PayPal Access - SSL Certificate: Unable to Get Local Issuer Certificate

PayPal Checkout error: SSL certificate problem: unable to get local issuer certificate

It was an error with curl_setopt($handle, CURLOPT_CAINFO, null). It was not certificated... In the official SDK, I downloaded the cacert.pem file and put its path in place of null, and now it works when CURLOPT_SSL_VERIFYPEER is set to true.

SSL certificate issue unable to get local issuer certificate

I got support from my API providers who pointed something missing in my approach. For their gateway I needed to load the private key, public key and password that protects these keys in curl request. The solution is as follows:

/*ssl crts*/
$twpg_cert_file = "/etc/apache2/ssl/m4/mydomain.com.crt";
$twpg_key_file = "/etc/apache2/ssl/m4/mydomain.com.key";
$twpg_key_password = '';
/*ssl crts*/
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $requestUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 60000);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml_data);//My post data
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSLCERT, $twpg_cert_file);
curl_setopt($ch, CURLOPT_SSLKEY, $twpg_key_file);
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $twpg_key_password);
curl_setopt($ch, CURLOPT_CERTINFO, 1);
$headers = [];
array_push($headers, 'Content-Type: text/xml;charset=UTF-8');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$content = trim(curl_exec($ch));
curl_close($ch);

Now everything works as expected.

Unable to verify certificate(s) found at https://api.paypal.com

Work-around can be found here:

https://serverfault.com/questions/961681/revoked-ssl-certificate

The latest version of PayPal's official .NET SDK seems to reference a revoked certificate somewhere. Not good.

PayPal SSL error / issue

Read about the POODLE vulnerability and follow the info in that guide to fix it.

PayPal just officially flipped the switch on 1/19/16, so that's why your stuff worked before and doesn't now.

My PayPal script suddenly stopped verifying the SSL certificate

Last year, PCI-DSS 3.1 came out and there was a major change for all people processing credit cards. Specifically, there was a mandate that all processing had to be done on TLS 1.1 or later only. The original sunset date was June 30, 2016, but that was postponed to June 30, 2018:

The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

Now, while this reprieve gives you, the programmer, some room to breathe in regards to your front end, it still means that moving to TLS 1.1+ is not optional (in fact I would move sooner if I were you) and that some intermediate card processing will start moving sooner than that. PayPal, as it turns out, is one of those moving in regards to its websites:

TLS 1.2 Upgrade

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal is enabling support for TLS 1.2 for all secure connections and in 2016 will start requiring its use. You will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections on June 17, 2016. After that date, all TLS v1.0 and TLS v1.1 API connections will be refused.

Now, in theory, your old script (provided you're not storing PayPal's public key) should operate just fine, but Sandbox communications (Sandbox has already moved to this) are already starting to fail. What I've found is that, for a variety of reasons, some communication layers (notably CURL in PHP, a very common way to talk to PayPal) cannot negotiate properly with PayPal anymore. Thus, you get the cryptic error:

SSL connect error

Thanks CURL. That was helpful... (not)

So how do we work around this? Well, if we tell CURL to only use TLS 1.2, your calls to PayPal should start working again without issues. If you're using PHP and CURL, you can do it by adding this line (where $ch is your CURL handler):

curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Force TLS 1.2

This change is perfectly safe to use with both Sandbox and Live calls to PayPal.
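
The two errors discussed on this page ("unable to get local issuer certificate" and "SSL connect error") can be told apart by a short check that keeps verification switched on. The following is an added example, not code from any of the answers or from the PayPal SDK; the function name diagnose_tls and the command-line arguments are assumptions made for illustration.

```php
<?php
// Added example (not from the answers above). URL and bundle path are supplied by the caller.
function diagnose_tls(string $url, string $caBundle): array
{
    // Fail closed: a missing bundle is an error, never a reason to disable verification.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,   // the handshake is all we need
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // named constant for the value 6
    ]);
    curl_exec($ch);
    $errno  = curl_errno($ch);
    $report = [
        'errno'         => $errno,
        'error'         => curl_error($ch),
        // On OpenSSL builds, 20 means "unable to get local issuer certificate".
        'verify_result' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT),
        'tls_library'   => curl_version()['ssl_version'],
    ];
    curl_close($ch);

    if ($errno === 0) {
        $report['hint'] = 'Handshake and chain verification succeeded.';
    } elseif ($errno === CURLE_SSL_CACERT) {          // 60
        $report['hint'] = 'Chain does not verify against this bundle; refresh cacert.pem.';
    } elseif ($errno === CURLE_SSL_CONNECT_ERROR) {   // 35, "SSL connect error"
        $report['hint'] = 'Handshake failed; check that the TLS library supports TLS 1.2.';
    } else {
        $report['hint'] = 'Failure is not one of the two TLS errors discussed here.';
    }
    return $report;
}

// Usage: php diagnose_tls.php https://api.paypal.com /path/to/cacert.pem
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    print_r(diagnose_tls($argv[1], $argv[2]));
}
```

The tls_library field shows which TLS library and version PHP's curl extension was built against, which is the first thing to check when errno is 35.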


