skip to Main Content

I am implementing PayPal’s subscriptions API into a project of mine, however, I am getting the following curl error:

array:2 [▼
  "error" => "error_in_reading_cert"
  "error_description" => "Unable to read x509 certificate"
]

note that I am using Laravel. Here is my curl class:

<?php

namespace AppLogicCurl;

class Curl {

    /**
     * Perform new POST request and return decoded JSON response
     *
     * @param $url
     * @param $data
     * @return array
     */
    public function newRequest($url, $data)
    {
        $connection = curl_init($url);

        $clientId = env('services.paypal.client-id');
        $secret = env('services.paypal.secret');

        curl_setopt($connection, CURLOPT_HTTPHEADER, [
                "Content-Type: application/json",
                "Authorization: Basic $clientId:$secret",
            ]
        );

        $options = array(
            CURLOPT_RETURNTRANSFER => true,   // return web page
            CURLOPT_HEADER         => false,  // don't return headers
            CURLOPT_FOLLOWLOCATION => true,   // follow redirects
            CURLOPT_MAXREDIRS      => 10,     // stop after 10 redirects
            CURLOPT_ENCODING       => "",     // handle compressed
            CURLOPT_USERAGENT      => "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36", // name of client
            CURLOPT_AUTOREFERER    => true,   // set referrer on redirect
            CURLOPT_CONNECTTIMEOUT => 120,    // time-out on connect
            CURLOPT_TIMEOUT        => 120,    // time-out on response
        );

        curl_setopt_array($connection, $options);

        curl_setopt($connection, CURLOPT_POSTFIELDS, $data);

        $response = curl_exec($connection);

        if(curl_error($connection)) {
            return curl_error($connection);
        }

        curl_close($connection);

        return $this->decodeResponse($response);
    }

    /**
     * JSON decode the response
     *
     * @param $response
     * @return mixed
     */
    public function decodeResponse($response)
    {
        return json_decode($response, true);
    }

}

here is my PayPal class:

<?php

namespace AppLogicPaypal;

use AppLogicCurlCurl;
use Exception;

class Paypal {

    public function createProduct()
    {
        $productDetails = [
            "name" => "Feedback Form",
            "description" => "Feedback form as a service.",
            "type" => "SERVICE",
            "category" => "SOFTWARE",
            "home_url" => "https://www.feedback.com/"
        ];

        $url = $this->getApiUrl('createProduct');

        $curl = new Curl();

        return $curl->newRequest($url, $productDetails);
    }

    public function getApiUrl($endpointName) {
        $mode = config('services.paypal.mode');

        $urls = [
            'createProduct' => [
                'live' => 'https://api.paypal.com/v1/catalogs/products',
                'sandbox' => 'https://api.sandbox.paypal.com/v1/catalogs/products'
            ]
        ];

        return $urls[$endpointName][$mode];
    }
}

here is my PayPal controller which receives the requests:

<?php

namespace AppHttpControllers;

use AppLogicPaypalPaypal;
use AppSetting;

class PaypalController extends Controller
{
    public function bootstrap()
    {
        $setting = Setting::where('name', '=', 'active_plan_id')->first();

        if ($setting) {
            return 'plan already activated';
        }

        $paypal = new Paypal();
        $product = $paypal->createProduct();

        dd($product);
    }
}

The above code just tries to create a product as per PayPal’s subscriptions documentation.

While searching for a solution online, I came across various questions on StackOverflow – the most promising of which was this. First I tried the most voted solution but it didn’t work for me, though it’s kind of weird. I followed it and went into my /etc/php/7.2/apache2/php.ini and uncommented curl.cainfo and filled it with the absolute path to the downloaded certificate and restarted apache and that didn’t help. Then, I created a php info file and looked at the options and there I couldn’t find curl.cainfo even though the loaded configuration file is exactly the one I edited – according to this curl.cainfo won’t be shown in phpinfo as of PHP7.2 which sets straight that problem.

From the same StackOverflow question, I also tried:

sudo apt-get install ca-certificates

and:

sudo update-ca-certificates

but it didn’t help.

Any help much appreciated.

EDIT 1: Just noticed in PayPal’s documentation here curl is called with option -k which allows even insecure connections, I wonder why is that, does PayPal use self-signed certificates on its sandbox APIs?

EDIT 2: I tried downloading a certificate from here and pointing curl.cainfo to it but it didn’t work as well.

EDIT 3: I tried disabling peer certificate verification by adding the following line $options[CURLOPT_SSL_VERIFYPEER] = false; but I still get the same error

EDIT 4: I, also, tried adding curl_setopt($connection, CURLOPT_CAINFO, '/path/to/cacert.pem'); but it didn’t help

EDIT 5: I, also, tried running the same request from the command line but I get the same error, here is the output:

Note: Unnecessary use of -X or --request, POST is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0*   Trying 173.0.82.78...
* TCP_NODELAY set

  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0* Connected to api.sandbox.paypal.com (173.0.82.78) port 443 (#0)

  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ca-certificates
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]

  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4162 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [944 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api.sandbox.paypal.com
*  start date: Aug 21 00:00:00 2018 GMT
*  expire date: Aug 20 12:00:00 2020 GMT
*  subjectAltName: host "api.sandbox.paypal.com" matched cert's "api.sandbox.paypal.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.

  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0} [5 bytes data]
> POST /v1/catalogs/products HTTP/1.1
> Host: api.sandbox.paypal.com
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Authorization: Basic client-id:secret
> Content-Length: 205
> 
} [205 bytes data]
* upload completely sent off: 205 out of 205 bytes
{ [5 bytes data]
< HTTP/1.1 401 Unauthorized
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
< Content-Length: 87
< Content-Type: application/json
< Date: Wed, 25 Mar 2020 09:45:30 GMT
< Paypal-Debug-Id: f3411e0e1c2ab
< 
{ [87 bytes data]

100   292  100    87  100   205     12     30  0:00:07  0:00:06  0:00:01    55
100   292  100    87  100   205     12     30  0:00:07  0:00:06  0:00:01    68
* Connection #0 to host api.sandbox.paypal.com left intact
{"error":"error_in_reading_cert","error_description":"Unable to read x509 certificate"}

EDIT 6: Here is the full curl command I tried and the output:

curl -v -k POST https://api.sandbox.paypal.com/v1/catalogs/products -H "Content-Type: application/json" -H "Authorization: Basic AW09uZVO_1NUVZXEzlYp1xgiVjweOwnIBl0rMltEK7X1zMhe9fxcPPr_IgwGplL0xSPHQo4lO3cdP27p:EB351ARk-HkEd5OmkV7NGXrUT5V2AU_zN8ZRJ55cWowGUKr845Do0MM5zrqfpCxJECqL59rwcXueQUW2" -d '{"name": "Video Streaming Service","description": "Video streaming service","type": "SERVICE","category": "SOFTWARE","image_url": "https://example.com/streaming.jpg","home_url": "https://example.com/home"}' --cacert /opt/ssl/curl.pem 2>&1 | tee curl.txt

output:

* Rebuilt URL to: POST/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:07 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0* Could not resolve host: POST
* Closing connection 0
curl: (6) Could not resolve host: POST

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0*   Trying 173.0.82.78...
* TCP_NODELAY set

  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0* Connected to api.sandbox.paypal.com (173.0.82.78) port 443 (#1)

  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/ssl/curl.pem
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4162 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [944 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api.sandbox.paypal.com
*  start date: Aug 21 00:00:00 2018 GMT
*  expire date: Aug 20 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.

  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0} [5 bytes data]
> POST /v1/catalogs/products HTTP/1.1
> Host: api.sandbox.paypal.com
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Authorization: Basic AW09uZVO_1NUVZXEzlYp1xgiVjweOwnIBl0rMltEK7X1zMhe9fxcPPr_IgwGplL0xSPHQo4lO3cdP27p:EB351ARk-HkEd5OmkV7NGXrUT5V2AU_zN8ZRJ55cWowGUKr845Do0MM5zrqfpCxJECqL59rwcXueQUW2
> Content-Length: 205
> 
} [205 bytes data]
* upload completely sent off: 205 out of 205 bytes
{ [5 bytes data]
< HTTP/1.1 401 Unauthorized
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
< Content-Length: 87
< Content-Type: application/json
< Date: Wed, 25 Mar 2020 15:54:35 GMT
< Paypal-Debug-Id: ae0a3de96fdf5
< 
{ [87 bytes data]

100   292  100    87  100   205     16     39  0:00:05  0:00:05 --:--:--    79
* Connection #1 to host api.sandbox.paypal.com left intact
{"error":"error_in_reading_cert","error_description":"Unable to read x509 certificate"}

EDIT 7: I run the same curl command but with different credentials from a different business account, here is the command and the output:

curl -v -k POST https://api.sandbox.paypal.com/v1/catalogs/products -H "Content-Type: application/json" -H "Authorization: Basic AVx9AFnHHdAvjsRA_t5AXJEdu_XIqC4RgxOvJ_a49r3QZj9eNlSy1gRGRmLIBS52wh1LWi27adQgvwSc:EPCcwShbEMG4O9uoPvoMtbwFc02RT2vo8FayHqU3StskKR3bxx7sxXACEG7Sf-Mwx_taRFhRfp0s79Ox" -d '{"name": "Video Streaming Service","description": "Video streaming service","type": "SERVICE","category": "SOFTWARE","image_url": "https://example.com/streaming.jpg","home_url": "https://example.com/home"}' --cacert /opt/ssl/curl.pem 2>&1 | tee curl.txt

output:

* Rebuilt URL to: POST/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:07 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0* Could not resolve host: POST
* Closing connection 0
curl: (6) Could not resolve host: POST

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0*   Trying 173.0.82.78...
* TCP_NODELAY set

  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0* Connected to api.sandbox.paypal.com (173.0.82.78) port 443 (#1)

  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/ssl/curl.pem
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4162 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [944 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api.sandbox.paypal.com
*  start date: Aug 21 00:00:00 2018 GMT
*  expire date: Aug 20 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.

  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0} [5 bytes data]
> POST /v1/catalogs/products HTTP/1.1
> Host: api.sandbox.paypal.com
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: application/json
> Authorization: Basic AW09uZVO_1NUVZXEzlYp1xgiVjweOwnIBl0rMltEK7X1zMhe9fxcPPr_IgwGplL0xSPHQo4lO3cdP27p:EB351ARk-HkEd5OmkV7NGXrUT5V2AU_zN8ZRJ55cWowGUKr845Do0MM5zrqfpCxJECqL59rwcXueQUW2
> Content-Length: 205
> 
} [205 bytes data]
* upload completely sent off: 205 out of 205 bytes
{ [5 bytes data]
< HTTP/1.1 401 Unauthorized
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate
< Content-Length: 87
< Content-Type: application/json
< Date: Wed, 25 Mar 2020 15:54:35 GMT
< Paypal-Debug-Id: ae0a3de96fdf5
< 
{ [87 bytes data]

100   292  100    87  100   205     16     39  0:00:05  0:00:05 --:--:--    79
* Connection #1 to host api.sandbox.paypal.com left intact
{"error":"error_in_reading_cert","error_description":"Unable to read x509 certificate"}

5

Answers


  1. Chosen as BEST ANSWER

    The problem was to do with using a wrong authorization header like so:

    Authorization: Basic <client-id>:<secret>
    

    even though this is in the documentation for some reason it doesn't work, instead use this:

    Authorization: Bearer <access-token>
    

    Thanks go to Preston PHX for helping me figure it out.


  2. You can download an updated Certificate Authorities bundle from https://curl.haxx.se/docs/caextract.html

    Among other possible config places, that .pem file can be passed by adding this to your curl options:

    curl_setopt($connection, CURLOPT_CAINFO, '/path/to/cacert.pem');
    

    Or since you have an array of options:

    CURLOPT_CAINFO => '/path/to/cacert.pem',
    

    PayPal does not used self-signed certificates in sandbox, but since some environments aren’t configured with the proper certificate authorities, curl -k (insecure / no verify peer) is used in command line examples since there is no need to verify peer certificates during development.

    Login or Signup to reply.
  3. Use base64 on client:secret.

    If You have:

    clientId: "clientId"
    secret: "mySecret"
    

    Than do base64(“clientId:mySecret”)

    So proper header is

    Authorization: Basic Y2xpZW50SWQ6bXlTZWNyZXQ=
    
    Login or Signup to reply.
  4. Yes, clientid and secret have to be base64 encoded.

    Trick: curl does this for you when using the "-u" flag. So instead of curl ... -H "Authorization: Basic ${base64_encoded_creds}" you can do curl ... -u "clientid:secret".

    Login or Signup to reply.
  5. In my case, I was using Axios, I was passing the authorization in the headers like how the documentation says. but that doesn’t work,
    what worked for me is:

    const PAYPAL_API = 'https://api-m.sandbox.paypal.com';
    
    const order = {
      purchase_units: [
        {
          amount: {
            currency_code: 'USD',
            value: '100.00',
          },
        },
      ],
      intent: 'AUTHORIZE',
    };
    
    const config = {
      headers: {
        'Content-Type': 'application/json',
      },
      auth: { username: <Your_CLIENT_ID>, password: <Your_SECRET_ID> },
    };
    
    await axios
      .post(`${this.PAYPAL_API}/v2/checkout/orders`, order, config)
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search