Stripe AuthenticationError in Production is blocking us activating the new donations page

[equivalentideas]

Stripe::AuthenticationError: Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later. You can learn more about this at https://stripe.com/blog/upgrading-tls.

When you activate the new donation page and try and sign up for a donation, Stripe raises the error above.

Here's Stripe explanation of the phasing out TSL 1.1 https://stripe.com/blog/upgrading-tls

They have some instructions for identifying the issue here https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integration-from-tls-1-0-to-tls-1-2#ruby

They say the solution is to upgrade your OpenSSL version (and potentially libssl as well) following these instructions https://support.stripe.com/questions/how-do-i-upgrade-my-openssl-to-support-tls-1-2

Kedumba, our server running PlanningAlerts, also runs a bunch of our other applications.

Upgrading this and managing the side-effects on our other projects is a bit beyond my experience, so I'm going to assign this to @henare to lead the charge on this. Feel free to delegate bits back to me 👍

[henare]

I've ensured that our OpenSSL is up-to-date but I suspect that when we compiled Ruby it was that long ago that it was compiled against an OpenSSL without TLS 1.2 support so it's not working.

Since we're already planning on upgrading Ruby (#1093), which will necessarily mean compiling it, I might do that first and see if it also fixes this.

[henare]

I've done the Ruby upgrade and sure enough it's working now:

deploy@kedumba:/srv/www/www.planningalerts.org.au/app/current$ cd /srv/www/www.planningalerts.org.au/app/current && RAILS_ENV=production /home/deploy/.rvm/wrappers/ruby-2.3.1/bundle exec rails console                                                                                                                                        
Loading production environment (Rails 4.2.7.1)                                                                                                                          
2.3.1 :001 > require "stripe"                                                                                                                                           
 => false                                                                                                                                                               
2.3.1 :002 > Stripe.api_key = "sk_test_BQokikJOvBiI2HlWgH4olfQ2"                                                                                                        
 => "sk_test_BQokikJOvBiI2HlWgH4olfQ2"                                                                                                                                  
2.3.1 :003 > Stripe.api_base = "https://api-tls12.stripe.com"                                                                                                           
 => "https://api-tls12.stripe.com"                                                                                                                                      
2.3.1 :004 > begin                                                                                                                                                      
2.3.1 :005 >       Stripe::Charge.all()                                                                                                                                 
2.3.1 :006?>     puts "TLS 1.2 supported, no action required."                                                                                                          
2.3.1 :007?>   rescue OpenSSL::SSL::SSLError, Stripe::APIConnectionError                                                                                                
2.3.1 :008?>     puts "TLS 1.2 is not supported. You will need to upgrade your integration."                                                                            
2.3.1 :009?>   end                                                                                                                                                      
TLS 1.2 supported, no action required.                                                                                                                                  
 => nil                                                                                                                                                                 
2.3.1 :010 >                                                                                                                                                            
deploy@kedumba:/srv/www/www.planningalerts.org.au/app/current$ 

I've tested donations on staging too and it's not affected by this error any more.

[equivalentideas]

Thanks @henare ! Big win with the Ruby upgrade too ✨