PayPal SDK got SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

I am running into this issue with ruby 2.7.0, Rails 6.0.3.2, paypal-sdk-core 1.7.4, and OpenSSL 1.1.1d on macOS Catalina v10.15.6. When I deployed the code to Amazon Linux 2, AWS got the same error. So, I guess something in vendor/bundle was broken.

This code was working before I reinstalled ruby 2.7.0 with rbenv uninstall & install.

The exception occurred when Sale.find was executed in the following code.

sale   = Sale.find(ipn.txn_id)
refund = sale.refund_request({
  :amount    => {
    :total    => refund_amount.to_f,
    :currency => ipn.currency_code },
  :reference => reference
})

I checked the HTTPS connection, and the SSL handshake looks OK.

$ openssl s_client -connect api.sandbox.paypal.com:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = PayPal Production, CN = api.sandbox.paypal.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = PayPal Production, CN = api.sandbox.paypal.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = PayPal Production, CN = api.sandbox.paypal.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA

---
Acceptable client certificate CA names
C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = sandbox_certs, CN = sandbox_camerchapi, emailAddress = re@paypal.com
C = US, ST = California, L = San Jose, O = "PayPal, Inc.", OU = stage1_certs, CN = stage1_camerchapi, emailAddress = re@paypal.com
C = US, ST = CA, L = San Jose, O = PayPal Inc., OU = Mobile Client Certificate Authority, CN = PayPal Sandbox Client CA, emailAddress = DL-PP-ApplicationSecurity@paypal.com
CN = gtorel_1310486522_per_api1.paypal.com, L = Napoli, ST = Napoli, C = IT
CN = Sandbox_RootCA, OU = PayPal Crypto Mgt, O = PayPal Inc., L = San Jose, ST = California, C = US
CN = Sandbox_MerchantIssuingCA, OU = Platform Security, O = PayPal Inc., L = San Jose, ST = California, C = US
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4449 bytes and written 462 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: C66CE9265BF19D4A2FB4C4ED43B9C4523FCCA69C09F49BF0E2BBC6E012491463
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1596387340
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

I suspect that "Remove Support of Verisign G5 Root Certificate" was the trigger for this issue. Presumably, the Root PEM files need to be downloaded, and incorporated into the gem.
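
Added example (not part of the original post, and not PayPal SDK code): why `openssl s_client` can report `Verification: OK` while a Ruby client fails with "unable to get local issuer certificate". The result depends only on which CA bundle the verifier is given. The three-tier PKI is constructed on the fly, and the names `issue`, `verify_against` and `demo` are hypothetical.

```ruby
require "openssl"

# Constructed throwaway PKI (root -> intermediate -> leaf); not PayPal's or DigiCert's certificates.
def issue(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` the way a TLS client does: `bundle` is the content of the
# trusted CA file, `sent` is what the server puts on the wire (untrusted).
def verify_against(bundle, leaf, sent)
  store = OpenSSL::X509::Store.new
  bundle.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf, sent)
  { ok: ok, code: store.error, reason: store.error_string }
end

def demo
  keys  = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue("Constructed Root CA", keys[0], ca: true)
  inter = issue("Constructed Intermediate CA", keys[1], issuer: root, issuer_key: keys[0], ca: true)
  leaf  = issue("api.example.test", keys[2], issuer: inter, issuer_key: keys[1])
  other = issue("Unrelated Old Root", keys[3], ca: true) # stands in for a stale bundled root
  {
    # Bundle lacks the root that anchors the served chain: error 20.
    stale_bundle:   verify_against([other], leaf, [inter]),
    # Bundle contains the root: same leaf, same served chain, verification passes.
    current_bundle: verify_against([root], leaf, [inter]),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: ok=#{r[:ok]} code=#{r[:code]} (#{r[:reason]})" }
end
```

To see which bundle a given Ruby build falls back to, print `OpenSSL::X509::DEFAULT_CERT_FILE` and `OpenSSL::X509::DEFAULT_CERT_DIR`; a library that passes its own `ca_file` overrides those defaults.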
