Troubleshooting HTTPS Post

401 Authentication Error

  • Check that you are using the correct API Key for each system – Production or Horizon. The private keys differ between the two systems and must be retrieved from each system individually.
  • Check that you have the correct RSP username.
  • Check that the IP address of the machine transmitting the data to the OpenSRS server is in your list of allowed IP addresses in the Reseller Web Interface.

📘

Note

IP changes take up to 15 minutes to take effect.

If the above checks are correct, check the MD5:

  • Ensure that you have concatenated the XML content and the Private Key.
  • Ensure that you have performed an MD5 twice. See the MD5 section for more information.
  • Ensure that your HTTP Post implementation is not adding any extra information. Some implementations of HTTP Post add a NULL to the end of the HTTP Request. This is reflected in the MD5 and causes an authentication error.
  • Ensure that the result is in lowercase before sending it to OpenSRS. Some MD5 algorithms put the MD5 hash in uppercase.
  • Some MD5 algorithms need to convert the string to bytes before generating the hash. Make sure this is done properly. You can test your script by performing an MD5 on the following text:
    Text: ConnecttoOpenSRSviaSSL

MD5 Result: e787cc1d1951dfec4827cede7b1a0933
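The checklist above as a runnable check, added here as an illustration and not OpenSRS's own code. It assumes the two MD5 passes are md5(md5(xml + key) + key) over lowercase hex digests (confirm against the MD5 section); the key and XML body are constructed samples, and `diagnose` is a hypothetical helper that names which checklist mistake produced a given signature.

```python
import hashlib

# Constructed sample values, not real credentials or a real request.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_XML = (b"<?xml version='1.0' encoding='UTF-8' standalone='no' ?>\n"
              b"<OPS_envelope><header><version>0.9</version></header>"
              b"<body></body></OPS_envelope>")

def md5_hex(data: bytes) -> str:
    # hexdigest() always returns lowercase hex, the form the page requires.
    return hashlib.md5(data).hexdigest()

def sign(xml: bytes, key: bytes) -> str:
    # Assumed scheme: MD5 over body + key, then MD5 over that hex digest + key.
    return md5_hex(md5_hex(xml + key).encode("ascii") + key)

def build_headers(xml: bytes, username: str, key: bytes) -> dict:
    # Sign the exact bytes that go on the wire; Content-Length counts the same bytes.
    return {"Content-Type": "text/xml", "X-Username": username,
            "X-Signature": sign(xml, key), "Content-Length": str(len(xml))}

def diagnose(sent_sig: str, xml: bytes, key: bytes) -> str:
    """Name the checklist mistake that would produce sent_sig for this body and key."""
    candidates = [
        ("ok", sign(xml, key)),
        ("uppercase hex", sign(xml, key).upper()),
        ("single MD5", md5_hex(xml + key)),
        ("key not concatenated", md5_hex(md5_hex(xml).encode("ascii"))),
        ("trailing NUL in body", sign(xml + b"\x00", key)),
    ]
    for label, value in candidates:
        if sent_sig == value:
            return label
    return "unknown: wrong key or different body bytes"

if __name__ == "__main__":
    print(build_headers(SAMPLE_XML, "test", SAMPLE_KEY))
    # Signature as an HTTP client that appends a NUL to the request would compute it.
    bad = sign(SAMPLE_XML + b"\x00", SAMPLE_KEY)
    print(diagnose(bad, SAMPLE_XML, SAMPLE_KEY))
```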

Invalid XML Response

Make sure you are sending the XML. The XML used in the MD5 is only for authentication purposes. You must also send the XML as part of the content header.

Further troubleshooting

If you are still having issues connecting to our API or even the web interface, please run these commands from the server/computer you are connecting from and email the output to OpenSRS support.

The XML API port is 55443

Commands to run

curl http://icanhazip.com/s/ OR wget -q -O - http://icanhazip.com/s/
ping rr-n1-tor.opensrs.net
traceroute rr-n1-tor.opensrs.net
openssl s_client -connect rr-n1-tor.opensrs.net:55443

📘

HRS customers:

Be sure to replace rr-n1-tor.opensrs.net with the API URL that was provided to you.

What we are testing for

The curl and wget commands obtain the IP address of the computer/server that you are connecting from. Depending on what is enabled on your computer/server, one of the commands should return the IP address. This step verifies that the IP address returned is the same one whitelisted in the Reseller Control Panel.

📘

HRS Customers:

Whitelisting an IP in your own HRS instance is not enough. You will also need to contact OpenSRS Support to be whitelisted in our firewall.

ping rr-n1-tor.opensrs.net
PING rr-n1-tor.opensrs.net (216.40.33.39) 56(84) bytes of data.
64 bytes from rr-n1-tor.opensrs.net (216.40.33.39): icmp_seq=1 ttl=253 time=1.38 ms

If the ping doesn't work

There is likely a problem with your network. It's highly unlikely that the OpenSRS API isn't reachable.

HRS Customers: It's possible that the external connections have not been opened and this might be firewall related. Send us a traceroute:

traceroute rr-n1-tor.opensrs.net

traceroute to rr-n1-tor.opensrs.net (216.40.33.39), 30 hops max, 60 byte packets
 1  123.125.51.1 (123.125.51.1)  0.881 ms  1.227 ms  2.712 ms
 2  123.78.201.2 (123.78.201.2)  0.784 ms  0.768 ms 100.78.201.3 (100
...
15 ... rr-n1-tor.opensrs.net (216.40.33.39)  29.723 ms  29.694 ms  29.604 ms

Are you able to connect to the API host/port?

openssl s_client -connect rr-n1-tor.opensrs.net:55443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3443 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 59AA9115520F3D10BD86BD3DF6DB4EA996FDB3851301112B349744210015BBC2
    Session-ID-ctx: 
    Master-Key: 10ECC1BC594B8DB568D006B34C3D14DDDBEEB303CA20969F9C3D2E17CD98EBDAB088EDD328D84EBA332C26D4426E0415
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1456503963
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

If you don't get the above result and instead see:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

HRS Customers: This probably means you are also not whitelisted at OpenSRS. Please provide us with the output from the test commands.

Or if you have:

connect: Connection refused
connect:errno=111

HRS Customers: This means that the port isn't open at all. Please provide us with the output from the test commands.

Try sending a simple XML command:

openssl s_client -connect rr-n1-tor.opensrs.net:55443
# Now paste the following:
POST / HTTP/1.0
Content-Length:505
Content-Type: text/xml
X-Username: test
X-Signature: c9fd4c8fde71912c63cc4ba83bbb6bc1

<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<!DOCTYPE OPS_envelope SYSTEM 'ops.dtd'>
<OPS_envelope>
<header>
    <version>0.9</version>
</header>
<body>
<data_block>
    <dt_assoc>
        <item key="protocol">XCP</item>
        <item key="action">LOOKUP</item>
        <item key="object">DOMAIN</item>
        <item key="attributes">
         <dt_assoc>
		<item key="domain">acmeinc.biz</item>
         </dt_assoc>
        </item>
    </dt_assoc>
</data_block>
</body>
</OPS_envelope>

# You may need to press Ctrl + D

If you get this response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
 <header>
  <version>0.9</version>
  </header>
 <body>
  <data_block>
   <dt_assoc>
    <item key="protocol">XCP</item>
    <item key="response_text">Connection refused: invalid ip address [123.123.119.150]</item>
    <item key="action">REPLY</item>
    <item key="response_code">555</item>
   </dt_assoc>
  </data_block>
 </body>
</OPS_envelope>read:errno=104

This means the OpenSRS/HRS API is responding to you but your IP address is not whitelisted within SRS/HRS.
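The outcomes described above can be told apart mechanically from captured `openssl s_client` output. This is an added example, not OpenSRS tooling: `parse_ops` and `triage` are hypothetical helper names, and the sample strings are constructed from the outputs shown on this page.

```python
import xml.etree.ElementTree as ET

CLOSE = "</OPS_envelope>"

def parse_ops(raw: str) -> dict:
    """Return the top-level dt_assoc items of an OPS envelope found in raw output."""
    start, end = raw.find("<OPS_envelope>"), raw.find(CLOSE)
    if start < 0 or end < start:
        return {}
    # Slice to the envelope: s_client prints text such as "read:errno=104"
    # right after the closing tag, which would make the XML parser reject it.
    root = ET.fromstring(raw[start:end + len(CLOSE)])
    assoc = root.find("./body/data_block/dt_assoc")
    if assoc is None:
        return {}
    return {i.get("key"): (i.text or "").strip() for i in assoc.findall("item")}

def triage(raw: str) -> str:
    reply = parse_ops(raw)
    # Check the API reply first: its response_text also contains "Connection refused".
    if (reply.get("response_code") == "555"
            and "invalid ip address" in reply.get("response_text", "")):
        return "API reachable, source IP not on the allow list"
    if reply:
        return "API replied with response_code " + reply.get("response_code", "?")
    if "connect:errno=111" in raw:
        return "port not open"
    # The page reads this case as probably not whitelisted at OpenSRS (HRS customers).
    if "write:errno=104" in raw and "no peer certificate available" in raw:
        return "reset during TLS handshake"
    return "unrecognized output"

# Constructed samples modelled on the outputs above (192.0.2.10 is a documentation address).
SAMPLE_555 = """<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
 <header><version>0.9</version></header>
 <body><data_block><dt_assoc>
    <item key="protocol">XCP</item>
    <item key="response_text">Connection refused: invalid ip address [192.0.2.10]</item>
    <item key="action">REPLY</item>
    <item key="response_code">555</item>
 </dt_assoc></data_block></body>
</OPS_envelope>read:errno=104"""
SAMPLE_RESET = "CONNECTED(00000003)\nwrite:errno=104\n---\nno peer certificate available\n---\n"
SAMPLE_REFUSED = "connect: Connection refused\nconnect:errno=111\n"
```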