRuWEZm4nTANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypE
aWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjIw
NjE0MDAwMDAwWhcNMjMwNzE1MjM1OTU5WjB0MQswCQYDVQQGEwJVUzEQMA4GA1UE
CBMHR2VvcmdpYTEQMA4GA1UEBxMHQXRsYW50YTEfMB0GA1UEChMWRmlyc3QgRGF0
YSBDb3Jwb3JhdGlvbjEgMB4GA1UEAxMXZ2F0ZXdheS5wYXllZXp5dGVzdC5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTslOvrsTb2i76vW5YqyVJ
jxd0417JbPtNMXPnZOtyEcOZDVQv0/O2FsZ3TUQmFRicMw4TOHo+P+uuKJsBeGWw
SSes7T6cwxyfu0M4u9JJ1xJz9+P3iKgZY1xZqlXN1rTvp4Y65UkGav/Co8dksVoK
NjkDGIdLyugTNalbfFyvcE+AwqK2lhCJYGnCKat1FVA+/6deNP5xtYK7zca5eonw
uQKzyG4csCbvFGF+xEn/fKbe8LL23LdOVJb0kAqkFxJ1o7xugYgQVlhygk+DAI38
MB+UusD6l4TNePjyzxryXuThUclLo71EmvNnFoz+aDV7eqHENluNgG2iTcvULmgL
AgMBAAGjggOqMIIDpjAfBgNVHSMEGDAWgBR0hYDAZsffN97PvSk3qgMdvu3NFzAd
BgNVHQ4EFgQUF0jWcNMeyflb+/UdVdsbfo+d9LswPQYDVR0RBDYwNIIXZ2F0ZXdh
eS5wYXllZXp5dGVzdC5jb22CGSouZ2F0ZXdheS5wYXllZXp5dGVzdC5jb20wDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBnwYD
VR0fBIGXMIGUMEigRqBEhkJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNl
cnRHbG9iYWxHMlRMU1JTQVNIQTI1NjIwMjBDQTEtMi5jcmwwSKBGoESGQmh0dHA6
Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbEcyVExTUlNBU0hBMjU2
MjAyMENBMS0yLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIB
FhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYUGCCsGAQUFBwEBBHkwdzAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME8GCCsGAQUFBzAC
hkNodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRM
U1JTQVNIQTI1NjIwMjBDQTEuY3J0MAkGA1UdEwQCMAAwggF/BgorBgEEAdZ5AgQC
BIIBbwSCAWsBaQB3AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAAB
gWAOHlsAAAQDAEgwRgIhAJGhkeCrnUlYyNZg4Hef4TXjFU3XZd/NLn4HMjY5YUFJ
AiEA1TosMHSsg2Z/Dg7iS8TxAxJ0f1m3izgv3vtLNsbA/TkAdwA1zxkbv7FsV78P
rUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAYFgDh5vAAAEAwBIMEYCIQCDZLoyohDe
DajsO39pJ0qk+aCpbQYGvc1KKl1klc8S9wIhAKTc4gCf9Xtzn/a3W0E0n8V8vBoE
vA63gDbVG80NQfGkAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoA
AAGBYA4ekQAABAMARjBEAiAvHr+GbayYEEsDFPXvxoSKgj7KkmYFdeRXBDCvxyUu
AwIgQJmClsqakQOkanJFkATIDFo3b9fFp56hyyXMRzX1+z4wDQYJKoZIhvcNAQEL
BQADggEBAGagTl513WDR+CZSInem7yR1/bHookSO3cX0cw46GHMi/WkZ/ytF35w9
KJrIX9Q5BxPQGcq99h3AdCsjfwVz5l4gZ6aItPhdUB9forHuaNF0jgWcbrRU5KQs
0H/A1QiOlThyxYhW/zDpyV1ul61sPn4p8z8jdBrUxfkxaS1394R3n+3NWs9+fW6f
gQl7kwyc1lM3/46F2JWPwClYJjOG+t/qHCRZBAxE428YlUNqcyxqkoux/MUFk/Yu
eErXsiWlyuWX1iBWqrXc+yyVbt8RY+hei0lxBYr1QocQ6rAB5629yRnwjvtwD4QL
t4PQfqyKQetPMgXzW6ir/E6TB1qouGY=
-----END CERTIFICATE-----
gateway.payeezytest.com
=======================
-----BEGIN CERTIFICATE-----
MIIHhTCCBm2gAwIBAgIQDFgHlMavzCSNLYITnaQsIjANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypE
aWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjIw
NjE2MDAwMDAwWhcNMjMwNzE3MjM1OTU5WjB/MQswCQYDVQQGEwJVUzEQMA4GA1UE
CBMHR2VvcmdpYTEQMA4GA1UEBxMHQXRsYW50YTEfMB0GA1UEChMWRmlyc3QgRGF0
YSBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiZGVtby5nbG9iYWxnYXRld2F5ZTQuZmly
c3RkYXRhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJFiKEtx
JCM6pk9JNKBYDjTwfzomfTILVjWjueeHRBIB0vDBd3y6miCmSYASbgXRs8VSk4R8
4vrAI5tlGLBF5OahfHaCaajUWP0dyH20WkUiPXf+WQKQFMnMPj6ZZfhXRfYi02mp
A50Zn5LB21qM3jzE9UktpMNeJ56wgznlcCx9D1KYlckL/R35H4/rVVgq7d79Rg4f
a+bQTh6rHvxkbsQCpwMV4hLAFHxKgB0f1biuW6jviUIMNcEdxma2lv+EDjST2LCy
td1UGGKl1/zk4Tknalmj1rt7ixQ4LpBMuKTOZrwTpR6c23d3G8O/Yh2h8tbErVMD
bZ8UVfM8Tt+d1p0CAwEAAaOCBCEwggQdMB8GA1UdIwQYMBaAFHSFgMBmx9833s+9
KTeqAx2+7c0XMB0GA1UdDgQWBBQm6QvWDmL+TQmvbqQOWvgd0ZeowDCBtQYDVR0R
BIGtMIGqgiJkZW1vLmdsb2JhbGdhdGV3YXllNC5maXJzdGRhdGEuY29tgi9wcm92
aXNpb25pbmcuZGVtby5nbG9iYWxnYXRld2F5ZTQuZmlyc3RkYXRhLmNvbYIrYXBp
LXByb3YuZGVtby5nbG9iYWxnYXRld2F5ZTQuZmlyc3RkYXRhLmNvbYImYXBpLmRl
bW8uZ2xvYmFsZ2F0ZXdheWU0LmZpcnN0ZGF0YS5jb20wDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBnwYDVR0fBIGXMIGUMEig
RqBEhkJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRM
U1JTQVNIQTI1NjIwMjBDQTEtMi5jcmwwSKBGoESGQmh0dHA6Ly9jcmw0LmRpZ2lj
ZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbEcyVExTUlNBU0hBMjU2MjAyMENBMS0yLmNy
bDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9DUFMwgYUGCCsGAQUFBwEBBHkwdzAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tME8GCCsGAQUFBzAChkNodHRwOi8vY2Fj
ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxHMlRMU1JTQVNIQTI1NjIw
MjBDQTEuY3J0MAkGA1UdEwQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2
AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABgW2W6GIAAAQDAEcw
RQIhALHk4hlJgbsomxK4CC1jwQoc++NdbCbtuyTAeFanoakbAiBOj94V3QdJ65li
2ykgl61ppSDc+f6whFNAahVbRHcygwB1ADXPGRu/sWxXvw+tTG1Cy7u2JyAmUeo/
4SrvqAPDO9ZMAAABgW2W6HcAAAQDAEYwRAIgCR0iv2F/qB/MFRsahy1L3hbYY/OQ
8F97mwPnyTFz+J8CIFaVc1biUi3he3RD9NDDIzbhY/bp5vwMKEoN5M6qyn7SAHYA
tz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGBbZbobQAABAMARzBF
AiEA2iM1L4BC6qxC/Aj955uh6l/pDQ069PEbFJ9WVKWJ27ICIBYjuqFKduY44f5d
vNRnJ0X71vC2PY+lvhM3SMUgzz7sMA0GCSqGSIb3DQEBCwUAA4IBAQB9YoND7qV2
dwF6CeFQa2y4bbJABBCTJklqseYNW+t63YWdHuemRl4NR0f58JDKCVfoy9DZfocx
w5IwojTH2Tb52pA5KMPad+LHt73GxW7cv1fVrm5/eW8E9YFiJ6+kEkFyL+YC7akX
96FBVh4wPI4ScY1tvEJQt1AGROG3/11A+dLEMSfQMpF2dICRc9bvphE47LtjjlRE
p3IZwkJ2k0HOH34W6ktDVaxyiOEGwAXz3QFActEGrhQimMca1hrQfhc6tUrCa5C6
8YuJbF9otlPF9qDtvYsV04DHTTKDxHsrZkhJ8Q5v9dibn16qFRy4aMLupQOMy4qg
qE0Rk1L1xNAP
-----END CERTIFICATE-----
