SSL errors using MailChimp’s API

by

Having spoken to MailChimp, the certificate they’re still (Jan 2016) using – for compatibility reasons, they told me – is the GTE CyberTrust Global Root (note GTE was bought by Digicert), so you don’t need to replace the entire bundle, just add or force PHP to read this certificate:

https://gte-cybertrust-global-root.digicert.com/info/index.html

(note you’ll get an ‘insecure connection’ warning if you try and load that in Firefox, for hopefully obvious reasons – you can add an exception.)

It’s in standard .crt format, which is what you need. Guide to certificate formats

You didn’t specify what the server was but here’s how to add an extra one on Linux without having to replace an entire bundle etc:

On Debian/Ubuntu, certificates live in /etc/ssl/certs/

  1. Copy and paste the signature into a new file in that directory, e.g. mailchimp-legacy.crt
  2. run sudo c_rehash /etc/ssl/certsWhat’s going on here: c_rehash calculates a short hash of each certificate and creates a symlink from that to the original .pem or .crt file. Basically it’s a quick lookup table for openssl – openssl will perform the hash as well and look for the symlink, rather than having to have a database of certificate names or open every file in turn to find the right one.
  3. check it’s worked with this: ls -lh *.0 | grep 'mailchimp-legacy.crt'

You should see something like this:

lrwxrwxrwx 1 root root 20 Feb 13 14:17 4d654d1d.0 -> mailchimp-legacy.crt
lrwxrwxrwx 1 root root 20 Feb 13 14:17 c692a373.0 -> mailchimp-legacy.crt

Alternatively: On Debian, there’s also a file called /etc/ca-certificates.conf and the exclamation mark in the line !mozilla/GTE_CyberTrust_Global_Root.crt indicates not to use that one. I believe it’s possible to put a copy of the certificate with that name under /usr/share/ca-certificates/mozilla and run sudo update-ca-certificates, but it seems to me it be likely to be removed again when the package & config file are next updated.

Remember to remove any workarounds you were using – e.g.
– old CA bundles in your certificate directory
– anywhere you override CURLOPT_CAINFO in your PHP
– an openssl.cainfo line in your php.ini

Check your application works correctly. I didn’t need to restart PHP or my webserver, the change was instant. Worth using apt-get update/upgrade to check you have the most recently certificate packages.

Here’s a way to verify SSL connection (and verification) to a specific server from the command line:

echo GET | openssl s_client -CApath /etc/ssl/certs/ -connect us3.api.mailchimp.com:443 2>&1

Monitoring: (updated) MailChimp’s v2.0 API (deprecated) has an endpoint called helper/ping which returns some text to indicate the API status – useful as an automated test of API health and that your certificates are all still working. If you’re using v3.0, they recommend using the API Root Resource and appending ?fields=account_name if you don’t actually need to check any of the data.

Someone asked in the comments if this was related to Heartbleed. No. Heartbleed is an openssl vulnerability related to eavesdropping on data in RAM. Mozilla removed GTE CyberTrust (twice) because they wanted to remove all 1024-bit root certificates – research has suggested a nation state could break a 1024-bit prime.

More Related Contents:

  1. How do you sign a Certificate Signing Request with your Certification Authority?
  2. Is a HTTPS query string secure?
  3. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  4. “The underlying connection was closed: An unexpected error occurred on a send.” With SSL Certificate
  5. Import certificate as PrivateKeyEntry
  6. How to do a https request with bad certificate?
  7. Third-Party Signed SSL Certificate for localhost or 127.0.0.1?
  8. How to Configure SSL for Amazon S3 bucket
  9. Use self signed certificate with cURL?
  10. How to force SSL for Kubernetes Ingress on GKE
  11. Ignore SSL certificate errors in Xamarin.Forms (PCL)
  12. How can I create keystore from an existing certificate (abc.crt) and abc.key files?
  13. Specifying trust store information in spring boot application.properties
  14. Nginx configuration leads to endless redirect loop
  15. Why does my wss:// (WebSockets over SSL/TLS) connection immediately disconnect without giving any errors?
  16. Enabling SSL with XAMPP
  17. pip always fails ssl verification
  18. How to add subject alernative name to ssl certs?
  19. Insecure content in iframe on secure page
  20. kubectl unable to connect to server: x509: certificate signed by unknown authority
  21. Difference between self-signed CA and self-signed certificate [closed]
  22. PushSharp APNS production: The credentials supplied to the package were not recognized (development works fine though)
  23. Google App Script – MySql 8 – JDBC Connection Failed
  24. Self-signed SSL Cert or CA? [closed]
  25. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  26. Generating client side certificates in browser and signing on server
  27. Jenkins Windows slave connection getting terminated with java.nio.channels.ClosedChannelException
  28. SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server
  29. What is CA certificate, and why do we need it?
  30. PayPal IPN acknowledgements failing with SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Leave a Comment