
I'm new to ssl so forgive me.

I set up a site with SSL and all the online checks (e.g. https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp) show that it is set up correctly and the site runs fine in the browser.

The site uses a payment gateway, and this is where the problem is. When testing the payments, I found that the IPN wasn't being run. So I got support from the payment gateway service provider and they sent back that the reason the IPN was not being run was this error:

```
com.payjar.common.exception.TransactionProcessException: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification 
path to requested target
```

I've been reading up about it online and I've found a lot about keytool and truststore, but I'm not too sure how it all works and if it will even solve my problem, as the IPN is stored on my server but it is not run on a browser but by the payment service provider. So will I need to use this keytool on my server or will they need to do something on their side (which is obviously not an option for them)?

Any help or guidance would be greatly appreciated on how I can solve this error.

My server is Ubuntu 14.04.1 running Apache 2.4.7. The SSL certificate is a CA signed certificate.

  • Check your site against [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and look out for missing chain certificates. If this does not help please publish the name of your site so that one can check what is wrong. – Steffen Ullrich Jan 06 '15 at 13:42
  • I had a look, I got a B grade, is that bad? The certificates seem fine. Although, could it be that the payment gateway service provider doesn't support SNI? The site is www.vitalityinstitute.co.za. – David North Jan 06 '15 at 14:20
  • Yes, I also assume that SNI is not supported by the provider. This is a typical problem. But it looks like you've fixed this in the meantime, because current reports don't show a dependency on SNI anymore. – Steffen Ullrich Jan 06 '15 at 15:23
  • All I did was disable the other site that uses https. But the payment still isn't working. I think I will try to change over from name based vhosts to ip based so that it doesn't use SNI and see if that works. – David North Jan 07 '15 at 06:49
  • From here the host looks ok with and without SNI. Are you sure that the payment provider uses www.vitalityinstitute.co.za and not vitalityinstitute.co.za (which is a different host and the certificate does not match the name)? – Steffen Ullrich Jan 07 '15 at 07:03
  • From your comment, I checked (using https://www.digicert.com/help/) and vitalityinstitute.co.za is routing to our old server whereas www.vitalityinstitute.co.za is routing to the new server. We don't own the domain, so will I need to ask the owners of the domain to change something on their DNS manager? – David North Jan 07 '15 at 07:37
  • One thing is that both domains had better point to the same server. The other thing is that the certificate they both use is only valid for www.domain and not for domain without www. But I'm not sure if this issue is related to your original problem at all - please check out which hostname your payment provider is really using. – Steffen Ullrich Jan 07 '15 at 09:15
  • Thanks for that. They both point to the same server now and the payment provider is using www.vitalityinstitute.co.za. So that all seems fine. Although, does the server in and of itself need to have its own self signed certificate? The payment client times out when attempting to send a request, could it be for that reason? – David North Jan 07 '15 at 09:57
  • I don't know how your payment provider works in detail. Either you ask them for help or you need to document the specific architecture and point out where you have problems. – Steffen Ullrich Jan 07 '15 at 11:12
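
The missing-chain check suggested in the first comment can be reproduced offline. The following is an added example, not part of the original question or comments: it builds a constructed root, intermediate and leaf with `openssl` (all names are made up) and validates the leaf the way a client that trusts only the root would, with and without the server supplying the intermediate.

```shell
#!/bin/sh
# Added example: every key and certificate below is a throwaway constructed
# for this demo; the demo-*.example.test names are made up.

# make_chain DIR: create root -> int -> leaf in DIR (an empty directory).
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root: the only certificate the client will trust.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, issued by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" \
        2>/dev/null || return 1
    # Server (leaf) certificate, issued by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# client_accepts DIR [SENT_CHAIN]: validate the leaf as a client whose trust
# store holds only the root. SENT_CHAIN is the file of intermediates the
# server sends with its leaf; omit it to model a server that sends none.
client_accepts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi >/dev/null 2>&1
}

work=$(mktemp -d) || exit 1
make_chain "$work" || { rm -rf "$work"; exit 1; }
for sent in "" "$work/int.pem"; do
    if client_accepts "$work" "$sent"; then result="path to trusted root found"
    else result="no valid certification path"; fi
    echo "intermediate sent: ${sent:-none} -> $result"
done
rm -rf "$work"
```

To see what a live server actually sends, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) prints the served chain. On Apache 2.4.7 the intermediates are supplied through `SSLCertificateChainFile`.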
