Getting OpenSSL::SSL::SSLError on staging machine with existing SSL protection #43

Closed
biot023 opened this Issue Feb 15, 2012 · 10 comments

@biot023

Hi -- we have submitting a payment working on a development machine (well, taking us to the sandbox to login, which is as far as we've tested). This development machine is running with HTTPS.
However, when we try to run the same code on a staging server that has a valid SSL certificate in place, and so uses HTTPS for the actions to do with paying for orders, we get the following error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
/usr/lib/ruby/1.8/net/http.rb:542:in `start'
/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
/usr/lib/ruby/1.8/net/http.rb:845:in `post'
/var/lib/gems/1.8/gems/paypal_adaptive-0.2.7/lib/paypal_adaptive/request.rb:88:in `post'
/var/lib/gems/1.8/gems/paypal_adaptive-0.2.7/lib/paypal_adaptive/request.rb:75:in `wrap_post'
/var/lib/gems/1.8/gems/paypal_adaptive-0.2.7/lib/paypal_adaptive/request.rb:29:in `pay'
/app/controllers/orders_controller.rb:63:in `pay'

Could you possibly advise us as to where we should look, next?
We have the correct values filled in in our paypal_adaptive.yml config file, and have downloaded the key from paypal.
My guess is that the SSL certificates are clashing, or that maybe I need to register our certificate with paypal somewhere?
Sorry to bug you with this, by the way, we've been hacking it together all day (getting it to work with a Rails 2.1 app), and could really use a little guidance, if possible.
Thanks,
Doug.

@biot023

Hi -- just to keep this up-to-date, I'm not getting this error when I run locally with SSL enabled.
So I guess it's a server issue? Perhaps I need to know a little more about how the server handles SSL certificates.
I'm going to investigate an approach like this, for now: http://martinottenwaelter.fr/2010/12/ruby19-and-the-ssl-error/

@eddroid

I didn't get this error on my local Mac, but I got it in Amazon EC2. Those platforms treat SSL certificate authorities differently. The ca_file config is not exposed by paypal_adaptive.yml. I submitted a pull request to treat the ssl_cert_file as the ca_file. Combine that with the existing support for ca_path (as ssl_cert_path) and you should have all the tools you need to solve the issue as described in the blog link you provided.

https://github.com/PrisaDigital/paypal_adaptive

@tc
Owner
tc commented Dec 17, 2012

ssl_cert_path option in the yml config file has been merged in.

@tc tc closed this Dec 17, 2012

@rstacruz

If anyone else is encountering this OpenSSL::SSL::SSLError issue, be sure to upgrade rubygems to 1.8.24 or later, and be sure you're using ruby 1.9.3-p194 or later.

http://railsapps.github.com/openssl-certificate-verify-failed.html

@mikong

@biot023, have you resolved this issue? I encountered the same problem. On my Mac, there's no certificate verify failed. But on my staging server, there is. I'm in sandbox mode for paypal adaptive in both environments. On my staging server I made a simple OpenSSL test in the Rails console, and I can verify certificates when I try to connect to Google and other sites, but not for www.sandbox.paypal.com. BUT, I can verify www.paypal.com fine. I'm thinking of patching this gem to set verify mode to VERIFY_NONE only if in sandbox mode. Here's my simple test:

require 'net/https'

https = Net::HTTP.new('www.sandbox.paypal.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_path = '/etc/ssl/certs' if File.exist?('/etc/ssl/certs') # Ubuntu
https.request_get('/')

So if you change the URL there to the main paypal site, there's no certificate verify failed for me even in staging server. Only the sandbox URL has a problem.

@biot023
@mikong

I see. No problem. Thanks!

@rstacruz

Summary so far: the issue here seems to be that Paypal's Developer Sandbox mode doesn't have a valid certificate, so the gem's requests fail.

@biot023, would you be interested in a patch to have a configurable option to use https.verify_mode = OpenSSL::SSL::VERIFY_NONE to account for this case?

@rstacruz

Oops. That should be addressed to @tc, not biot023.

@potomak

I solved this issue by including http://curl.haxx.se/ca/cacert.pem inside the project's config directory and adding the ssl_cert_file configuration for development and test environments (where PayPal environment is set to sandbox).

Example paypal_adaptive.yml:

defaults: &defaults
  environment: '<%= ENV['PAYPAL_ENV'] %>'
  username: '<%= ENV['PAYPAL_USERNAME'] %>'
  password: '<%= ENV['PAYPAL_PASSWORD'] %>'
  signature: '<%= ENV['PAYPAL_SIGNATURE'] %>'
  application_id: '<%= ENV['PAYPAL_APP_ID'] %>'

development:
  <<: *defaults
  ssl_cert_file: <%= File.join(Rails.root, 'config', 'cacert.pem') %>

test:
  <<: *defaults
  ssl_cert_file: <%= File.join(Rails.root, 'config', 'cacert.pem') %>

production:
  <<: *defaults
  ssl_cert_path: /etc/ssl/certs
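
The trust-store fix that @eddroid and @potomak describe (point the client at a CA bundle while keeping VERIFY_PEER) can be reproduced offline. This is an added example, not code from the thread or from the paypal_adaptive gem; the root CA, the host name api.example.test and the helper names are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Constructed throwaway PKI: builds a root CA (self-signed) or a cert it signs.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, needed for extensions
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verifies `cert` against the CAs in `ca_file`; nil means an empty trust store,
# i.e. a host that does not ship the issuing CA. Net::HTTP#ca_file= (what the
# thread says ssl_cert_file is mapped to) loads a bundle in the same way.
def verify_with(cert, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file
  ok = store.verify(cert)
  [ok, store.error_string]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca     = make_cert('Constructed Test Root CA', ca_key, ca: true)
  leaf   = make_cert('api.example.test', OpenSSL::PKey::RSA.new(2048),
                     issuer_cert: ca, issuer_key: ca_key)
  Tempfile.create(['cacert', '.pem']) do |f|
    f.write(ca.to_pem)
    f.flush
    { without_ca: verify_with(leaf, nil), with_ca_file: verify_with(leaf, f.path) }
  end
end

# Same certificate, same VERIFY_PEER-style check; only the trust store differs.
demo.each { |name, (ok, msg)| puts "#{name}: verified=#{ok} (#{msg})" } if __FILE__ == $0
```

The certificate itself never changes between the two runs, which is why the same request can pass on one machine and fail on another: the outcome depends on which CAs the local store contains.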