Question posted in 
There are a ton of posts about this. I have looked at so many of them. Zero of the fixes seem to work.
(main)> PayPal::SDK::Subscriptions::Plan.all
Request[post]: https://api.sandbox.paypal.com/v1/oauth2/token
Request.body=grant_type=client_credentials request.header={"User-Agent"=>"PayPalSDK/PayPal-Subscriptions-Ruby-SDK 0.3.1 (paypal-sdk-core 1.7.4; ruby 2.6.6p146-x86_64-linux;OpenSSL 1.1.1d 10 Sep 2019)", "Content-Type"=>"application/x-www-form-urlencoded", "Authorization"=>"Basic xxx"}
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
from /usr/local/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock'
I have tried rvm 2.6.6, 2.7.0, and Debian Buster system ruby.
I followed all of these:
https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#troubleshooting-certificate-errors
I ran the automated SSL check and everything is roses:
https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#automated-ssl-check
root@19ab47f15632:/usr/src/app# curl -Lks 'https://git.io/rg-ssl' | ruby
Here's your Ruby and OpenSSL environment:
Ruby: 2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux]
RubyGems: 3.0.3
Bundler: 2.1.2
Compiled with: OpenSSL 1.1.1d 10 Sep 2019
Loaded version: OpenSSL 1.1.1d 10 Sep 2019
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
SSL_CERT_DIR: /usr/lib/ssl/certs
With that out of the way, let's see if you can connect to rubygems.org...
Bundler connection to rubygems.org: success ✅
RubyGems connection to rubygems.org: success ✅
Ruby net/http connection to rubygems.org: success ✅
Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌
I tried gem update --system, bundler is updated.
I tried curling the new CA to the location of ruby’s default SSL file:
curl -fsSL curl.haxx.se/ca/cacert.pem -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')"
I checked that my system’s time was accurate (it’s accurate to UTC).
I have no earthly idea what to do from here. The PayPal SDK subscription gem is using net/http under the covers because it relies on the core PayPal SDK gem. I tried increasing the loglevel to DEBUG but it prints out no additional details as it appears to fail in the same exact place, and I can’t figure out where that failure actually is.
I’m at a loss. Short of disabling SSL verification, I don’t know what to do. Is there some way to get more traceback / more error here to troubleshoot further? Using net/http directly against the PayPal API works fine (no SSL error). So it’s something that happens after the initial request
6
Answers
I’m leaving this here, but the answer by RidingRails is what I consider "correct". It is the proper solution to dealing with this longer-term, although the real solution is to move to PayPal’s newer gem.
My answer below is to help you quickly get PayPal working again without having to push out an update to your code.
This is really ugly, as PayPal packages the certs with their gem. To get up and running, you need to find the gem in your bundle and specifically find the file "paypal.crt". At the end, you need to add the two certificates that are missing. I am not going to copy/paste them here, but they are easily found. Actually, they were already on my Ubuntu system in /etc/ssl/certs:
DigiCert_Global_Root_G2.pem
DigiCert_High_Assurance_EV_Root_CA.pem
PayPal provides links here:
https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240
Steps to fix:
Find the paypal.crt file in the version of the gem that you are using. Here’s what that looked like for me:
cd app/production/shared/bundle
find . -name paypal.crt
At this point, I had a file in version 1.7.3 and 1.7.4 of the gem. I’m using the 1.7.4 version, so I edited that file.
Add those two certificates to the bottom. You should put the name of the certificate on a line, a line with "=" repeated to make a nice separator, and then the entire certificate including the BEGIN and END lines.
Restart your application.
This is not a long-term solution but will get you back running quickly. Long term – upgrade to the new gem.
Here is what we ended up doing on my team.
We added the 2 certs that Michael mentioned in
Then in paypal.yml
We left the Gem as is. Initially we tore through the gem looking for answers but ultimately we left the gem as is and added the crt and updated yaml as show above.
Its possible to fix this by using the server’s own CA file.
Try setting
ssl_options: { ca_file: nil }.This causes the
paypal.crtCA file bundled with the paypal-sdk gem to be ignored.For apps using PayPal::SDK.configure(…)
For apps using a YAML config file
In
config/paypal.ymlor wherever your config file is located:If you don’t use
PayPal::SDK.configure. In paypal.yml addAs PayPal has changed TLS, so the easiest way (fastest) was to resolve as monkey patch. This patch says to use all default settings
A similar but slightly less invasive solution than @kritik
This still allows you to change other SSL settings in initializers and only removes the default CA file.
You want to create a file in
config/initializersand put the above code in it.