topic Re: SSL peer certificate or SSH remote key was not OK in Integration and Testing

SSL peer certificate or SSH remote key was not OK

BrandonM — Tue, 22 Apr 2014 20:02:48 GMT

I have a production site that worked fine with authorize.net up until about 2:00PM EST today. cURL is throwing back a "SSL peer certificate or SSH remote key was not OK" error when attempting to post data to https://secure.authorize.net/gateway/transact.dll.

I am the only developer on the site, and I have not logged in at all today until someone reported an issue where they could not complete their transaction. Can anyone provide me with any direction? I have tried restarting the entire device just for good measure. No luck.

Re: SSL peer certificate or SSH remote key was not OK

Lilith — Tue, 22 Apr 2014 20:40:25 GMT

I'm presuming this is for an inbound API call for AIM or DPM. If wrong, please let me know.

We haven't made any SSL changes to the Transact servers in about a year. Did you confirm you have up-to-date Entrust CA certificates in your key store?

Re: SSL peer certificate or SSH remote key was not OK

Mrpbody4 — Tue, 22 Apr 2014 20:50:25 GMT

Hello,

We also have a machine that started reporting the same errors at approximately 1PM CST today.

Can someone please advise?

Gerald Bauer

JB Systems, LLC

Re: SSL peer certificate or SSH remote key was not OK

Mrpbody4 — Tue, 22 Apr 2014 21:12:35 GMT

Additional details from CURL request:

string(0) "" array(20) { ["url"]=> string(49) "https://secure.authorize.net/gateway/transact.dll" ["content_type"]=> NULL ["http_code"]=> int(0) ["header_size"]=> int(0) ["request_size"]=> int(0) ["filetime"]=> int(-1) ["ssl_verify_result"]=> int(1) ["redirect_count"]=> int(0) ["total_time"]=> float(0.000953) ["namelookup_time"]=> float(5.7E-5) ["connect_time"]=> float(0.000999) ["pretransfer_time"]=> float(0) ["size_upload"]=> float(0) ["size_download"]=> float(0) ["speed_download"]=> float(0) ["speed_upload"]=> float(0) ["download_content_length"]=> float(-1) ["upload_content_length"]=> float(-1) ["starttransfer_time"]=> float(0) ["redirect_time"]=> float(0) } SSL peer certificate or SSH remote key was not OK
Array ( [url] => https://secure.authorize.net/gateway/transact.dll [content_type] => [http_code] => 0 [header_size] => 0 [request_size] => 0 [filetime] => -1 [ssl_verify_result] => 1 [redirect_count] => 0 [total_time] => 0.000953 [namelookup_time] => 5.7E-5 [connect_time] => 0.000999 [pretransfer_time] => 0 [size_upload] => 0 [size_download] => 0 [speed_download] => 0 [speed_upload] => 0 [download_content_length] => -1 [upload_content_length] => -1 [starttransfer_time] => 0 [redirect_time] => 0 )

Re: SSL peer certificate or SSH remote key was not OK

Lilith — Tue, 22 Apr 2014 21:18:44 GMT

Could you please share HTTPS log data, please, so we can see where your SSL configuration is failing?

I believe on IIS-based servers you may need to enable WinHTTP logging first, then check the log for SSL/TLS errors. There are similar steps you may need to take on Apache servers.

Re: SSL peer certificate or SSH remote key was not OK

Mrpbody4 — Tue, 22 Apr 2014 21:19:23 GMT

Certainly. Just a few moments please...

Re: SSL peer certificate or SSH remote key was not OK

Mrpbody4 — Tue, 22 Apr 2014 21:24:08 GMT

It appears our machine is not setup for logging this.
Any tips?

Re: SSL peer certificate or SSH remote key was not OK

Mrpbody4 — Tue, 22 Apr 2014 21:38:50 GMT

Our server started establishing connections again. We rebooted Apache a couple of times through this process, otherwise

no significant changes were made.

Was something done on Authorize's end?

Re: SSL peer certificate or SSH remote key was not OK

Lilith — Wed, 23 Apr 2014 16:14:06 GMT

As I mentioned, we haven't made any SSL configuration changes to the Transact servers in about a year. That's why I was asking for logs, so we can see exactly where the SSL negotiation is breaking down.

Re: SSL peer certificate or SSH remote key was not OK

aniemi — Wed, 23 Apr 2014 16:57:57 GMT

We're also experiencing this issue. No changes have been made on our servers.

When trying to curl from command line:

curl https://secure.authorize.net/gateway/transact.dll
curl: (51) SSL peer certificate or SSH remote key was not OK

What other logs would you like to see?

Thanks

Re: SSL peer certificate or SSH remote key was not OK

aniemi — Wed, 23 Apr 2014 18:15:02 GMT

Strangely enough I was able o fix this problem by changing our DNS on the server from using OpenDNS to Google.

I'm not sure why/how, but it appears OpenDNS is having an issue.

HTH

Re: SSL peer certificate or SSH remote key was not OK

BrandonM — Wed, 23 Apr 2014 22:01:08 GMT

Changing our DNS from OpenDNS to Google DNS resolved the issue for us yesterday as well. Could have saved you some troubleshooting by replying yesterday, but I was swamped. Not sure what to really make of this, but it worked.

Re: SSL peer certificate or SSH remote key was not OK

Lilith — Thu, 24 Apr 2014 15:37:09 GMT

That's odd that OpenDNS was causing issues, but not Google DNS.

I did a cursory poke at the DNS A records showing up on both servers and compared it to my local DNS A records, and they show the same IP addresses, so I'm not sure where the discrepancy lies.

But I'm glad to know there is at least a workaround.

Aniemi, to answer your earlier question about curl: If you use the --verbose (-v for short) flag, it should dump every step of establishing the connection, including DNS lookup, SSL/TLS negotiation, and of course the raw HTTP data.

I find it sometimes useful to run "curl -v https://secure.authorize.net/gateway/transact.dll" to troubleshoot connection issues to us, and it may have exposed the OpenDNS issue you've now noticed.