I've had IPN working for years: I'm using a classic Paypal Button to initiate a purchase, and then Paypal sends me an IPN to my web server so that I can record the payment and send the customer an email.
But since Oct 4, 2021, Paypal has not been able to send me IPNs any more.
The "Instant Payment Notification (IPN) history" shows all IPNs since then as either Failed or Pending.
My server, however, responds just fine to the requests if I invoke the IPN URL from a browser. My server (Debian 10 with Apache 2) has not had any configuration changes or package updates in the past week, especially not since the time when it still received IPNs (Oct 3).
The only change I could find around that date (on Oct 3) is an automatic renewal of the Let's Encrypt SSL cert, which happened many times before without causing any such trouble with IPN. I have since recreated the Let's Encrypt cert, even as a dedicated one just for that domain given to Paypal (before the cert was shared between multiple domains on that server), with no improvement.
What works
Invoke the URL (https://paypal-api.tempel.org/) from curl or a web browser. My CGI script is invoked, and the Apache access.log shows the GET request.
What does not work
Use the IPN Simulator, specifying the same URL - then the simulator page shows
IPN was not sent, and the handshake was not verified. Review your information
at the top and I see no request in the Apache access.log
What has changed?
I have checked my firewall (which I hadn't changed in a while), even disabled it, to no avail.
Why would Paypal suddenly fail to even contact my server?
I suspect it has to do with the SSL cert, as its renewal date is the only date relation I could find and since Paypal not accepting the SSL cert would probably also lead to the effect that it won't even issue the GET or POST request to my server, hence no log entry about it.
Am I doing the testing with the Simulator right? How else could I find out why Paypal doesn't perform the "handshake"?
SSL cert oddities
Even though certbot says that the SSL cert is up-to-date, I get this output from openssl for the domain:
% openssl s_client -connect paypal-api.tempel.org:443 -showcerts -CApath /etc/ssl/certs/
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=git.tempel.org
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=git.tempel.org
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4574 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 523AEDD29014010191C7B3DD16F4DC7179B8D91372C3063CEF8D6AD2ED7B800E
Session-ID-ctx:
Master-Key: 36D105B8EAD319DA6B8D2EA30484FC6676F2A2D64CA0EE8889B16396ECA71178FE5154638DCE1E9AF051D8D2FA44472E
Start Time: 1633776598
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
closed
Why does it say "certificate has expired" at the top, even though it's ok at the end? Could this be the issue?
More strangely, when I give the IPN Simulator another domain of mine, which is also using Let's Encrypt, e.g. www.tempel.org, the Simulator responded yesterday with a positive result, yet today, it gives the same "handshake" error. Also, openssl already gave the same "certificate has expired" error yesterday when the IPN Simulator still accepted it.
So, this all seems to have to do with Let's Encrypt's certificates, somehow. But how do I fix this, apart from buying a different SSL cert?
Or is this just some odd caching issue? When I open https://paypal-api.tempel.org/ in Safari, and check its cert info, it does not indicate any expired certs. What's going on here?
Related to recent expiry of X3 root cert?
I have a hunch that this is related to the expiry of one of Let's Encrypt's root certificate on Sept 30, 2021. The openssl command I've shown above mentions that X3 certificate, indeed.
I am still not clear on how to fix this, however. I understand the instructions in the SO article about disabling the outdated X3 cert, but don't understand what to do then, yet. Probably force-renew the certs with certbot. But even that doesn't make the Simulator happy, yet, and the openssl cmd keeps mentioning the X3 root regardless.
Updated the certs
After reading here about fixing the X3 expiry issues, I renewed my cert by forcing the X1 root (h1.tempel.org is another domain on the same server):
certbot renew --cert-name h1.tempel.org --preferred-chain "ISRG Root X1" --force-renewal
and then restarted Apache (apachectl graceful).
Oddly, since then, when I give https://h1.tempel.org/ to the IPN Simulator, I get the desired "IPN was sent and the handshake was verified." message. But using https://paypal-api.tempel.org/, which is the same certificate, but just a different Apache site on the same server, I still get the "the handshake was not verified" error msg. I am out of ideas.
Can anyone see a difference in the certs between https://h1.tempel.org/ and https://paypal-api.tempel.org/?
I've finally managed to get it to work again - in parts.
After I had found out that the simulator accepts https://h1.tempel.org/ but not https://paypal-api.tempel.org/, even though both are valid pages that return status 200, and both are on the same server and use the same SSL certificate, I reconfigured the web server so that the h1 subdomain would also serve the cgi handler. Then I updated the handler URL at https://www.paypal.com/cgi-bin/webscr?cmd=_profile-ipn-notify to use the h1 subdomain (instead of paypal-api, and that fixed the issue, at least for NEW Paypal transactions.
However, trying to resend the previously failed notifications still fails, because they keep using the old URL.
Paypal Support responds
After finally having contacted Paypal business support, I learned:
They're using Cisco / Talos Intelligence to rate ANY outside page they contact, apparently.
And for some inexplicable reason, Talos currently rates my IPN URL's domain as "malware"! No other blacklisting site rates my site, because it's virtually invisible, and there's no content delivered by that site, apart from the IPN cgi handler, which delivers nothing but an empty reply with either status 200 or 500, depending on the content.
Which means I now have to get Talos to remove that malware rating (which is still pending 24 hours later!). Interestingly, Talos only rates the domain, not all sites served by that server's IP address. Therefore, even payments.tempel.org, which is literally nothing but a ServerAlias to paypal-api.tempel.org, is rated fine.
Paypal support also explained that the notification URL is stored in the database, and gets re-used when trying to re-send a failed notification, hence it would keep using the old (currently malware-rated) URL despite me having told Paypal to use a different URL now.
But now, a day later, trying resend again on the failed message, suddenly does use the newly set URL, regardless of Paypal support's explanation that this would not happen with re-sends.
So, the moral of the story: Sometimes it's not your fault but it's Paypal who gets this wrong. Or Cisco.
Also worth noting: Paypal won't alert you if they suddenly decide to consider your IPN URL part of a malware site. Nothing in the help or their testing tools will tell you why they're not contacting you any more, leaving you guessing until you contact them (In that regard, the initial answer (now deleted) was right to suggest that I need to contact Paypal directly because Paypal had blacklisted me for some reason). And they can't even whitelist you, but instead leave you fighting with Cisco over getting your rating back to "harmless".
Related
when some players enter our game, they meet this error in all browsers
We have changed the certificate recently. So I check one player's certificate on our game page,
It is the lastest certificate. So what may cause this problem? Should we do something after change the certificate?
EDIT1
Did CDN cache the certificate? After we refresh the CDN, some player can connect to the game immediately.
EDIT2
We found the player's browser has such an option "block unsafe certificate", when the option is enabled, he can't connect to the server and he can connect to server when the option is disabled. We export the intermediate certificate and send it to the player for import. After that, the player can play the game with the option selected.
EDIT3
Finally we found the intermediate certificate is right on the nginx side,but on the server side, the ca is missing. After add it, the websocket could work. And When I asked same question on another forum v2ex,I found a good way to test if the certificate chain is complete. you can visit the site and change the domain and port with your site.
https://cert.catbox.io/api/v1/queryChain?domain=s41001-ad-tanwan.zlgl.17tanwan.com&port=8085
If your server is correct, you will find the server side certificate and the intermediate certificate.If you can't find the intermediate certicate, you need to check your server config.
Your server https://s41001-ad-tanwan.zlgl.17tanwan.com/ provides only the last certificate in the chain, the actual certificate of the server.
This certificate is signed by the intermediate certificate from "RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1" that is valid since 2020-07-16.
If the clients have not updated their browsers/operating systems for some time, they don't have this intermediate certificate, and they report this as an invalid certification authority.
Put the intermediate certificate to the certificate file, and it should fix the problem, since the intermediate certificate is signed by the DigiCert root certificate, that is in the game since 2006. Everyone has it.
You run nginx, right? The ssl_certificate instruction in nginx accepts files with certificate chains. This file should have the server certificate first, then the intermediate certificate.
I am currently trying to integrate paypal checkout with our online store. We are testing against Sandbox. Everything but the IPN (Instant payment notification) works.
We read a lot about paypal changing their security model so we tried to follow their guide but we are still getting an error:
The SSL certificate for the host could not be verified
the error we get on IPN is:
The SSL certificate for the host could not be verified
Now, we are using a G2 cert from GoDaddy (supports sha256). Not sure if this has anything to do with it or not.
Any help would be appreciated.
I am running out of ideas. We already installed the G5 root cert from Verisign, the site runs in SSL via G2 GoDaddy cert.
Thanks,
Moz
Are you using cURL to get the VERIFIED response?
If yes then contact GoDaddy and get the version number of SSL you have.
cURL by default uses SSLv3.
I had a similar issue, solved it by adding this
curl_setopt($ch, CURLOPT_SSLVERSION, 2);
to my cURL headers.
As per the paypal security upgrade on Jan 17th 2016 they are saying that the server needs to be installed with a ssl server with ssl of algorithm SHA-256 and the certificate needs to verify with a G5 ROOT certificate. But my doubt here previusly i can test the paypal sandbox payment in my localhost(a server without https) and it was worked perfectly. But as per the new upgrade from the paypal team is there any option to check the api service in sandbox in a http server(may be on localhost). When i try this i got a handshake_failure exception.
This was my mistake and finally i understood that ssl not needed. When i have update the paypal sdk jar to 1.4 the issue cleared.
I am currently struggling with an issue which I am now led to believe is being caused by IIS.
I am currently testing a self signed PKI setup with a Root CA (MyNewCA), two signed Client Certificates (certificate1, certificate2) and a Revocation list (revocationlist.crl) that is also signed by the CA.
I have added certificate1 to the revocation list and published it to a http port 80 site that exists on our network. I have then created a fake site (testsite) that is secured via a TLS certificate.
From a client machine, I have run the CertUtil commands on both certificate1 and certificate2 and these commands correctly access the http crl site, and recognise that certificate1 is revoked, and certificate2 is a legitimate non revoked certificate.
However, when I connect to the testsite via a client browser, and supply the invalid certificate - IIS still serves me the page instead of giving me a 403.13 error.
I have done a ton of reading, and it seems that at times there are CRL caching issues, however the first revocation list that I published had certificate1's serial number in it, and hence even a cached version will contain that revoked cert.
I have changed the CertCheckMode in RegEdit on the IIS server to the value 4 in an attempt to force IIS to fetch the latest crl on EVERY request, but even that setting is still allowing the revoked certificate to be served to the client.
The CRL itself has;
Effective date of 19th January 2016
Next update of 20th January 2017
I can provide the certutil output if it is useful, or any other log data that would help in pinpointing the problem.
I ran Fiddler on my client machine and verified that the crl was fetched from the Http site.
If anyone can provide any insight into this issue I would greatly appreciate it.
Thanks,
It is expected behavior. IIS do not prevent access to SSL sites even if there are revocation issues with the SSL cert. It is up to client what to do with the information it receives from the server. It is up to client to perform (or to not perform) revocation checking and to make decision about further steps.
In addition, make sure if client's cache has the most recent CRL.
I'm getting the following error when using the IPN Simulator -
IPN was not sent, and the handshake was not verified. Please review your information.
The URL is non-SSL HTTP (dev environment).
When I hit it in a browser I get the expected output (and a matching entry in my servers access.log), however when I hit it via the IPN Simulator, I get the above error, and nothing in the servers access log.
On advice from these questions:
IPN was not sent, and the handshake was not verified. Please review your information.
IPN Simulator: "IPN was not sent, and the handshake was not verified. Please review your information"
I tried the command openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts -CApath /etc/ssl/certs
and got the output they suggested:
Verify return code: 0 (ok)
I don't think this is particularly important as I'm not attempting to make an SSL request.
Any other ideas?
I'm attempting this as part of a bug fix, I developed the IPN stuff approximately 3 weeks ago and the IPN Simulator worked just dandily, now not so much.
Thanks in advance.
I found out that IP-based http such as http://182.100.25.4/foo/bar/baz do not work. I used dyndns to create a DNS record to point to 182.100.25.4 and suddenly voila - http://somedns.ddns.net/foo/bar/baz started working properly in the IPN simulator.
http-based URLs do work, you do not need to use https-based URLs.
Check web access logs on your server.
In my case there were 500 Internal Server Error on my side and I got same message in IPN Simulator.
But IPN Simulator were trying to send request any way...
This is incredible but in my case I needed to add a trailing slash to the end of the URL. Truly incredible.