
We’ve just started receiving the following error when trying to process PayPal payments on our production system.
Our system hasn’t been recently updated so the issue is not our code base.

The error is reporting as:
    An OpenSSL::SSL::SSLError occurred in memberships#pay_renewal:

    SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

I’m at a loss to know where to begin with this.

The application is running Ruby on Rails v6.0.2, using the paypal-sdk-rest gem (v1.7.4), and running on an Amazon EC2 Red Hat instance.

I suspect it's to do with new certificates needing to be installed somewhere on our server.

2 Answers


  1. Your suspicions are correct, make sure you are trusting the DigiCert roots (High Assurance EV and Global G2) as the cutoff was made recently for api.paypal.com — many notifications were sent about this

    Some details here: https://www.paypal.com/us/smarthelp/article/migration-to-digicert-root-certificates-ts2240

  2. For those who are looking for an immediate solution, here are a few more technical details on top of the information @preston-phx and @houdi provided:

    As mentioned on Paypal’s article: https://www.paypal.com/us/smarthelp/article/migration-to-digicert-root-certificates-ts2240

    Download the "DigiCert High Assurance EV Root CA" and "DigiCert Global Root G2" certificates from Digicert here:

    https://www.digicert.com/kb/digicert-root-certificates.htm

    Also, download certificates for all Paypal APIs you are making calls to from:

    https://www.paypal.com/us/smarthelp/article/ts1510

    (In my case, I only use api.paypal.com so I downloaded api.paypal.com.pem and api.sandbox.paypal.com.pem)

    These will give you a set of pem files like:

    DigiCertGlobalRootG2.crt.pem
    DigiCertHighAssuranceEVRootCA.crt.pem
    api.paypal.com.pem
    api.sandbox.paypal.com.pem
    

    Merge all your files to a single paypal.crt file, which will look like:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    ...
    

    Put the file somewhere in your project. I put it under data/paypal.crt similar to where the PayPal-Ruby-SDK stores it.

    Now you can monkey patch the SDK to use your paypal.crt file instead of the outdated one provided in the SDK by adding the following snippet somewhere before where you initialize your PayPal SDK:

    # Monkey patch the PayPal SDK so it reads our merged bundle instead of the
    # outdated data/paypal.crt shipped inside the gem. __dir__ is the directory
    # of this file (config/initializers), so ../../data/paypal.crt resolves to
    # <app root>/data/paypal.crt.
    PayPal::SDK::Core::Util::HTTPHelper.class_eval do
      def default_ca_file
        File.expand_path("../../data/paypal.crt", __dir__)
      end
    end
    

    I’m using Rails so I added that directly to the top of my config/initializers/paypal.rb file.

    (I’m not providing any direct links to the certificates or the certificates themselves here because you should never trust any certificate provided by a third-party. Download all certificates directly from PayPal and Digicert sites)

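The following is an added example, not code from either answer or from the PayPal SDK. It reproduces, offline, the failure both answers are diagnosing: a server chain whose root is absent from the client's trust store fails with exactly "unable to get local issuer certificate", and it verifies once the root is in the store, whether added directly or read from a merged bundle file the way the SDK consumes its default_ca_file. It also includes a small summary routine you can run over the merged paypal.crt to confirm the expected roots are present. The CA names, api.example.test, and all keys and certificates are constructed test material, not PayPal's or DigiCert's.

```ruby
require "openssl"
require "tempfile"

# Build a throwaway chain (root CA -> intermediate CA -> server leaf) so the
# verification behaviour can be shown offline. Everything here is a constructed
# test certificate; none of it is PayPal's or DigiCert's material.
def make_cert(subject, key, serial, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT         = make_cert("/CN=Example Test Root CA", ROOT_KEY, 1, ca: true)
INTERMEDIATE = make_cert("/CN=Example Test Issuing CA", INT_KEY, 2, ca: true, issuer: ROOT, issuer_key: ROOT_KEY)
LEAF         = make_cert("/CN=api.example.test", LEAF_KEY, 3, ca: false, issuer: INTERMEDIATE, issuer_key: INT_KEY)

# What the TLS client does on connect: verify the server's leaf, using the
# intermediates the server sent, against the locally trusted roots.
# Returns [verified?, openssl_error_string_or_nil].
def verify_chain(leaf, sent_intermediates, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_intermediates)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Same check, but the trusted certificates come from a CA bundle file, which is
# how a ca_file such as the SDK's default_ca_file is loaded (Store#add_file).
def verify_with_ca_file(leaf, sent_intermediates, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_intermediates)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Split a merged bundle (like the paypal.crt described above) into certificates.
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# One row per certificate: subject, issuer, whether it is a self-signed root,
# and expiry. Run this over the merged file to confirm the roots you expect.
def bundle_summary(pem_text)
  load_bundle(pem_text).map do |c|
    { subject: c.subject.to_s, issuer: c.issuer.to_s,
      root: c.subject.to_der == c.issuer.to_der, not_after: c.not_after }
  end
end

# Write certificates to a temporary bundle file and yield its path.
def with_bundle(certs)
  f = Tempfile.new(["paypal", ".crt"])
  f.write(certs.map(&:to_pem).join)
  f.close
  yield f.path
ensure
  f&.unlink
end

if __FILE__ == $PROGRAM_NAME
  puts verify_chain(LEAF, [INTERMEDIATE], []).inspect     # root not trusted: fails
  puts verify_chain(LEAF, [INTERMEDIATE], [ROOT]).inspect # root trusted: ok
  with_bundle([ROOT, INTERMEDIATE]) do |path|
    puts verify_with_ca_file(LEAF, [INTERMEDIATE], path).inspect
    bundle_summary(File.read(path)).each { |row| puts row.inspect }
  end
end
```

The first call fails with the same OpenSSL string the question reports, because the client has the server's leaf and intermediate but no trusted issuer to anchor them; adding the root (directly or via the bundle file) is the whole fix. Note that a bundle containing only the intermediate is not enough: OpenSSL still walks up to the root and rejects the partial chain.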