OpenSRS API Guide: Domains and SSL

Welcome to the OpenSRS API guide. Here you will find comprehensive documentation regarding our domain and SSL services. We hope this guide will help you start working with OpenSRS as quickly as possible. If you have any questions or concerns, please do not hesitate to contact [email protected]

Get Started

Troubleshooting HTTPS Post

401 Authentication Error

  • Check that you are using the correct API Key for each system – Production or Horizon. The private keys are different in both systems and will need to be retrieved from each system individually.
  • Check that you have the correct RSP username.
  • Check that the IP address of the machine transmitting the data to the OpenSRS server is in your list of allowed IP addresses in the Reseller Web Interface.



IP changes take up to 15 mins to take affect.

If the above checks are correct, check the MD5:

  • Ensure that you have concatenated the XML content and the Private Key
  • Ensure that you have performed an MD5 twice. See the MD5 section for more information.
  • Ensure that your HTTP Post implementation is not adding any extra information. Some implementations of HTTP Post add a NULL to the end of the HTTP Request. This is reflected in the MD5 and causes an authentication error.
  • Ensure that the result is in lowercase before sending it to OpenSRS. Some MD5 algorithms put the MD5 hash in uppercase.
  • Some MD5 algorithms need to convert the string to bytes before generating the hash. Make sure this is done properly. You can test your script by performing an MD5 on the following text:
    Text: ConnecttoOpenSRSviaSSL

MD5 Result: e787cc1d1951dfec4827cede7b1a0933

Invalid XML Response

Make sure you are sending the XML. The XML used in the MD5 is only for authentication purposes. You must also send the XML as part of the content header.

Further troubleshooting

If you are still having issues connecting to our API or even the web interface, please run these commands from the server/computer you are connecting from and email the output to OpenSRS support.

The XML API port is 55443

Commands to run

curl http://icanhazip.com/s/ OR wget -q -O - http://icanhazip.com/s/
ping rr-n1-tor.opensrs.net
traceroute rr-n1-tor.opensrs.net
openssl s_client -connect rr-n1-tor.opensrs.net:55443


HRS customers:

Be sure to replace rr-n1-tor.opensrs.net with the API URL that was provided to you.

What we are testing for

The curl and the wget commands are to obtain the IP address of the computer/server that you are connecting from. Depending on what is enabled on your computer/server, one of the commands should return the IP address. This step is to verify that the IP address returned is the same one whitelisted in in the Reseller Control Panel.


HRS Customers:

Whitelisting an IP in your own HRS instance is not enough. You will also need to contact OpenSRS Support to be whitelisted in our firewall.

ping rr-n1-tor.opensrs.net
PING rr-n1-tor.opensrs.net ( 56(84) bytes of data.
64 bytes from rr-n1-tor.opensrs.net ( icmp_seq=1 ttl=253 time=1.38 ms

If the ping doesn't work

There is likely a problem with your network. It's highly unlikely that the OpenSRS API isn't reachable.

HRS Customers: It's possible that the external connections have not been opened and this might be a firewall related. Send us a trace route:

traceroute rr-n1-tor.opensrs.net
traceroute rr-n1-tor.opensrs.net

traceroute to rr-n1-tor.opensrs.net (, 30 hops max, 60 byte packets
 1 (  0.881 ms  1.227 ms  2.712 ms
 2 (  0.784 ms  0.768 ms (100
15 ... rr-n1-tor.opensrs.net (  29.723 ms  29.694 ms  29.604 ms

Are you able to connect to the API host/port ?

openssl s_client -connect rr-n1-tor.opensrs.net:55443
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=Tucows, Inc./CN=*.opensrs.net
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
No client certificate CA names sent
SSL handshake has read 3443 bytes and written 637 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 59AA9115520F3D10BD86BD3DF6DB4EA996FDB3851301112B349744210015BBC2
    Master-Key: 10ECC1BC594B8DB568D006B34C3D14DDDBEEB303CA20969F9C3D2E17CD98EBDAB088EDD328D84EBA332C26D4426E0415
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1456503963
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

If you don't get the above result, instead you have:

no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 295 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

HRS Customers: this probably means you're not whitelisted at OpenSRS also. Please provide us with the output from the test commands.

Or if you have:

connect: Connection refused

HRS Customers: This means that the port isn't open at all. Please provide us with the output from the test commands.

Try sending a simple XML command:

openssl s_client -connect rr-n1-tor.opensrs.net:55443
# Now paste the following:
Content-Type: text/xml
X-Username: test
X-Signature: c9fd4c8fde71912c63cc4ba83bbb6bc1

<?xml version='1.0' encoding='UTF-8' standalone='no' ?>
<!DOCTYPE OPS_envelope SYSTEM 'ops.dtd'>
        <item key="protocol">XCP</item>
        <item key="action">LOOKUP</item>
        <item key="object">DOMAIN</item>
        <item key="attributes">
        <item key="domain">acmeinc.biz</item>

# You may need to press Ctrl + D

If you get this response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
    <item key="protocol">XCP</item>
    <item key="response_text">Connection refused: invalid ip address []</item>
    <item key="action">REPLY</item>
    <item key="response_code">555</item>

This means the OpenSRS/HRS API is responding to you but your IP address is not whitelisted within SRS/HRS.

Updated about a year ago

Troubleshooting HTTPS Post

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.