can the payment callback URL (https) work with self-signed certificate or do I need a commercial SSL cert ?
I did a quick check and the SSL connection from facebook to my server (default https port 443) fails during handshake, HTTP request is not even done.
As soon as I changed app configuration on FB to HTTP, everything works fine.
So far, everything else like canvas url etc. works just fine with self-signed cert, only having problems with payment callback URL.
You will need a valid commercial cert (yes, costs a lot of money but there's some low cost SSL providers out there like GoDaddy.com).