klarna / php-xmlrpc

DEPRECATED: the klarna xmlrpc library for php

Verification of SSL Issuer "thawte SSL CA - G2" fails on Debian 8 #11

Open razorness opened 8 years ago

razorness commented 8 years ago

This issue is not really related to Klarna/PHP-XMLRPC but I guess it's good to know:

This curl exception will be thrown: `CURL error: SSL certificate problem: unable to get local issuer certificate` when making a request as follows:

```
---CURL INFO---
url: https://payment.testdrive.klarna.com:443/
content_type:
http_code: 0
header_size: 0
request_size: 0
filetime: -1
ssl_verify_result: 1
redirect_count: 0
total_time: 0.635116
namelookup_time: 0.528931
connect_time: 0.575807
pretransfer_time: 0
size_upload: 0
size_download: 0
speed_download: 0
speed_upload: 0
download_content_length: -1
upload_content_length: -1
starttransfer_time: 0
redirect_time: 0
redirect_url:
primary_ip: 88.80.182.203
certinfo:
primary_port: 443
local_ip: 10.20.1.24
local_port: 39457
---END---
```

System:

Curl-Info from php -i:

```
cURL support => enabled
cURL Information => 7.38.0
Age => 3
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host => x86_64-pc-linux-gnu
SSL Version => OpenSSL/1.0.1k
ZLib Version => 1.2.8
libSSH Version => libssh2/1.4.3
```

There seems to be no way to register a CA Root Certificate on the fly for requests against Klarna API. You need to set curl.cainfo for cURL in php.ini globally to resolve this issue since Klarna/XMLRPC/Klarna isolates its instance of PhpXmlRpc\Client completely.

razorness commented 8 years ago

A link to the corresponding ticket in the Debian bug tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812708

gildebrand commented 8 years ago

I have this issue as well currently. How did you solve it?

razorness commented 8 years ago

The only way is to deactivate SSL and hope that the deb package maintainer will release a fixed version. :(

gildebrand commented 8 years ago

I've been trying to find a way to deactivate it but could not find a working solution. Would you mind pointing me in the right direction?

razorness commented 8 years ago

Here is my code. The good news: I still use SSL. But I had to deactivate the chain of trust.

```php
use Klarna\XMLRPC\Klarna;
use PhpXmlRpc\Client;

$klarna = new Klarna();
$klarna->config(
    'id',
    'secret',
    'Country',
    'Language',
    'Currency',
    Klarna::BETA,
    // added this option in my fork to handle UTF-8 correctly
    ini_get('default_charset')
);

/*
 * Hackish way to deactivate Peer Verification for SSL
 */
$reflClass = new \ReflectionClass($klarna);
$reflProperty = $reflClass->getProperty('xmlrpc');
$reflProperty->setAccessible(true);
/** @var Client $xmlrpc */
$xmlrpc = $reflProperty->getValue($klarna);
$xmlrpc->setSSLVerifyPeer(false);
$reflProperty->setAccessible(false);
```

For the general problem, also take a look at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774882#34

gildebrand commented 8 years ago

That works great as a workaround. Thank you very much! 😄

BTW, this affects Ubuntu (14.04) as well.
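
An alternative to switching off peer verification, as an added example that is not part of the thread or of klarna/php-xmlrpc: it reaches the wrapped client through the same reflection access as the workaround above, but hands it a CA bundle and leaves verification on. The function name and the bundle path are hypothetical; `setCaCertificate`, `setSSLVerifyPeer` and `setSSLVerifyHost` are methods of `PhpXmlRpc\Client`.

```php
<?php
// Added example, not code from the thread or from klarna/php-xmlrpc.
// Assumption: the wrapper keeps its PhpXmlRpc\Client in a non-public property
// named 'xmlrpc', which is what the reflection workaround in the thread relies on.

/**
 * Make the wrapped client trust a given CA bundle while verification stays enabled.
 *
 * @param object $klarna       configured Klarna instance
 * @param string $caBundlePath PEM file with the CA certificates the system store lacks
 */
function trustCaBundle($klarna, $caBundlePath)
{
    $pem = @file_get_contents($caBundlePath);
    if ($pem === false) {
        throw new RuntimeException("CA bundle not readable: $caBundlePath");
    }

    // Refuse a bundle without any parseable, currently valid certificate, so a
    // wrong path or an expired CA fails here and not in the middle of a request.
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $now = time();
    $usable = 0;
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info !== false
            && $info['validFrom_time_t'] <= $now
            && $now <= $info['validTo_time_t']) {
            $usable++;
        }
    }
    if ($usable === 0) {
        throw new RuntimeException("No currently valid certificate in $caBundlePath");
    }

    $prop = (new ReflectionClass($klarna))->getProperty('xmlrpc');
    $prop->setAccessible(true);
    $client = $prop->getValue($klarna);
    $prop->setAccessible(false);

    $client->setCaCertificate($caBundlePath); // CA file handed to cURL for this client only
    $client->setSSLVerifyPeer(true);          // chain of trust stays on
    $client->setSSLVerifyHost(2);             // certificate must match the host name
}

// Usage (placeholder path): trustCaBundle($klarna, '/path/to/ca-bundle.pem');
```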