OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

Question

There are a ton of posts about this. I have looked at so many of them. Zero of the fixes seem to work.

(main)> PayPal::SDK::Subscriptions::Plan.all Request[post]: https://api.sandbox.paypal.com/v1/oauth2/token Request.body=grant_type=client_credentials  request.header={"User-Agent"=>"PayPalSDK/PayPal-Subscriptions-Ruby-SDK 0.3.1 (paypal-sdk-core 1.7.4; ruby 2.6.6p146-x86_64-linux;OpenSSL 1.1.1d  10 Sep 2019)", "Content-Type"=>"application/x-www-form-urlencoded", "Authorization"=>"Basic xxx"} OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) from /usr/local/lib/ruby/2.6.0/net/protocol.rb:44:in `connect_nonblock' 

I have tried rvm 2.6.6, 2.7.0, and Debian Buster system ruby.

I followed all of these: https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#troubleshooting-certificate-errors

I ran the automated SSL check and everything is roses: https://bundler.io/v2.0/guides/rubygems_tls_ssl_troubleshooting_guide.html#automated-ssl-check

root@19ab47f15632:/usr/src/app# curl -Lks 'https://git.io/rg-ssl' | ruby Here's your Ruby and OpenSSL environment:  Ruby:           2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux] RubyGems:       3.0.3 Bundler:        2.1.2 Compiled with:  OpenSSL 1.1.1d  10 Sep 2019 Loaded version: OpenSSL 1.1.1d  10 Sep 2019 SSL_CERT_FILE:  /usr/lib/ssl/cert.pem SSL_CERT_DIR:   /usr/lib/ssl/certs  With that out of the way, let's see if you can connect to rubygems.org...  Bundler connection to rubygems.org:       success ✅ RubyGems connection to rubygems.org:      success ✅ Ruby net/http connection to rubygems.org: success ✅  Hooray! This Ruby can connect to rubygems.org. You are all set to use Bundler and RubyGems. 👌 

I tried gem update --system, bundler is updated.

I tried curling the new CA to the location of ruby's default SSL file:

curl -fsSL curl.haxx.se/ca/cacert.pem -o "$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE')" 

I checked that my system's time was accurate (it's accurate to UTC).

I have no earthly idea what to do from here. The PayPal SDK subscription gem is using net/http under the covers because it relies on the core PayPal SDK gem. I tried increasing the loglevel to DEBUG but it prints out no additional details as it appears to fail in the same exact place, and I can't figure out where that failure actually is.

I'm at a loss. Short of disabling SSL verification, I don't know what to do. Is there some way to get more traceback / more error here to troubleshoot further? Using net/http directly against the PayPal API works fine (no SSL error). So it's something that happens after the initial request

Answer 1

Its possible to fix this by using the server's own CA file.

Try setting ssl_options: { ca_file: nil }.

This causes the paypal.crt CA file bundled with the paypal-sdk gem to be ignored.

For apps using PayPal::SDK.configure(...)

PayPal::SDK.configure(   mode: ...,   client_id: ...,   client_secret: ...,    # Deliberately set ca_file to nil so the system's Cert Authority is used,   # instead of the bundled paypal.crt file which is out-of-date due to:   # https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240   ssl_options: { ca_file: nil } ) 

For apps using a YAML config file

In config/paypal.yml or wherever your config file is located:

ssl_options:   ca_file: null 

Answer 2

I'm leaving this here, but the answer by RidingRails is what I consider "correct". It is the proper solution to dealing with this longer-term, although the real solution is to move to PayPal's newer gem.

My answer below is to help you quickly get PayPal working again without having to push out an update to your code.

---

This is really ugly, as PayPal packages the certs with their gem. To get up and running, you need to find the gem in your bundle and specifically find the file "paypal.crt". At the end, you need to add the two certificates that are missing. I am not going to copy/paste them here, but they are easily found. Actually, they were already on my Ubuntu system in /etc/ssl/certs:

DigiCert_Global_Root_G2.pem

DigiCert_High_Assurance_EV_Root_CA.pem

PayPal provides links here:

https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240

Steps to fix:

1. Find the paypal.crt file in the version of the gem that you are using. Here's what that looked like for me:

   cd app/production/shared/bundle

   find . -name paypal.crt

   At this point, I had a file in version 1.7.3 and 1.7.4 of the gem. I'm using the 1.7.4 version, so I edited that file.

2. Add those two certificates to the bottom. You should put the name of the certificate on a line, a line with "=" repeated to make a nice separator, and then the entire certificate including the BEGIN and END lines.

3. Restart your application.

This is not a long-term solution but will get you back running quickly. Long term - upgrade to the new gem.