PayPal：无法使用已知 CA 证书对对等证书进行身份验证

Question

Hi suddely I start to get this error curl_error: Peer certificate cannot be authenticated with known CA certificates on paypal transactions on my site. The certificate name is VeriSignClass3PublicPrimaryCertificationAuthority-G5.crt and seem to be valid and seem to be an Intermediate Certificate. The code is the following but it workd for years.

  curl_setopt($conn, CURLOPT_HEADER, 0);
  curl_setopt($conn, CURLOPT_NOBODY, 0);
  curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true);
  curl_setopt($conn, CURLOPT_SSL_VERIFYHOST, 2);
  curl_setopt($conn, CURLOPT_CAINFO, getcwd() . "/CAcerts/VeriSignClass3PublicPrimaryCertificationAuthority-G5.crt");
  curl_setopt($conn, CURLOPT_HTTPPROXYTUNNEL, 1);
  curl_setopt($conn, CURLOPT_PROXYTYPE, "CURLPROXY_HTTP");
  curl_setopt($conn, CURLOPT_PROXYAUTH, "CURLAUTH_BASIC");
  curl_setopt($conn, CURLOPT_POST, 1);
  curl_setopt($conn, CURLOPT_POSTFIELDS, $postString);
  curl_setopt($ch, CURLOPT_TIMEOUT, 15);

The site is on a simple hosting and there is no ssh. What should I do? Should I insltall a new certificate? If so what certificate and what is the correct procedure?

Answer 1

The file /CAcerts/VeriSignClass3PublicPrimaryCertificationAuthority-G5.crt is out of date.

Update to one that is able to verify the issuer of the certificate of the PayPal server you are connecting to.

You can download an updated bundle of Certificate Authorities here: https://curl.haxx.se/docs/caextract.html

Put that .pem file somewhere like /CAcerts/, and change your path to point to it.