PHP + cURL + CA bundle + Plesk = SSL issue?

I corrected an issue with the above products on my friend’s server today. Supposedly, the payment processor changed the SSL certificate used by their payment server and broke cURL payment processing for clients. The server in question was running Plesk 8.1.1 and CentOS.

Since the fix isn’t published online, I’ll post my fix here.

I noticed quite a few posts mentioned the cURL '-k' or '--insecure' flag, which does not verify the SSL certificate (e.g. if a self-signed certificate is being used). If you can't verify an SSL certificate, then its authenticity is questionable. The '-k' flag does NOT send communications in clear-text, as I previously noted (sorry!). That's not something I approve of, nor something I would recommend to a friend or client.

So, what to do? First of all, I determined the path to the cURL CA bundle on the system.

grep -ir "curl" /etc
/etc/init.d/psa:CURL_CA_BUNDLE_FILE=/usr/share/curl/curl-ca-bundle.crt

From the output above, we determine that Plesk is looking for the cURL CA bundle in /usr/share/curl/ and that the filename should be curl-ca-bundle.crt.

Next, we need to download cacert.pem from http://curl.haxx.se/docs/caextract.html. I recommend using wget to download it to your server directly. You will need to rename the file to curl-ca-bundle.crt once it’s downloaded.

Copy curl-ca-bundle.crt to /usr/share/curl. If you get an error stating the path doesn’t exist, then you will need to create it using mkdir -p /usr/share/curl. Once the path exists, copy the file to the new path: cp curl-ca-bundle.crt /usr/share/curl.

This is where it gets tricky. Open curl-ca-bundle.crt in vim or your favorite editor and search for "Equifax Secure Global eBusiness CA". Copy the whole block, from the line with that name down to and including the END CERTIFICATE line. We need to copy that block to one more file (search for ca-bundle.crt on your system): /usr/share/ssl/certs/ca-bundle.crt. Append the block to the bottom of the file. Remember to press ENTER after the last line so the file ends with a newline. Of course, remember to ask your payment processor who their SSL vendor is and use the correct block.

Next, simply restart the Apache process: service httpd restart
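As an added example (not part of the original post), here is a small POSIX shell script that does the copy-the-block step from above without an editor: it pulls the named CA's block out of curl-ca-bundle.crt and appends it to the system bundle only when that CA is not already there, making sure the file ends with a newline first. The paths and the CA name are the ones from this post; the test URL in check_with_bundle is a placeholder you must replace.

```sh
#!/bin/sh
# Added example, not from the original post: copy one CA's block from the
# cURL bundle into the system bundle, the way the post describes by hand.
set -eu

# Print the block for CA "$2" from bundle "$1": from the line that holds the
# name through the matching END CERTIFICATE line (the span the post says to copy).
extract_ca_block() {
    awk -v name="$2" '
        !found && index($0, name) { found = 1 }
        found { print }
        found && /-----END CERTIFICATE-----/ { exit }
    ' "$1"
}

# Append that block to bundle "$3" unless "$3" already mentions the CA name.
# Return 0 when appended, 1 when already present, 2 when "$1" lacks the CA.
append_ca_if_missing() {
    src=$1; name=$2; dst=$3
    block=$(extract_ca_block "$src" "$name")
    [ -n "$block" ] || return 2
    if grep -qF -- "$name" "$dst" 2>/dev/null; then
        return 1
    fi
    # Make sure the target ends with a newline first (the post's "press ENTER").
    if [ -s "$dst" ] && [ $(( $(tail -c 1 "$dst" | wc -l) )) -eq 0 ]; then
        printf '\n' >> "$dst"
    fi
    printf '%s\n' "$block" >> "$dst"
}

# Verify against a real endpoint with the bundle instead of reaching for -k:
# a non-zero exit here means the chain still does not validate.
check_with_bundle() {
    curl -sS --cacert "$1" -o /dev/null "$2"
}

# Paths and CA name from the post (confirm the CA with your processor).
# The URL is a placeholder; use your processor's test endpoint. Uncomment to run:
# append_ca_if_missing /usr/share/curl/curl-ca-bundle.crt \
#     "Equifax Secure Global eBusiness CA" /usr/share/ssl/certs/ca-bundle.crt
# check_with_bundle /usr/share/ssl/certs/ca-bundle.crt https://example.invalid/
```

Run it as root after copying curl-ca-bundle.crt into place, then restart Apache as described.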

That’s it. You should now be able to process transactions using cURL and SSL.