[Ruby] How to solve PayPal Ruby SDK SSL_connect error


Introduction

Recently I got an error in the PayPal Ruby SDK. Google search turned up no Japanese information about the solution and hardly any hits in English, so this is a memo. The error seems to have started in the last few days.

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

1. Cause

The cause is on the PayPal side. The PayPal Ruby SDK gem has an SSL certificate packaged internally, and this certificate was recently removed. I don't know how PayPal came to put the certificate in the gem, but the problem can be solved by hacking the SDK.

2. Solution

Append a PEM that is still valid to the certificate file inside the SDK, then restart the Rails server.

3. Resolution procedure

(1) Download PEM

Download the PEM announced by PayPal in the reference article. I used the DigiCert High Assurance EV Root CA, but I think any one is fine.

Where to get DigiCert High Assurance EV Root CA

Download here: https://www.digicert.com/digicert-root-certificates.htm

Download the DigiCert High Assurance EV Root CA PEM from this page.


(2) Search the location of paypal.crt in SDK

If you are using Mac or Unix, use the find command to search. For Rails apps, look under your application's root directory. In a production environment, if you don't know where Ruby is installed, you can run a full search with sudo (find / -name paypal.crt -print).

Since my server is on AWS, I searched under ~/ as follows.

rails_root


```
[ec2-user@awsome_server ~]$ find ./ -name paypal.crt -print 2>/dev/null
./.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/paypal-sdk-rest-1.7.4/data/paypal.crt
```

(3) Add PEM to paypal.crt

Check the contents of the downloaded PEM file.

local Mac terminal


```
$ cat DigiCertHighAssuranceEVRootCA.crt.pem
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL

Omitted

Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----
```

Edit the paypal.crt located with find. Lines 172 to 196 below are the added part. Just append it at the bottom, but note that the block needs the exact certificate name (DigiCert High Assurance EV Root CA) followed by a ====== separator line.

rails server

```
[ec2-user@awsome_server ~]$ sudo vi paypal.crt

168 CEHwxWsKzH4PIRnN5GfcX6kb5sroc50i2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWX
169 bj9T/UWZYB2oK0z5XqcJ2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/
170 D/xwzoiQ
171 -----END CERTIFICATE-----
172 DigiCert High Assurance EV Root CA
173 =======================================================
174 -----BEGIN CERTIFICATE-----
175 MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
176 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
177 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
178 ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
179 MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
180 LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug

                       Omitted

191 eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
192 hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
193 Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
194 vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
195 +OkuE6N36B9K
196 -----END CERTIFICATE-----
```

(4) Restart Rails server

It depends on the environment, but in my case the server can be restarted with systemctl on AWS, so I ran the following.

AWS


```
[ec2-user@awsome_server ~]$ sudo systemctl restart rails
```

Now the SSL error no longer occurs and API calls can be made normally.
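Step (3) done as a script instead of by hand in vi, as an added example that is not from the original post or the PayPal SDK. It refuses a PEM that is not a self-signed root inside its validity period, skips the append when the certificate is already in the bundle, and exposes the SHA-256 fingerprint for comparison with the value the CA publishes. The function names and the generated test certificate are assumptions made for the illustration.

```ruby
require "openssl"

PEM_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a bundle such as paypal.crt; the name and
# "=====" lines between the PEM blocks are skipped.
def bundle_certs(text)
  text.scan(PEM_RE).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# SHA-256 fingerprint to compare by eye with the value the CA publishes.
def sha256_fp(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Return bundle text with `pem` appended under a name + "=====" header.
# Refuses certificates that are not self-signed roots inside their validity
# period; returns the text unchanged if the certificate is already present.
def append_root(bundle_text, pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  self_signed = cert.issuer.to_s == cert.subject.to_s && cert.verify(cert.public_key)
  raise ArgumentError, "not a self-signed root" unless self_signed
  raise ArgumentError, "outside validity period" unless (cert.not_before..cert.not_after).cover?(now)
  return bundle_text if bundle_certs(bundle_text).any? { |c| sha256_fp(c) == sha256_fp(cert) }

  name = cert.subject.to_a.find { |k, _| k == "CN" }&.at(1) || cert.subject.to_s
  "#{bundle_text.chomp}\n#{name}\n#{'=' * name.length}\n#{cert.to_pem}"
end

# Constructed self-signed certificate so the example runs offline; the name
# is made up and stands in for the PEM downloaded in step (1).
def sample_root(cn, not_after: Time.now + 3600)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = sample_root("Constructed Test Root CA")
  updated = append_root("# existing bundle contents\n", pem)
  puts updated.lines.first(3), "sha256: #{sha256_fp(bundle_certs(updated).last)}"
end
```

Reinstalling or upgrading the gem replaces data/paypal.crt, so the append has to be repeated afterwards.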

Reference article