Update SSL and Webhooks stops sending requests

Started by Steven Schmidt in API Authentication

Hi all,

I have a strange problem which I am scratching my head a bit with.

I have an application written in PHP and served up off Ubuntu/Apache.
All has been working great. I had a LetsEncrypt cert loaded and could exchange information with Xero no probs as well as Webhooks sending callbacks. All was fine.

I decided to get a 4 year Comodo cert for the domain. Created and loaded it on the website.
Again, no problems. Site shows new cert in use and working great.

Updated the APP details with the new cert. I can connect from my app to Xero no probs but Webhooks fails and doesn't even show signs in my webserver logs of trying to connect.
Deleted the APP and recreated, updated all keys etc. but get the same result.
Reloaded the new webhook key and details including double checking the URL for notifications.
Even tested the URL to make sure it was hitting the endpoint and ensuring it appeared in the logs ok.

All appears correct.
- Cert is loaded on site no probs so is valid.
- My outgoing request to Xero from my app works fine (Uses the same cert)
- The notify URL is correct.

But, when trying to process ITR, Webhook status is "Failed to respond in timely manner" but I don't see any attempts to connect in my apache logs.

Am I missing something here??

The cert is loading on the site fine and I can make outgoing calls to Xero no probs.
Is it a case of waiting for a cache somewhere to expire? (Although I have deleted the app def all together)

Any ideas would be much appreciated.

Ok, the X.509 cert does not appear to support remote identity even though the product said it does. Sorted.

FYI for anyone else.
Certificate Information should say "Ensures/Proves the identity of a remote computer".

Steven Schmidt  

Hi Steve

I have the exact same problem. However, I don't understand how you sorted it - could you spell it out?


Kevin Comer  

Hi Kevin,

Turns out basically not all X.509 certs are the same. There are a few different function variations. I basically had the wrong one.

The crux of the problem is the server and organisation need to be verified.

Cert needs to support
- Ensures the identity of a remote computer
- Proves your identity to a remote computer

Which is usually the mid-range certs from providers. I'm using Comodo certificates and originally used InstantSSL but had to move to PositiveSSL which meant I had to validate me/company as well. Wasn't that hard but still a pain.

If you right-click the lock in the URL address field that indicates the secure cert, it will show you the capabilities of the cert you have loaded.

I would put in a screenshot but the forum doesn't allow pictures so hope this makes sense.


Steven Schmidt  
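
The two dialog strings quoted above correspond to the X.509 Extended Key Usage purposes serverAuth and clientAuth, which can be read from a PEM file with openssl to confirm or rule out the certificate. This is an added example, not part of the original posts; the function names, the `webhook.example.test` subject and the throwaway sample certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. The certificate-dialog strings quoted in the thread correspond to
# these Extended Key Usage (EKU) purposes as printed by openssl:
#   "Ensures the identity of a remote computer" -> TLS Web Server Authentication
#   "Proves your identity to a remote computer" -> TLS Web Client Authentication
# To inspect a live site, save its certificate first (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 > live.pem

# Print the EKU purposes of a PEM certificate, one per line (nothing if no EKU).
cert_ekus() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; gsub(/^ +/, ""); gsub(/, */, "\n"); print }'
}

# Return 0 if the certificate lists serverAuth or carries no EKU restriction,
# 1 if EKU is present without serverAuth, 2 if the file is not a parseable certificate.
has_server_auth() {
    local ekus
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    ekus=$(cert_ekus "$1")
    [ -z "$ekus" ] && return 0
    printf '%s\n' "$ekus" | grep -qx 'TLS Web Server Authentication'
}

# Build a throwaway self-signed certificate with the given EKU list
# (constructed sample input; needs OpenSSL 1.1.1 or later for -addext).
make_sample_cert() {   # usage: make_sample_cert OUT.pem EKU_LIST
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=webhook.example.test" \
        -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
}

demo() {
    local tmp f
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/server.pem" "serverAuth,clientAuth"
    make_sample_cert "$tmp/client.pem" "clientAuth"
    for f in "$tmp/server.pem" "$tmp/client.pem"; do
        if has_server_auth "$f"; then echo "${f##*/}: usable for a TLS server"
        else echo "${f##*/}: NOT usable for a TLS server"; fi
        cert_ekus "$f" | sed 's/^/    /'
    done
    rm -rf "$tmp"
}
demo
```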

Thanks, turns out there was nothing wrong with the certificate. The Webhook posts were failing 419 (CSRF), I had turned off the wrong URL. All good now.

Kevin Comer