tunafish has asked for the wisdom of the Perl Monks concerning the following question:

Not 100% sure this is a Perl issue, but it seems to be. I have an IPN script that connects with PayPal to verify transactions. It was working fine until yesterday, when I installed LWP::Protocol::https. Since then, it's been failing with the error:

Can't connect to www.paypal.com:443 (certificate verify failed) LWP::Protocol::https::Socket: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl5/LWP/Protocol/http.pm line 47.

Running GET https://www.paypal.com from bash (which uses LWP) yields the same error message. OTOH, running GET https://www.gmail.com is successful.

Running openssl s_client -host paypal.com -port 443 returns (among other things) Verify return code: 0 (ok).

curl "https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate" successfully receives a response from PayPal. So it does seem to be Perl-specific.

Module versions:

LWP 6.13
LWP::Protocol::https 6.06
IO::Socket::SSL 2.015
Mozilla::CA 20141217 (note I've tried the script both using Mozilla::CA and without it... results have been the same)

Please let me know if there are other relevant modules. Perl version is 5.10.1. Server OS is RHEL 6.

Replies are listed 'Best First'.
Re: LWP, "certificate verify failed" on known good certificate (paypal.com)
by Corion (Patriarch) on May 31, 2015 at 06:45 UTC

    Maybe curl and openssl use the PEM files that are installed globally on your system while Mozilla::CA contains different certificates?

    I'm not sure how you can easily/conveniently compare the certificate chains between Mozilla::CA and the OS. Maybe you can try and set the global certificate through

    IO::Socket::SSL::default_ca( SSL_ca_path => '/etc/ssl/...' );

      Nailed it!

      I fixed the problem by adding ssl_opts => { verify_hostname => 1, SSL_ca_file => '/path/to/servers/ca-bundle'} to LWP::UserAgent->new().
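
Added example, not part of the thread or any poster's code: a small diagnostic that runs the same HTTPS request against each candidate CA store with verification left on, so you can see which trust store makes LWP fail before pinning `SSL_ca_file`. The system bundle path is an assumption (typical for RHEL), and `check_store` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# Candidate trust stores to compare. The system bundle path is an assumption
# (typical for RHEL); substitute your server's CA bundle.
my %stores = (
    'system bundle' => '/etc/pki/tls/certs/ca-bundle.crt',
);
# Mozilla::CA is optional; include its bundle only if the module is installed.
if (eval { require Mozilla::CA; 1 }) {
    $stores{'Mozilla::CA'} = Mozilla::CA::SSL_ca_file();
}

# Try one HTTPS request with verification ON against a single CA file.
sub check_store {
    my ($url, $ca_file) = @_;
    return { ok => 0, detail => "CA file not readable: $ca_file" } unless -r $ca_file;
    my $ua = LWP::UserAgent->new(
        timeout  => 15,
        ssl_opts => {
            verify_hostname => 1,        # keep verification on while diagnosing
            SSL_ca_file     => $ca_file, # explicit store, so no silent default
        },
    );
    my $res = $ua->get($url);
    # LWP marks locally generated failures (e.g. TLS errors) with Client-Warning.
    if (($res->header('Client-Warning') // '') eq 'Internal response') {
        return { ok => 0, detail => $res->status_line };
    }
    # Any real server response means the handshake and verification succeeded.
    return { ok => 1, detail => 'issuer: ' . ($res->header('Client-SSL-Cert-Issuer') // 'n/a') };
}

my $url = shift(@ARGV) // 'https://www.paypal.com/';
printf "IO::Socket::SSL %s, LWP %s\n", $IO::Socket::SSL::VERSION, $LWP::UserAgent::VERSION;
for my $name (sort keys %stores) {
    my $r = check_store($url, $stores{$name});
    printf "%-14s %-4s %s\n", $name, ($r->{ok} ? 'OK' : 'FAIL'), $r->{detail};
}
```

A store that reports FAIL while another reports OK for the same host points at the trust store contents rather than the server certificate.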

Re: LWP, "certificate verify failed" on known good certificate (paypal.com)
by noxxi (Pilgrim) on Jun 01, 2015 at 06:59 UTC
    Since the same question was asked on stackoverflow too ... More details about the underlying problem can be found at my answer there (in short: a problem with OpenSSL known for years).
Re: LWP, "certificate verify failed" on known good certificate
by parv (Parson) on Jun 09, 2015 at 00:14 UTC
Re: LWP, "certificate verify failed" on known good certificate (paypal.com)
by ikegami (Patriarch) on Jun 01, 2015 at 17:45 UTC

    The above question was posted to StackOverflow, where it got a great answer explaining the underlying problem.

    [ Ack! This has already been posted. Feel free to delete. ]