helmutschneider / swish-php

PHP-wrapper for the Swish merchant api
MIT License

Production certificate #16

Closed PerEskilson closed 5 years ago

PerEskilson commented 5 years ago

Hi Helmut !

Your code works fine on test and returns a token. I have also created a production Key and CSR according to: openssl req -nodes -newkey rsa:4096 -keyout MYKEY.key -out MYCSR.csr With MYCSR.csr I created a certificate on SWISH cert page. I then concatenated MYKEY.key with the created certificate hierarchy (Key + 3 cert)
into a file client.pem but I do not have anything for my root.pem, and Swedbank does not require a root.pem. So can I just fill in the root.pem with an empty file or have I missed something?

I get lost after I created the CERT (3 certs output in one string) on SWISH cert page and don't know if I chose the right Key to concat and how I shall deal with the file root.pem.

helmutschneider commented 5 years ago

I'm quite certain Swish uses the same environment for all banks so Swedbank should also require a root certificate. However, your computer may implicitly trust the root certificate because it belongs to a well-known provider (Digicert).

The root certificate along with your other certs can be downloaded from the Swish Certificate Management (https://developer.getswish.se/content/uploads/2019/03/Swish-Certificate-Management-Guide.pdf).

PerEskilson commented 5 years ago

Thanks :)

Kind regards Per Gustav Eskilson Mobile: (+46)733-780749


PerEskilson commented 5 years ago

I have created a certificate string with 3 certificates at SWISH cert page.

At the SWISH page that you refer to, they are very cryptic about what a client cert is. They talk about one root certificate and two intermediate bank CA certificates but do not mention what the client certificate consists of (see their text below). On their test case they are crystal clear and here they supply me with
1 root.pem that consists of a single certificate and one client.pem that consists of one key + 3 certificates.

I quote SWISH home page:

2.6 Download Client Certificate It is possible to download all certificates that have been issued for the merchant/TS and the Swish number that is administered. If a certificate has expired or has been revoked an information message is displayed if a person tries to download it. In order to download a certificate, copy the text in the text area and save it to a file on the merchant web server. The text represents the certificate together with the certificate chain, i.e. the Swish RootCA certificate and two intermediate bank CA certificates, in either PEM or PKCS#7 format.

The generated certificate string from the SWISH certificate page is a string with 3 certificates in total. I suppose the first certificate shall be copied into root.pem, and certificates 2 and 3 should be put into the file client.pem.

But this does not work, and if I look at the SWISH test example (which runs excellently with your code), they have 4 certificates in total, where 1 is located in root.pem, and 3 are located in client.pem.

This makes me wonder why SWISH's own test example uses 4 certificates, but I can only generate 3 on their home page?

Something does not match.

So my real question is:

What is the true definition of SWISH root and client certificates respectively?

BRGDS Per


helmutschneider commented 5 years ago

I agree with you, it is a shit show. Swish has made this unnecessarily hard by using SSL as a login mechanism. I'll try my best to explain what the certificates mean.

Root Represents an authority that issues signed certificates. For normal web applications this is usually one of the biggies like Comodo, Identrust, Symantec, Godaddy etc. In 99% of cases these are implicitly trusted by your web browser so you never have to agree to anything. The reason this is so hard with Swish is because they are using their own root issuer. This means that your computer won't trust it by default.

Client The client, which is you, needs a mechanic of telling your users "hey, I'm trusted by a big root authority so my application is safe to use". Therefore, you ask a root authority to sign your certificate. Usually you generate this cert yourself, upload it to the root server and receive a signed version back. In this way the root server will also know who you are when talking to it.
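A structural check for the two files this thread keeps coming back to, added here as an example and not part of swish-php: root.pem must hold the CA certificate(s) the client will trust, client.pem must hold exactly one private key plus the merchant certificate chain, and a PKCS#7 download has to be converted before either file will work. The PEM bodies are constructed and deliberately not real certificates; the check only validates the layout of the bundle, not the signatures.

```python
import base64
import re
from typing import Dict, List

# Constructed PEM body: decodes to a DER SEQUENCE header so the structural
# check accepts it. It is not a real certificate or key.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

def pem_block(label: str) -> str:
    """Build a constructed PEM block with the given label (e.g. CERTIFICATE)."""
    return f"-----BEGIN {label}-----\n{FAKE_DER}\n-----END {label}-----\n"

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_pem(text: str) -> Dict[str, int]:
    """Count PEM blocks by label; blocks whose body is not base64 DER count as INVALID."""
    counts: Dict[str, int] = {}
    for label, body in BLOCK_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""
        key = label if der[:1] == b"\x30" else "INVALID"  # 0x30 = ASN.1 SEQUENCE
        counts[key] = counts.get(key, 0) + 1
    return counts

def check_swish_layout(root_pem: str, client_pem: str) -> List[str]:
    """Return a list of problems with the root.pem / client.pem split; empty means OK."""
    problems: List[str] = []
    root, client = inspect_pem(root_pem), inspect_pem(client_pem)
    if root.get("CERTIFICATE", 0) < 1:
        problems.append("root.pem: no CA certificate (empty file will not verify the server)")
    if any(k.endswith("PRIVATE KEY") for k in root):
        problems.append("root.pem: contains a private key; it belongs in client.pem only")
    keys = sum(v for k, v in client.items() if k.endswith("PRIVATE KEY"))
    if keys != 1:
        problems.append(f"client.pem: expected exactly 1 private key, found {keys}")
    if client.get("CERTIFICATE", 0) < 1:
        problems.append("client.pem: no certificate to present to Swish")
    for name, counts in (("root.pem", root), ("client.pem", client)):
        if "PKCS7" in counts:
            problems.append(f"{name}: PKCS#7 bundle; convert it to PEM certificates first")
        if "INVALID" in counts:
            problems.append(f"{name}: {counts['INVALID']} block(s) with undecodable body")
    return problems

if __name__ == "__main__":
    # The situation from the first post: key + 3 certs in client.pem, empty root.pem.
    print(check_swish_layout("", pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") * 3))
```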

PerEskilson commented 5 years ago

Thank you very much, that was very clear. Now I understand the trust issue with SWISH. I have a strong feeling SWISH should review their developer documentation. It needs some revision :)

BRGDS Per


PerEskilson commented 5 years ago

Thank you very very much. The application works now in production :)

Kind regards Per Gustav Eskilson Mobile: (+46)733-780749


helmutschneider commented 5 years ago

That's great news. Closing this

PerEskilson commented 4 years ago

Hi !

I implemented SWISH commerce this summer with Helmut Schneider's PHP code and it worked fine. I tried it out and it worked without problems with root.pem and client.pem certificates. I did some trial payments ONLINE with real money on production and it worked fine.

Now, when we go into production SWISH does not work any more. Are there any upgrades I have to do, or have they changed certificates?

In SWISH's own guidelines they have 2 certificates in the root certificate, while the homepage for CERT only shows 1?

I get the following error when I try to issue a payment request.

Slim Application Error

The application could not run because of the following error:

Details

Type: GuzzleHttp\Exception\RequestException Message: Error creating resource: [message] fopen() [function.fopen]: SSL operation failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure [file] /var/www/tangokompaniet.com/pertest.tangokompaniet.com/app/slim/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php [line] 323 [message] fopen() [function.fopen]: Failed to enable crypto [file] /var/www/tangokompaniet.com/pertest.tangokompaniet.com/app/slim/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php [line] 323 [message] fopen(https://mss.cpc.getswish.net/swish-cpcapi/api/v1/paymentrequests) [function.fopen]: failed to open stream: operation failed [file] /var/www/tangokompaniet.com/pertest.tangokompaniet.com/app/slim/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php [line] 323 File: /var/www/tangokompaniet.com/pertest.tangokompaniet.com/app/slim/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php Line: 52

Best Regards Per +46733780749

PerEskilson commented 4 years ago

Forget about the error - I got it working.
