I am currently trying to integrate paypal checkout with our online store. We are testing against Sandbox. Everything but the IPN (Instant payment notification) works.
We read a lot about paypal changing their security model so we tried to follow their guide but we are still getting an error:
The SSL certificate for the host could not be verified
the error we get on IPN is:
The SSL certificate for the host could not be verified
Now, we are using a G2 cert from GoDaddy (supports sha256). Not sure if this has anything to do with it or not.
Any help would be appreciated.
I am running out of ideas. We already installed the G5 root cert from Verisign, the site runs in SSL via G2 GoDaddy cert.
Thanks,
Moz
Are you using cURL to get the VERIFIED response?
If yes then contact GoDaddy and get the version number of SSL you have.
cURL by default uses SSLv3.
I had a similar issue, solved it by adding this
curl_setopt($ch, CURLOPT_SSLVERSION, 2);
to my cURL headers.
Related
I am getting ERR_CERT_REVOKED in iPhone while accessing our website which uses a GoDaddy SSL certificate. It works fine on Laptop on all browsers but gives this error on iPhone.
Godaddy is facing an AutoSSL technical issue where they are not able to renew the SSL certificate. Mine has been down for 2 days now and has contacted their support multiple times. No permanent fix as of now.
You can do these steps which can put you in the queue for AutoSSL renewal. They haven't mentioned a timeframe for the resolution of this issue, unfortunately.
Steps:
Go to Cpanel of Hosting
Select SSL/TLS
Select Generate, view, upload, or delete SSL certificates.
Delete all self-signed certificates
Go to Cpanel and select SSL/TLS Status
Select all domains you want to renew and click Run AutoSSL
This will put your domain in the queue for renewal.
God knows when these guys will resolve the issue and renew it though.
As per the paypal security upgrade on Jan 17th 2016 they are saying that the server needs to be installed with a ssl server with ssl of algorithm SHA-256 and the certificate needs to verify with a G5 ROOT certificate. But my doubt here previusly i can test the paypal sandbox payment in my localhost(a server without https) and it was worked perfectly. But as per the new upgrade from the paypal team is there any option to check the api service in sandbox in a http server(may be on localhost). When i try this i got a handshake_failure exception.
This was my mistake and finally i understood that ssl not needed. When i have update the paypal sdk jar to 1.4 the issue cleared.
I have integrated paypal express checkout with my app. Few days back I got following email from Paypal.
Dear Customer,
In keeping with industry standards set by the Certification Authority/Browser (CA/B) Forum, PayPal will discontinue supporting 1024-bit key length certificates and will migrate to 2048-bit certificates before the end of 2013.
We have completed the installation of 2048-bit certificates for all API endpoints in our PayPal Sandbox and Payflow Pilot environments, and we will be doing the same for our production environments starting on August 6, 2013.
We strongly encourage merchants to thoroughly test any existing integration(s) in the PayPal Sandbox and/or Payflow Pilot environments to ensure this migration will not cause any unforeseen issues.
Please have the team or person responsible for your integration refer to the following:
If you need to import the new PayPal Sandbox and/or Payflow Pilot server certificates to your application or system truststore, you can download production and Sandbox certificates from https://ppmts.custhelp.com/app/answers/detail/a_id/952.
If you don’t typically import the server certificates to your truststore, you can proceed with testing with no other action required.
If you have any questions, please contact PayPal Merchant Technical Services by filing a ticket; refer to PP-LIVE-3503. You may also visit our Live Site Status blog.
Sincerely,
PayPal
I am using API signatures instead of certificates. So, I really dont need to do anything here, right?
It's not the API certificate that is changing, it's the endpoint certificate that's changing to 2048. So whether your API credentials consist of either a API Signature or an API Certificate shouldn't matter.
You will only need to change anything if you're somehow storing and validating PayPal's API endpoint SSL certificate against a locally stored copy of the (same) SSL certificate. Often this is done in a so called 'truststore'.
Since PayPal's API endpoint certificate will change, you would need to update the certificate in the truststore accordingly.
So yes, you won't need to change anything if you're merely using an API signature or API certificate for API authentication.
I am not sure it is neccessary if I am using PayPal express checkout for recurring payment, do I need https/ssl for my website to connect to PayPal? I am using Ruby on Rails and there is a gem called "paypal-express". It is working well without ssl in sandbox environment. Any suggestion? Thank you.
If by 'https/ssl' you mean whether your site itself needs to support SSL traffic over HTTP (and thus have a valid SSL certificate): no, it doesn't.
You do however need to be able to establish an SSL connection. Specifically, to PayPal's API endpoint.
This means you need to allow outbound SSL traffic via your firewall (if you have any) and your environment needs to support this.
Ensure you have a valid copy of the root certs (I usually suggest http://curl.haxx.se/ca/cacert.pem) to valid the SSL certificates against.
Callbacks required SSL as stated here: https://developer.paypal.com/docs/classic/express-checkout/integration-guide/ECInstantUpdateAPI/
Working with the Paypal API, yes i've checked my config files, yes i've checked username and password.... i'm outa ideas. I'm using the ExpressCheckout API downloaded from and everytime i try call the setExpressCheckout method i get the following error:
NSS: client certificate not found (nickname not specified)
I know it's something to do with an SSL error, how do i go about solving the problem?
On August 3 and August 5 PayPal renewed the SSL certificates for the following API endpoints:
api.paypal.com
api-3t.paypal.com
api-aa.paypal.com
api-aa-3t.paypal.com
If you need to import the new PayPal SSL certificates into your application or system keystore/truststore you can download them from https://ppmts.custhelp.com/app/answers/detail/a_id/920/. If you don't typically import the PayPal SSL certificates into your keystore/truststore, no action is required on your part.
For Sandbox please use this link: https://ppmts.custhelp.com/app/answers/detail/a_id/924 to Download the new SSL Certificate.
Check the paypal's server domain you send request to.
It should be api.paypal.com for certificate based authorization and api-3t.paypal.com for signature based authorization.
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_NVPAPIOverview#id084E30V0RE9