#gkleinig
I'm not aware of any ongoing issues impacting SSL/TLS, no. Sounds like a potential server configuration issue.
mm haven't had any changes on the server
when I go to the URL mentioned in the error (https://api.stripe.com/) and look at the SSL details, sometimes I see a certificate which was renewed only yesterday, but other times I receive a certificate that expires in early April. That doesn't seem quite right to me, so it could be part of the problem
Can you share a req_xxx ID or your acct_xxx?
it's not getting far enough for there to be a request id - i'm using the stripe PHP wrapper and i suspect guzzle is failing
could it be related to this
acct_1038rB2B0N2DDYdB
No, that's an ongoing issue related to availability of data in the Dashboard
Thanks, taking a look
Thanks!
Are you able to reproduce this issue from a different network?
umm
well it looks like an issue between our web server and your API
rather than my local network
Right, but are you able to initiate the API call(s) from your integration on a different server or locally?
I could possibly try
If so, do you see the same issues? We've no reports of other SSL issues, so this strikes us as a server configuration issue.
we have 2 environments, one for dev and one for live
both are having the same issues
but they're from the same 'network' - part of AWS
i've just run the same test 5 times, the first 4 failed due to the SSL issue and the last one succeeded
Then perhaps it's a configuration issue with your AWS instance(s). Perhaps they're intercepting the HTTPS traffic and replacing the SSL?
just sometimes? haha
FWIW, you can temporarily disable the SSL verification in stripe-php: https://github.com/stripe/stripe-php/blob/master/lib/Stripe.php#L35
Have you tried a network request from another server/localhost yet?
one sec i'll try disabling the cert verification
We don't really recommend doing that permanently. You likely want to be verifying the authenticity of the API responses
But as a temporary measure it's fine until root cause is resolved.
ok switching that off seems to have fixed the issue on our dev server
ok so do you have any tips on how i could make the request to your APIs locally so i can test the ssl issue?
I just wanted to highlight this again in case you missed it to see if it might provide any clues:
Interestingly enough, when I go to the URL mentioned in the error (https://api.stripe.com/) and look at the SSL details, sometimes I see a certificate which was renewed only yesterday, but other times I receive a certificate that expires in early April.
Bear with me a moment
sure
QQ: your servers are set to the correct time yes?
umm yep
i.e. UTC, and don't wrongly think the certs have expired.
let me double check which timezone they're set to
Ok, just wanting to check all avenues here. There's potentially something related at our end that may also be impacting you (just discovered it), but haven't confirmed yet.
not that i'm aware of! how would i determine that?
It seems we issued new certs recently, but if you're pinning them (which we don't recommend) then the ones your app is using will have expired.
ok - super weird that it's happening intermittently but i'll forward this info on to our sysadmin team and see what we can figure out
thanks heaaaps for your help
of course, do let us know if that doesn't resolve the issue.
will do! hope you have a great day / evening wherever you are 🙂
you too!
you guys make a kick-ass product and api ❤️
just showing some tests using openssl s_client -showcerts -connect api.stripe.com:443
Hi Soma, just trying to get to the bottom of this SSL issue :0
Have you confirmed whether you're pinning the certificates? https://stripe.com/docs/tls-certificates#certificate-pinning
i have yes, we're not pinning certificates
api.stripe.com can resolve to many IPs (https://stripe.com/docs/ips#ip-addresses) some of which may have the old certificate still (that your app is using). Which likely explains why the occasional request is fine.
The internal issue I referred to earlier was related to certificate pinning.
That makes sense. Is it possible that one of the IPs is being served with an old / expired cert?
Still checking on this internally, bear with us.
Hey there, we're rolling back some newly revised certificates which should hopefully resolve this
Will let you know when that's done
Ahh fantastic ok! Thanks for the update
Ok, I believe this should now be mitigated.
Fantastic, thanks for that. I’ll switch the certificate verification back on in the morning and test it all out 🙂
np. If still affected, I'd recommend writing in to support: http://support.stripe.com/contact