We’ve just started receiving the following error when trying to process PayPal payments on our production system.
Our system hasn’t been recently updated so the issue is not our code base.
The error is reporting as:
```
An OpenSSL::SSL::SSLError occurred in memberships#pay_renewal:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
```
I’m at a loss to know where to begin with this.
The application is running Ruby on Rails v6.0.2, using paypal-sdk-rest gem (v 1.7.4), and running on an Amazon EC2 Redhat instance.
I suspect it’s to do with new certificates needing to be installed somewhere on our server.
2 Answers
Your suspicions are correct, make sure you are trusting the DigiCert roots (High Assurance EV and Global G2) as the cutoff was made recently for api.paypal.com — many notifications were sent about this
Some details here: https://www.paypal.com/us/smarthelp/article/migration-to-digicert-root-certificates-ts2240
For those who are looking for an immediate solution, here is a bit more technical detail on top of the information @preston-phx and @houdi provided:
As mentioned in PayPal’s article: https://www.paypal.com/us/smarthelp/article/migration-to-digicert-root-certificates-ts2240
Download the "DigiCert High Assurance EV Root CA" and "DigiCert Global Root G2" certificates from DigiCert here:
https://www.digicert.com/kb/digicert-root-certificates.htm
Also, download certificates for all PayPal APIs you are making calls to from:
https://www.paypal.com/us/smarthelp/article/ts1510
(In my case, I only use api.paypal.com so I downloaded api.paypal.com.pem and api.sandbox.paypal.com.pem)
These will give you a set of pem files like:
Merge all your files to a single paypal.crt file, which will look like:
Put the file somewhere in your project. I put it under data/paypal.crt, similar to where the PayPal-Ruby-SDK stores it.
Now you can monkey patch the SDK to use your paypal.crt file instead of the outdated one provided in the SDK by adding the following snippet somewhere before where you initialize your PayPal SDK:
I’m using Rails so I added that directly to the top of my config/initializers/paypal.rb file.
(I’m not providing any direct links to the certificates or the certificates themselves here because you should never trust any certificate provided by a third party. Download all certificates directly from the PayPal and DigiCert sites.)
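A way to check a merged bundle such as paypal.crt before pointing the SDK at it, as an added example (it is not the answer's snippet and not PayPal SDK code): it reproduces the question's `unable to get local issuer certificate` error against a stale bundle and shows it clearing once the issuing root is merged in. Every certificate and name below is a throwaway one constructed by the script, and the helper names are hypothetical.

```ruby
require "openssl"

# Build a throwaway certificate (constructed test material, not a real CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Split a merged PEM bundle into its individual certificates.
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Trust only what is in the bundle, then try to build a chain for the leaf.
# Returns [verified?, OpenSSL's error string].
def verify_against(bundle_pem, leaf)
  store = OpenSSL::X509::Store.new
  load_bundle(bundle_pem).each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Constructed scenario: the server's leaf now chains to a root the old bundle lacks.
def constructed_material
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert("Constructed Old Root", old_key, ca: true)
  new_root = make_cert("Constructed New Root", new_key, ca: true)
  leaf = make_cert("api.example.test", leaf_key, issuer: new_root, issuer_key: new_key)
  { stale: old_root.to_pem, merged: old_root.to_pem + new_root.to_pem, leaf: leaf }
end

if __FILE__ == $PROGRAM_NAME
  m = constructed_material
  p verify_against(m[:stale], m[:leaf])  # stale bundle: issuer not found
  p verify_against(m[:merged], m[:leaf]) # merged bundle: chain builds
end
```

To inspect your own file, pass `File.read("data/paypal.crt")` to `load_bundle` and print each certificate's `subject` and `not_after` to confirm the expected roots are present and unexpired.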