Cloudflare and PayPal

paypal

#1

Recently I migrated to Woo Commerce for my PayPal Cart. The first issue I ran into, which will lead to the issue I am going to highlight, is that PayPal was returning EWP_SETTINGS as an error return in the URL, with the unhelpful message to the effect of “Things are not working right now. Try again later.” What that was telling me is that my PayPal account was blocking requests from an un-encrypted server due to a setting. I’m not sure if that is the default setting. I certainly don’t remember setting it. I had to set it to allow transactions from unencrypted websites.

But to the point, I have the basic account through SiteGround. This means, of course, only CloudFlare sees my SiteGround SSL certificate and I have no way to change this other than upgrading to a premium account… To allow that setting to work I need to upload to PayPal the public key for each website that will be processing a PayPal transaction and I can only upload my public key, not CloudFlare’s.

So, as I can’t upload CloudFlare’s public key, what are the chances CloudFlare would be willing to partner with PayPal to engineer a solution to allow business customers to set up their account so the Block Transactions From Unencrypted setting could work with CloudFlare users who don’t have premium accounts? I can guess no, but I thought I’d ask.


#2

Hi Jenny,

Cloudflare PM for SSL here. Do you have a link you can share on PayPal’s site with the technical requirements?

If I understand you correctly, sounds like they’re looking for the certificate not key (the latter you’d never want to share with anyone outside of someone terminating SSL/TLS for you). To retrieve that you can run the following (replacing www.cloudflare.com with your hostname):

$ openssl s_client -connect www.cloudflare.com:443 -servername www.cloudflare.com </dev/null

In the output you’ll see a PEM formatted certificate following the “Server certificate” line. This is the certificate that Cloudflare is serving for your hostname:

Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Without seeing PayPal’s specific ask, it sounds like they’re looking for the contents above between “BEGIN CERTIFICATE” and “END CERTIFICATE” (and sometimes want those two lines included). I would start there and let us know how that works.

Note that while this certificate is relatively static, it does change sometimes and this change would likely break any pinning they have. As you point out you’d need a plan that supports a custom certificate if they are indeed relying on the fact that this certificate never changes.

Please provide links to their instructions and we can help further.

Best,
Patrick
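An added example, not part of the original posts and not Cloudflare's or PayPal's tooling: shell functions that pull the PEM block following the "Server certificate" line out of `openssl s_client` output, strip the BEGIN/END lines for forms that want only the body, and compare a saved copy against what is served now to notice the change mentioned above. The function names, the hostname `shop.example.test` and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `openssl s_client -showcerts` output. The base64
# bodies are placeholders, not real certificates.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = shop.example.test
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
subject=CN = shop.example.test
---'

# stdin: s_client output. stdout: only the PEM block after "Server certificate",
# so chain certificates printed earlier by -showcerts are skipped.
extract_served_cert() {
  tr -d '\r' | awk '
    /^Server certificate/                   { seen = 1 }
    seen && /-----BEGIN CERTIFICATE-----/   { copy = 1 }
    copy                                    { print }
    copy && /-----END CERTIFICATE-----/     { exit }'
}

# stdin: PEM. stdout: base64 body without the BEGIN/END lines.
pem_body() {
  grep -v -- '-----'
}

# $1, $2: PEM strings. Exit 0 when they are the same certificate text,
# ignoring whitespace and CR/LF differences introduced by copy and paste.
same_cert() {
  [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" = "$(printf '%s' "$2" | tr -d ' \t\r\n')" ]
}

# $1: hostname. Needs network access and the openssl CLI; same command as above.
fetch_served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    extract_served_cert
}
```

Save the output of `fetch_served_cert` for your hostname when you upload the certificate, then run `same_cert` against a fresh fetch on a schedule; a mismatch means the uploaded copy is stale.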


#3

After further research I found out that the use of PayPal’s IPN (Instant Payment Notification) is another way to do secure transactions, which is what Woo Commerce uses. But as an FYI here is a link to using PayPal’s EWP (Encrypted Web Payments): PayPal EWP


#4

Can someone help? I am not receiving 2checkout.com IPN since moving to Cloudflare.
But PayPal IPN is working.
I can’t post a new topic, hence posting here. Sorry.


#5

Followups to Robin’s message should go here: