wepayCertVerify
WeChat Payment HTTPS Server Certificate Verification - a repo to verify whether your server supports the new certificates deployed by Tencent
Why?
According to the official announcement from Tencent, it will enforce new certificates for WeChat Payment by updating its own root CA certificates to DigiCert, with a deadline of 29 May 2018. We need to proceed with the update according to its guideline.
Basically, what we need to do is:
1. Verify whether we need to take further action to install the root CA certificates from WeChat Payment. If the verification passes, there is nothing further to do. This repo follows the guideline as seen here for its verification.
2. If the verification does not pass, grab the root CA certificates as found here, then install them onto your server.
This repo has code to help you verify step 1. If you need to perform step 2, continue reading this README for instructions on how to install the certificates on your server.
How to Verify?
- Clone the repo to your computer
- Configure your merchant platform key and merchant number in apitest.js. See the corresponding comments inside the source file.
- Execute node apitest.js
If you see success, similar to the following result, you're good to go and there is no need to perform 2.
<xml>
<return_code><![CDATA[SUCCESS]]></return_code>
<return_msg><![CDATA[ok]]></return_msg>
<sandbox_signkey><![CDATA[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]]></sandbox_signkey>
</xml>
in which the value inside sandbox_signkey is a 32 hex-char string that you will be using in other payment APIs.
Beware!!
The apitest.js file is meant to be executed on your system as a testing script. You modify its source code for KEY and MCH_ID, but you should never commit such changes back to your own or the upstream repository. If you find enhancements that you want to contribute, please make sure not to commit your KEY and MCH_ID back to the repo.
How to List & Install Root CA Certificates On Your Server?
Ubuntu 16.04
List
You can list all of root CA certificates by using the following command (thanks to Stephane Chazelas)
awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
Install
Follow instructions here.
In short, you need to get a .crt file (convertible from a .pem file), then let the system know the path to the certificate.
CentOS 7
List
You can manually take a peek at /etc/ssl/certs/ca-bundle.crt and search there for the exact name of the certificate, namely "DigiCert Global Root CA" or "Baltimore CyberTrust Root CA". If either of the two is found, you're most likely good to go. Just run step 1 again to be 100% sure.
Otherwise, we can follow an approach similar to the one used for Ubuntu above, with the following command (thanks to Nathan Basanese)
$ awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt
Install
Follow instructions here.
License
Abzi.co. MIT

