View Issue Details

ID: 0007359
Project: module Amazon Pay
Category: main
View Status: public
Last Update: 2022-10-04 09:50
Status: acknowledged
Resolution: reopened
Product Version: 2.0.0
Target Version:
Fixed in Version:
Summary: 0007359: Amazon Pay Button not working
Description: Merchants are reaching out to us since the button in version 2.0.0 is not working. The button triggers an AJAX request ending up in a 500 error (find gif attached).
This issue is reproducible with our test shop in a blank oxid installation.
We double checked that the merchant is using the correct keys - the fact the button is rendering shows us that the account is valid and the right keys are in use.
This is a major issue for us causing a loss of merchant trust and a bad customer experience. Can you please investigate?
Steps To Reproduce:
Option 1:
Go to and hit the Button on the Product detail page (see gif attached)

Option 2:
Go to our oxid test shop (htaccess: amazon/oxid)
Tags: No tags attached.



2022-09-20 09:51


issue-oxid-1.gif (1,641,695 bytes)


2022-09-20 10:05

developer   ~0014313

@osanger: Mostly it has something to do with the Private-Key. The Amazon SDK that we use for the module checks the string of the ssh-key:

\vendor\amzn\amazon-pay-api-sdk-php\Amazon\Pay\API\Client.php -> setupRSA()

If it does not find "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" in the string, then the client thinks that the string is a path on the server and tries to read this path to get the Private-Key.

So the solution would be to set a complete private-key with all comments in the config-backend.


2022-09-20 11:30

reporter   ~0014317

We have to support both key headers, with and without the RSA. If this is the root cause, please fix.


2022-09-29 17:14

developer   ~0014335

@osanger: We couldn't fix it, because the behavior is in your SDK. Please let your development fix it and let us know a new SDK version.


2022-10-03 14:11

reporter   ~0014347

It's available in the SDK now:

Please fix.


2022-10-04 09:50

developer   ~0014400

Hello @osanger,

Nothing has been fixed by Amazon yet. Once again:

The SDK you maintain, which we cannot change, checks at this point (which you sent us as a link in the ticket:
) ... whether the string contains the word "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY".

If not, the SDK assumes it's a URL, even though it ended up being a key.

The string "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" is part of a comment placed at the head of the key string. It is normally not necessary for the function of the key. However, the SDK uses this comment to identify a "formally" correct key.

Amazon did not change the position in the SDK either. It still looks the same as we're using it right now.

Now there are two solutions:

1) You fix the SDK
2) We will also reject keys that do NOT contain the comment string "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" in the future.

As I said, this leads to confusion because the key is correct even without the comment.
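
One way a module could validate the configured key before handing it to the SDK, given the header check described in this thread (an added example, not code from the module or the Amazon Pay SDK; `normalizePrivateKeySetting` and `parsesAsPrivateKey` are hypothetical names). It assumes PHP with the OpenSSL extension, accepts a key with or without its header, and rejects any value that would otherwise fall through to the file-path branch.

```php
<?php
// Added example; function names are hypothetical, not module or SDK code.
const PEM_LABELS = ['RSA PRIVATE KEY', 'PRIVATE KEY'];

// True only for text that starts with a PEM header and that OpenSSL can load.
// The prefix check keeps "file://..." values from being opened by OpenSSL.
function parsesAsPrivateKey(string $pem): bool
{
    return strncmp($pem, '-----BEGIN ', 11) === 0
        && openssl_pkey_get_private($pem) !== false;
}

// Returns a PEM string carrying one of the two headers, or null to reject.
function normalizePrivateKeySetting(string $value): ?string
{
    $value = trim(str_replace(["\r\n", "\r"], "\n", $value));
    // Case 1: a header is present. Accept only if the key really parses.
    foreach (PEM_LABELS as $label) {
        if (strpos($value, "BEGIN $label") !== false) {
            return parsesAsPrivateKey($value) ? $value : null;
        }
    }

    // Case 2: no header. Only a bare base64 body is considered; it is
    // re-wrapped under each label in turn because the body alone does not
    // say whether it is PKCS#1 or PKCS#8. Anything else is rejected here
    // rather than passed on to be read as a file path.
    $body = preg_replace('/\s+/', '', $value);
    if (!preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $body)) {
        return null;
    }
    foreach (PEM_LABELS as $label) {
        $pem = "-----BEGIN $label-----\n" . chunk_split($body, 64, "\n")
             . "-----END $label-----\n";
        if (parsesAsPrivateKey($pem)) {
            return $pem;
        }
    }
    return null;
}

// Constructed sample input: a throwaway RSA key generated locally.
$key = openssl_pkey_new(['private_key_bits' => 2048,
                         'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $fullPem);
$bare = preg_replace('/-----[A-Z ]+-----/', '', $fullPem);
var_dump(normalizePrivateKeySetting($fullPem) !== null);
var_dump(normalizePrivateKeySetting($bare) !== null);
var_dump(normalizePrivateKeySetting('/var/www/keys/amazon.pem'));
```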