Troubleshooting HTTPS Post

401 Authentication Error

  • Check that you are using the correct API Key for each system – Production or Horizon. The private keys differ between the two systems and must be retrieved from each system individually.
  • Check that you have the correct RSP username.
  • Check that the IP address of the machine transmitting the data to the OpenSRS server is in your list of allowed IP addresses in the Reseller Web Interface.

📘

Note

IP changes take up to 15 minutes to take effect.

If the above checks are correct, check the MD5:

  • Ensure that you have concatenated the XML content and the Private Key
  • Ensure that you have performed an MD5 twice. See the MD5 section for more information.
  • Ensure that your HTTP Post implementation is not adding any extra information. Some implementations of HTTP Post add a NULL to the end of the HTTP Request. This is reflected in the MD5 and causes an authentication error.
  • Ensure that the result is in lowercase before sending it to OpenSRS. Some MD5 algorithms put the MD5 hash in uppercase.
  • Some MD5 algorithms need to convert the string to bytes before generating the hash. Make sure this is done properly. You can test your script by performing an MD5 on the following text:
    Text: ConnecttoOpenSRSviaSSL
    MD5 Result: e787cc1d1951dfec4827cede7b1a0933
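An added example, not OpenSRS code, that computes the signature and reports which of the MD5 checks above a request fails. Re-appending the key in the second pass is assumed from the MD5 section this page refers to; the function names and the sample key and XML are constructed here.

```python
import hashlib

# Vector published on this page for checking an MD5 implementation.
PAGE_TEXT = "ConnecttoOpenSRSviaSSL"
PAGE_MD5 = "e787cc1d1951dfec4827cede7b1a0933"


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of raw bytes (hexdigest() is always lowercase)."""
    return hashlib.md5(data).hexdigest()


def md5_matches_page_vector() -> bool:
    """Compare this MD5 implementation with the vector published on the page."""
    return md5_hex(PAGE_TEXT.encode("utf-8")) == PAGE_MD5


def sign(xml: str, private_key: str) -> str:
    """Two-pass signature: md5(md5(xml + key) + key), lowercase hex.

    Assumption: the second pass re-appends the key, as in the MD5 section
    this page refers to; that step is not spelled out on this page.
    """
    first = md5_hex((xml + private_key).encode("utf-8"))
    return md5_hex((first + private_key).encode("utf-8"))


def diagnose(xml_sent: bytes, xml_signed: str, private_key: str, signature: str) -> list:
    """Return the checklist items from this page that the request fails."""
    problems = []
    if signature != signature.lower():
        problems.append("signature is not lowercase")
    if xml_sent.endswith(b"\x00"):
        problems.append("request body ends with a NUL byte")
    if xml_sent != xml_signed.encode("utf-8"):
        problems.append("bytes sent differ from the bytes that were signed")
    if signature.lower() == md5_hex((xml_signed + private_key).encode("utf-8")):
        problems.append("MD5 was applied only once")
    return problems


if __name__ == "__main__":
    xml, key = "<OPS_envelope/>", "0123abcd"  # constructed sample values
    print(md5_matches_page_vector(), sign(xml, key))
    print(diagnose(xml.encode("utf-8") + b"\x00", xml, key, sign(xml, key)))
```
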

Invalid XML Response

Make sure you are sending the XML. The XML used in the MD5 is only for authentication purposes. You must also send the XML as part of the content header.

Further troubleshooting

If you are still having issues connecting to our API or even the web interface, please run these commands from the server/computer you are connecting from and email the output to OpenSRS support.

The XML API port is 55443

Commands to run

curl http://icanhazip.com/s/ OR wget -q -O - http://icanhazip.com/s/
ping rr-n1-tor.opensrs.net
traceroute rr-n1-tor.opensrs.net
openssl s_client -connect rr-n1-tor.opensrs.net:55443

📘

HRS customers:

Be sure to replace rr-n1-tor.opensrs.net with the API URL that was provided to you.

What we are testing for

The curl and wget commands obtain the IP address of the computer/server that you are connecting from. Depending on what is enabled on your computer/server, one of the commands should return the IP address. This step verifies that the IP address returned is the same one whitelisted in the Reseller Control Panel.

📘

HRS Customers:

Whitelisting an IP in your own HRS instance is not enough. You will also need to contact OpenSRS Support to be whitelisted in our firewall.

ping rr-n1-tor.opensrs.net
PING rr-n1-tor.opensrs.net (216.40.33.39) 56(84) bytes of data.
64 bytes from rr-n1-tor.opensrs.net (216.40.33.39): icmp_seq=1 ttl=253 time=1.38 ms

If the ping doesn't work

There is likely a problem with your network. It's highly unlikely that the OpenSRS API isn't reachable.

HRS Customers: It's possible that the external connections have not been opened and this might be firewall related. Send us a traceroute:

traceroute rr-n1-tor.opensrs.net
traceroute to rr-n1-tor.opensrs.net (216.40.33.39), 30 hops max, 60 byte packets
 1 123.125.51.1 (123.125.51.1) 0.881 ms 1.227 ms 2.712 ms
 2 123.78.201.2 (123.78.201.2) 0.784 ms 0.768 ms 100.78.201.3 (100 ...
15 ... rr-n1-tor.opensrs.net (216.40.33.39) 29.723 ms 29.694 ms 29.604 ms

Are you able to connect to the API host/port?

openssl s_client -connect rr-n1-tor.opensrs.net:55443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3443 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 59AA9115520F3D10BD86BD3DF6DB4EA996FDB3851301112B349744210015BBC2
    Session-ID-ctx:
    Master-Key: 10ECC1BC594B8DB568D006B34C3D14DDDBEEB303CA20969F9C3D2E17CD98EBDAB088EDD328D84EBA332C26D4426E0415
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1456503963
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

If you don't get the above result and instead see:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

HRS Customers: This probably means you are also not whitelisted at OpenSRS. Please provide us with the output from the test commands.

Or if you have:

connect: Connection refused
connect:errno=111

HRS Customers: This means that the port isn't open at all. Please provide us with the output from the test commands.

Try sending a simple XML command:

openssl s_client -connect rr-n1-tor.opensrs.net:55443
# Now paste the following:
POST / HTTP/1.0
Content-Length:505
Content-Type: text/xml
X-Username: test
X-Signature: c9fd4c8fde71912c63cc4ba83bbb6bc1

<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<!DOCTYPE OPS_envelope SYSTEM 'ops.dtd'>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="action">LOOKUP</item>
<item key="object">DOMAIN</item>
<item key="attributes">
<dt_assoc>
<item key="domain">acmeinc.biz</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
# You may need to press Ctrl + D

If you get this response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="response_text">Connection refused: invalid ip address [123.123.119.150]</item>
<item key="action">REPLY</item>
<item key="response_code">555</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
read:errno=104

This means the OpenSRS/HRS API is responding to you but your IP address is not whitelisted within SRS/HRS.
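An added example, not OpenSRS code, that takes captured `openssl s_client` output and maps it to the three failure cases described above. The function names and verdict strings are chosen here, and `SAMPLE_555` is a shortened copy of the reply shown on this page.

```python
import re
import xml.etree.ElementTree as ET

# Shortened from the reply on this page; the trailing errno comes from openssl, not the XML.
SAMPLE_555 = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>'
    '<!DOCTYPE OPS_envelope SYSTEM "ops.dtd"><OPS_envelope><body><data_block><dt_assoc>'
    '<item key="response_text">Connection refused: invalid ip address [123.123.119.150]</item>'
    '<item key="response_code">555</item>'
    "</dt_assoc></data_block></body></OPS_envelope>read:errno=104"
)


def parse_reply(raw: str) -> dict:
    """Return the top-level <item key=...> values of an OPS_envelope reply, or {}."""
    m = re.search(r"<OPS_envelope>.*?</OPS_envelope>", raw, re.S)
    if m is None:
        return {}
    try:
        # Only the envelope slice is parsed, so the DOCTYPE and any text
        # after </OPS_envelope> never reach the XML parser.
        root = ET.fromstring(m.group(0))
    except ET.ParseError:
        return {}
    items = root.findall("./body/data_block/dt_assoc/item")
    return {i.get("key"): (i.text or "").strip() for i in items}


def triage(raw: str) -> str:
    """Map s_client output to the diagnoses given on this page."""
    reply = parse_reply(raw)
    text = reply.get("response_text", "")
    if reply.get("response_code") == "555" and "invalid ip address" in text:
        return "API reachable; source IP not whitelisted in SRS/HRS"
    if reply:
        return "API replied: %s %s" % (reply.get("response_code"), text)
    if "errno=111" in raw or "Connection refused" in raw:
        return "port not open"
    if "errno=104" in raw and "no peer certificate available" in raw:
        return "connection reset during handshake; probably not whitelisted at OpenSRS"
    if "CONNECTED(" in raw:
        return "TLS connection established"
    return "unrecognised output"


if __name__ == "__main__":
    print(triage(SAMPLE_555))
```
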