Override paypal-sdk-core ca_file setting #8
This skips the Net::HTTP `ca_file` option so it doesn't specify that gem's `data/paypal.crt` file, which is 8 years old and is no longer valid to verify the PayPal server's SSL cert. This is likely due to https://nakedsecurity.sophos.com/2020/07/13/digicert-revokes-a-raft-of-web-security-certificates/.
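To make the change concrete, here is an added example (not code from this PR or from the paypal-sdk-core gem) that reproduces the failure mode offline: it builds two constructed root CAs, signs a "localhost" server certificate with one of them, serves it over TLS on a loopback port, and then connects with Net::HTTP three ways. Pinning `ca_file` to the CA that did not issue the cert plays the role of the stale `data/paypal.crt`; pinning the current CA works; and a `cert_store` seeded from the OS default paths plus the current root stands in for the distro-maintained trust store the PR falls back to. All CA names, the port and the `check_tls` helper are assumptions made for the example.

```ruby
require 'openssl'
require 'socket'
require 'net/http'
require 'tempfile'

# Build an X.509v3 certificate. With no issuer the result is a self-signed
# root CA; with an [issuer_cert, issuer_key] pair it is a leaf for "localhost".
def make_cert(cn, key, serial, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  issuer_cert, issuer_key = issuer || [cert, key]
  cert.issuer = issuer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert, cert)
  if issuer
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Minimal HTTPS responder on 127.0.0.1; returns the chosen port.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        conn = server.accept
        loop { line = conn.gets; break if line.nil? || line == "\r\n" } # drop request headers
        body = 'ok'
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}")
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError
        next  # a client that distrusts our CA aborts the handshake; keep serving
      rescue IOError
        break # listening socket closed
      end
    end
  end
  tcp.addr[1]
end

def write_pem(cert)
  f = Tempfile.new(['root', '.pem'])
  f.write(cert.to_pem)
  f.flush
  f
end

# Hypothetical check: the same Net::HTTP call the SDK makes, with either a pinned
# ca_file (the gem's approach) or an explicit cert_store (the trust store the PR
# relies on). Returns :ok when the chain verifies, :verify_failed otherwise.
def check_tls(port, ca_file: nil, cert_store: nil)
  http = Net::HTTP.new('localhost', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.open_timeout = http.read_timeout = 5
  http.ca_file = ca_file if ca_file
  http.cert_store = cert_store if cert_store
  body = http.start { |h| h.get('/').body }
  body == 'ok' ? :ok : :unexpected_body
rescue OpenSSL::SSL::SSLError
  :verify_failed
end

def demo
  ca_key, stale_key, server_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  current_ca = make_cert('Constructed Current Root CA', ca_key, 1)
  stale_ca = make_cert('Constructed Stale Root CA', stale_key, 2) # stands in for data/paypal.crt
  server_cert = make_cert('localhost', server_key, 3, issuer: [current_ca, ca_key])
  port = start_tls_server(server_cert, server_key)
  stale_pem, current_pem = write_pem(stale_ca), write_pem(current_ca)
  # An up-to-date trust store: OS default paths plus the root that actually signed the server.
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_cert(current_ca)
  {
    pinned_stale_ca_file: check_tls(port, ca_file: stale_pem.path),
    pinned_current_ca_file: check_tls(port, ca_file: current_pem.path),
    default_store_override: check_tls(port, cert_store: store)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints `:verify_failed` for the stale pin and `:ok` for the other two cases, which is exactly the difference between shipping a fixed `ca_file` inside a gem and letting the process use a trust store that the OS keeps current.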
💪
Nice work! 😄 Do we need to check the CA certs a bit here? I'm just wondering if there's any potential difference between our Ubuntu 18 servers and Ubuntu 16 servers...? I guess they should both be up to date...
Nice hack!
We could include a specific cert that we know works instead?
Ubuntu has a package for it so it's up to the distro to keep it up to date in every version. That's what package auto-update is for as well, right? No idea how we have it configured. In any case, it's working in staging. However, being such an important part of the internet, we would have encountered other problems before, I guess.
I would rather not (I haven't checked that though). It feels like reinventing the wheel as this gem did. I think it's far better to rely on Ubuntu's updates when these cert invalidations happen. I just trust people that know what they do.
OK Pau. I am not sure you are aware, but we used Katuma live to test the release; maybe we can do the same for this. Publish the release and then deploy only to Katuma to test PayPal. I have my personal account set up there. I spent 0.50 cents in fees to make a real 2 EUR payment 😭
Yes, I would do exactly the same. We started the discussion around a patch release in Slack.
Re the CA certs point @Matt-Yorkley raised, we might need to add a task in ofn-install to update the |