OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

Question

There are a ton of posts about this. I have looked at so many of them. Zero of the fixes seem to work.

(main)> PayPal:         


        

Answer 1

As PayPal has changed TLS, so the easiest way (fastest) was to resolve as monkey patch. This patch says to use all default settings

module PayPal::SDK::Core
  module Util
    module HTTPHelper
      def configure_ssl(http)
        http.tap do |https|
          https.use_ssl = true
          https.verify_mode = OpenSSL::SSL::VERIFY_PEER
          add_certificate(https)
        end
      end
    end
  end
end

Answer 2

Its possible to fix this by using the server's own CA file.

Try setting ssl_options: { ca_file: nil }.

This causes the paypal.crt CA file bundled with the paypal-sdk gem to be ignored.

For apps using PayPal::SDK.configure(...)

PayPal::SDK.configure(
  mode: ...,
  client_id: ...,
  client_secret: ...,

  # Deliberately set ca_file to nil so the system's Cert Authority is used,
  # instead of the bundled paypal.crt file which is out-of-date due to:
  # https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240
  ssl_options: { ca_file: nil }
)

For apps using a YAML config file

In config/paypal.yml or wherever your config file is located:

ssl_options:
  ca_file: null

Answer 3

If you don't use PayPal::SDK.configure. In paypal.yml add

  ssl_options:
    ca_file: null

Answer 4

I'm leaving this here, but the answer by RidingRails is what I consider "correct". It is the proper solution to dealing with this longer-term, although the real solution is to move to PayPal's newer gem.

My answer below is to help you quickly get PayPal working again without having to push out an update to your code.

---

This is really ugly, as PayPal packages the certs with their gem. To get up and running, you need to find the gem in your bundle and specifically find the file "paypal.crt". At the end, you need to add the two certificates that are missing. I am not going to copy/paste them here, but they are easily found. Actually, they were already on my Ubuntu system in /etc/ssl/certs:

DigiCert_Global_Root_G2.pem

DigiCert_High_Assurance_EV_Root_CA.pem

PayPal provides links here:

https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240

Steps to fix:

1. Find the paypal.crt file in the version of the gem that you are using. Here's what that looked like for me:

   cd app/production/shared/bundle

   find . -name paypal.crt

   At this point, I had a file in version 1.7.3 and 1.7.4 of the gem. I'm using the 1.7.4 version, so I edited that file.

2. Add those two certificates to the bottom. You should put the name of the certificate on a line, a line with "=" repeated to make a nice separator, and then the entire certificate including the BEGIN and END lines.

3. Restart your application.

This is not a long-term solution but will get you back running quickly. Long term - upgrade to the new gem.

Answer 5

Here is what we ended up doing on my team.

We added the 2 certs that Michael mentioned in

config/api.paypal.com.crt

Then in paypal.yml

 ssl_options:
    ca_file: config/api.paypal.com.crt

We left the Gem as is. Initially we tore through the gem looking for answers but ultimately we left the gem as is and added the crt and updated yaml as show above.