0
votes

I built an app on OpenShift Online and now I'm trying to integrate with PayPal. I'm running into SSL cURL errors that I don't know how to address. I've looked through SO, OpenShift Online, PayPal and elsewhere but can't get this issue worked through.

Background:

  • PHP-based app running on OpenShift Online v2
  • Set up as https://*******.rhcloud.com/test/test_IPN.php --- so I can use their *.rhcloud.com wildcard certificate
  • Using PayPal "Buy Now" button with PayPal Payments Standard, testing in their sandbox
  • Using IPN sample code found at https://github.com/paypal/ipn-code-samples/blob/master/paypal_ipn.php

Here is the portion of the code that seems to be at the root of my problem:

// CONFIG: Please download 'cacert.pem' from "http://curl.haxx.se/docs/caextract.html" and set the directory path
// of the certificate as shown below. Ensure the file is readable by the webserver.
// This is mandatory for some environments.

//$cert = __DIR__ . "./cacert.pem";
//curl_setopt($ch, CURLOPT_CAINFO, $cert);

Problem:

[1] using code "as is" (lines 79-80 commented out) throws curl error: "SSL connect error"

[2] using the code with lines 79-80 uncommented (and cacert.pem placed in same dir as php script) throws curl error: "Problem with the SSL CA cert (path? access rights?)"

It's likely I'm missing something simple here. Any help getting this to work properly on OpenShift Online is greatly appreciated. Thanks!


2 Answers

0
votes

This line is pretty suspect:

$cert = __DIR__ . "./cacert.pem";

Basically you would end up with something like $cert equaling /home/path./cacert.pem, which I am pretty sure is not what you want and is why you are getting the SSL error: it can't find the certificate. That could be corrected to:

$cert = __DIR__ . "/cacert.pem";

It also might be better to store the cacert.pem in your $OPENSHIFT_DATA_DIR and reference it as such:

$cert = getenv("OPENSHIFT_DATA_DIR")."cacert.pem";

And make sure that the permissions on the cacert.pem are at least 0644:

chmod 0644 $OPENSHIFT_DATA_DIR/cacert.pem
0
votes

Solution:

Force the use of TLS 1.2

Commenting out lines 79-80 and adding

curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Force TLS 1.2

did the trick for me. Hope this helps someone else.

P.S. The need for TLS 1.2 came from this PayPal article https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US
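
The two answers above combined, as an added example that is not part of the original posts or of PayPal's sample code: the CA bundle path is checked before it is handed to cURL, certificate verification stays enabled, and TLS 1.2 is requested. The function names `resolve_ca_bundle` and `ipn_postback` are hypothetical, and the `cmd=_notify-validate` body and the endpoint URL passed on the command line are assumed to match what the IPN sample script sends.

```php
<?php
// Added example (hypothetical helper names), PHP 5.3+ with the cURL extension.

// Build the CA bundle path and fail early if it is missing or unreadable,
// rather than letting cURL report "Problem with the SSL CA cert".
function resolve_ca_bundle($dir, $file = 'cacert.pem')
{
    // Explicit separator avoids paths such as "/home/path./cacert.pem".
    $path = rtrim($dir, '/') . '/' . $file;
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: $path");
    }
    return $path;
}

// POST $body to $url over TLS 1.2 with peer and host verification enabled.
function ipn_postback($url, $body, $caBundle = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => 6, // TLS 1.2, same value as in the answer
        CURLOPT_CONNECTTIMEOUT => 30,
    ));
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    $response = curl_exec($ch);
    if ($response === false) {
        $msg = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $response;
}

// CLI usage: php this_file.php <IPN endpoint URL from the sample script>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $ca = resolve_ca_bundle(getenv('OPENSHIFT_DATA_DIR') ?: __DIR__);
    echo ipn_postback($argv[1], 'cmd=_notify-validate', $ca), "\n";
}
```

Passing `null` as the third argument to `ipn_postback` leaves `CURLOPT_CAINFO` unset, so cURL falls back to the system CA store while still verifying the peer.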