Anyone have any luck using google checkout callbacks?

I have set the callback to be at my https://<me>.powweb.com address, but it's reporting this error:

the error we got is: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path

That doesn't give me a whole lot to go on - anyone got this working?

At this time, PowWeb does not support site-specific SSL certificates.

So I contacted google, and they said:

Thank you for your email. Sorry it has taken so long to get back to you.
However we have been investigating the issue, and it appears the problem
is that you have several unnecessary certificates in your server's
configuration that the server returns when it is contacted by Google
Checkout. You should configure your server with only the necessary
certificates: your server's certificate and any intermediate CA
certificates.

After you have updated your server configuration, please let me know if
you are able to process your notifications.

Hey powweb, can we get this fixed?

We're actually looking into this and we're talking to Google people on the Google Checkout team.

The issue isn't actually that there's "unnecessary certs", as far as we know, it's that the Sun/Java library the Google Checkout team used doesn't support multi-rooted certs, and doesn't like Comodo as a cert supplier in particular.

We're working this on two fronts:
1) We're working with Comodo to get Google Checkout compatible certs, then to get them installed everywhere they need to be installed (not a small job)
2) We're talking to the Google Checkout team in hopes of getting them to add the Comodo trust to the list of supported trusts so that we don't need to change anything.

I'm waiting to hear back from Google, as we speak.

Thank you. It would be great if you could update us here on any progress!

I will be watching this post carefully :)

The folks at Google have been pretty responsive. No progress yet, but we're looking into whether or not they can do anything on their end. A fix on their end is much simpler than a fix on ours, but we'll figure it out either way.

Heard back from the Google Checkout engineers looking into it, and they're still looking into it. While this has been addressed some on the web already, I think we might be the largest group to bring it up directly to them, so I give them credit for looking into it for us.

Quite frankly, in their shoes, I might have just told us to pound sand :) But they're being helpful and communicative, but there's just no solution yet.

Thanks rtoohil for the updation you provided us.

We think this should be working now. The Google Checkout team added some more valid trusts to the Java SSL library, and our certs should now be validated.

I haven't done exhaustive testing, but early results are positive. So, if this is something that you'd been planning to try out, give it a shot! I think it will work.