Its possible to fix this by using the server's own CA file.

Try setting ssl_options: { ca_file: nil }.

This causes the paypal.crt CA file bundled with the paypal-sdk gem to be ignored.

For apps using PayPal::SDK.configure(...)

PayPal::SDK.configure(  mode: ...,  client_id: ...,  client_secret: ...,  # Deliberately set ca_file to nil so the system's Cert Authority is used,  # instead of the bundled paypal.crt file which is out-of-date due to:  # https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240  ssl_options: { ca_file: nil })

For apps using a YAML config file

In config/paypal.yml or wherever your config file is located:

ssl_options:  ca_file: null

I'm leaving this here, but the answer by RidingRails is what I consider "correct". It is the proper solution to dealing with this longer-term, although the real solution is to move to PayPal's newer gem.

My answer below is to help you quickly get PayPal working again without having to push out an update to your code.

This is really ugly, as PayPal packages the certs with their gem. To get up and running, you need to find the gem in your bundle and specifically find the file "paypal.crt". At the end, you need to add the two certificates that are missing. I am not going to copy/paste them here, but they are easily found. Actually, they were already on my Ubuntu system in /etc/ssl/certs:

DigiCert_Global_Root_G2.pem

DigiCert_High_Assurance_EV_Root_CA.pem

PayPal provides links here:

https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240

Steps to fix:

1. Find the paypal.crt file in the version of the gem that you are using. Here's what that looked like for me:

   cd app/production/shared/bundle

   find . -name paypal.crt

   At this point, I had a file in version 1.7.3 and 1.7.4 of the gem. I'm using the 1.7.4 version, so I edited that file.

2. Add those two certificates to the bottom. You should put the name of the certificate on a line, a line with "=" repeated to make a nice separator, and then the entire certificate including the BEGIN and END lines.

3. Restart your application.

This is not a long-term solution but will get you back running quickly. Long term - upgrade to the new gem.

Here is what we ended up doing on my team.

We added the 2 certs that Michael mentioned in

config/api.paypal.com.crt

Then in paypal.yml

 ssl_options:    ca_file: config/api.paypal.com.crt

We left the Gem as is. Initially we tore through the gem looking for answers but ultimately we left the gem as is and added the crt and updated yaml as show above.