SHA2 Migration: help thread

Started by Ronan Quirke (Community Manager) -   in API Authentication

We recently announced details of our migration plans to SHA2 SSL certificates on the API websites.

If you have tried the test URLs for SHA2 type certs and have encountered issues you need assistance on, please ask below.

It is helpful if you provide some details like:
  • Programming language you are using
  • Operating system
  • The name of any SDK / wrapper library you are using
  • Details of any errors you are encountering


More in-depth guidance on specific languages

(we will add to this as we get them for different languages)

Hi,

As per XERO suggestions on https://developer.xero.com/sha2-ssl-cert-migration-advisory-notice/?utm_source=Xero&utm_medium=edm&utm_campaign=terms-migration&utm_term=dev-email1&mkt_tok=3RkMMJWWfF9wsRonvKzKZKXonjHpfsX87uguUaC2lMI%2F0ER3fOvrPUfGjI4CTcthI%2BSLDwEYGJlv6SgFS7DMMbJz3rgMWhI%3D , I changed the URL to https://sha2-api-partner.network.xero.com/oauth/RequestToken which I use for user authorization/login to XERO and token creation for my app.

I received the error on browser as "HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes."

I am using C#/.NET on Windows 7 (local development) and Server 2008 (for Production) for my app integration with XERO. Can you suggest the steps to follow to resolve this issue?

Also, do I need to renew my OpenSSL or Entrust certification?
The XERO library which I use has the code like

"SignatureMethod = SignatureMethod.RsaSha1,"

Do I need to apply some other Signature method though only enumeration options available are HmacSha1 = "HMAC-SHA1";PlainText = "PLAINTEXT"; RsaSha1 = "RSA-SHA1" ?

Please guide me more on this and where I can find the new XERO code library (if I need to make changes).

Please suggest.

Thanks for your help in advance.
 

Mark Lazarus  

Hi @Mark

If you are using the Xero-Net library, you should have an App.config file similar to this one.

If you change the URL values there and run your code, you should then see it in action.
To clarify, the only place you need to change anything is those URLs. Signature methods, OpenSSL and Entrust certs all remain unchanged.

Let us know how you get on.
 

Ronan Quirke (Community Manager)  

Hi There

I am getting the same drama as Mark. We are on the partner scheme, I have swapped out the URLs and get a 403.7 forbidden.

We are using PHP with the OAuthSimple.php script

Chris...
 

Chris Maffey  

@Chris - it sounds like you haven't just added 'sha2-' to the start of all the urls but have changed the value of the 'authorize_url' parameter incorrectly. It should be:
'authorize_url' => 'https://sha2-api.xero.com/oauth/Authorize'

I've added examples for both types of applications here.

Let me know if that doesn't help....
 

Ronan Quirke (Community Manager)  

I am still not able to figure this out. I am using the old XERO library downloaded from XERO about 2 years back (not the MVC demo apps mentioned on the link above) and I believe I replaced all URLs properly. Still figuring this out with no luck so far.

Can you suggest more on migration part? Which type of migration is this? Does this relate to certificates or with the algorithms/encryption keys only? Please suggest.

Thanks,
Mark
 

Mark Lazarus  

Hi Ronan

Thanks heaps. I had cocked up and put a partner URL in the authorise URL bit. Works now, here is my code in case it's helpful to others:

Commented out bit is existing settings, the other bit is the temporary sha2 settings

/*
static $xero_defaults = array('xero_url' => 'https://api-partner.network.xero.com/api.xro/2.0',
'site' => 'https://api-partner.network.xero.com',
'authorize_url' => 'https://api.xero.com/oauth/Authorize',
'accesstoken_url' => 'https://api-partner.xero.com/oauth/AccessToken',
'signature_method' => 'RSA-SHA1');
*/


static $xero_defaults = array('xero_url' => 'https://sha2-api-partner.network.xero.com/api.xro/2.0',
'site' => 'https://sha2-api-partner.network.xero.com',
'authorize_url' => 'https://sha2-api.xero.com/oauth/Authorize',
'accesstoken_url' => 'https://sha2-api-partner.network.xero.com/oauth/AccessToken',
'signature_method' => 'RSA-SHA1');
 

Chris Maffey  

I figured this out at my end now and able to connect to https://sha2-api.xero.com/oauth/Authorize

@Ronan, I am able to connect with the API now, though if I make a request to https://sha2-api-partner.network.xero.com/Organisation I receive an HTML response, not the XML. I believe this is because https://sha2-api-partner.network.xero.com/ is only for test and not fully operational, and the issue will be resolved as soon as the new XERO API comes into existence? Please confirm.

Thanks again for your help. @Chris, you too.
 

Mark Lazarus  

I'm seeing something odd when I inspect the certificate on sha2-api.xero.com. The output from this:

echo "GET /" | openssl s_client -debug -connect sha2-api.xero.com:443 > /tmp/cert

...shows me an AES128-SHA certificate, not a SHA2 certificate. What's up with that?

Gist of the output: https://gist.github.com/fimmtiu/930615a9be5f89cb3ece
 

Dennis Taylor  

@Mark - glad you are almost there! If you are getting as far as you are, then the SSL connectivity is OK. The site should be fully functional, but the fact you have made a successful connection is validation enough.

@Dennis hmm, I'm not an expert, but I think that is the cipher rather than the cert.

Checking on a few sites, it looks good:
http://sha1affected.com/results?server=sha2-api.xero.com
https://www.ssllabs.com/ssltest/analyze.html?d=sha2-api.xero.com&hideResults=on

Note we do have work still to do to enable TLSv1.2 on the sites next week also - not sure if that affects what you are seeing.
 

Ronan Quirke (Community Manager)  
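Ronan's distinction above is the one worth checking mechanically: a cipher suite name like AES128-SHA describes the bulk cipher and record MAC of the TLS session, while the SHA1-versus-SHA2 question is about the signatureAlgorithm field of the server certificate. The script below is an added example, not code from this thread or from Xero: it walks the outer DER of a certificate to read that field and reports it next to the negotiated cipher suite. check_host needs network access; the SAMPLE_* values are constructed DER fixtures with an empty tbsCertificate, not real certificates.

```python
import socket
import ssl
import sys

# Signature-algorithm OIDs relevant to a SHA-1 -> SHA-2 certificate migration.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(data):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Extract the OID from Certificate.signatureAlgorithm (the outer field)."""
    _, body, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, _, after_tbs = _read_tlv(der, body)      # skip tbsCertificate
    _, alg_body, _ = _read_tlv(der, after_tbs)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def describe_cert(der):
    """Name the signing algorithm and flag SHA-1 signed certificates."""
    oid = cert_signature_oid(der)
    return {"signature_algorithm": SIG_ALG_OIDS.get(oid, oid),
            "sha1_signed": oid in SHA1_OIDS}

def check_host(host, port=443):
    """Connect with default verification; report cert signature next to cipher."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = describe_cert(tls.getpeercert(binary_form=True))
            info["cipher_suite"] = tls.cipher()[0]  # e.g. AES128-SHA: MAC, not cert
    return info

def _tlv(tag, body):
    """Minimal DER encoder for the constructed fixtures (short-form lengths only)."""
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex):
    """Constructed fixture, not a real certificate: empty tbsCertificate, chosen alg."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00\xff"))

SAMPLE_SHA1 = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256 = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption

if __name__ == "__main__":
    print(check_host(sys.argv[1]) if len(sys.argv) > 1 else describe_cert(SAMPLE_SHA256))
```

Run it with a hostname argument to see the live certificate's signature algorithm beside the cipher suite; the DER walker copes with the long-form lengths of real certificates, not just the fixtures.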

Hi @Ronan,

Thanks for the confirmation on API functionality. All the issues are sorted at my side now and I am able to retrieve data from current live API and from "Sha-" api both in normal procedural way.

Thanks to others as well.

 

Mark Lazarus  

Hi,
we are on the partner scheme. As per the cert migration advisory notice, we tried changing the following in the xeroizer library
https://github.com/waynerobinson/xeroizer/blob/master/lib/xeroizer/partner_application.rb
(lines 21 to 26) from
default_options = {
:xero_url => 'https://api-partner.network.xero.com/api.xro/2.0',
:site => 'https://api-partner.network.xero.com',
:authorize_url => 'https://api.xero.com/oauth/Authorize',
:signature_method => 'RSA-SHA1'
}

to

default_options = {
:xero_url => 'https://sha2-api-partner.network.xero.com/api.xro/2.0',
:site => 'https://sha2-api-partner.network.xero.com',
:authorize_url => 'https://sha2-api.xero.com/oauth/Authorize',
:signature_method => 'HMAC-SHA2'
}

And when we tried our already working API calls we were getting this error.
OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:

Our system specification:
Programming language: Ruby.
OS: OS X Yosemite.
SDK/library: Xeroizer gem.


Thanks,
Balaji.
 

Balaji RK  

Hi,
I changed the URLs in my application to use SHA2 SSL certificates, and it worked perfectly.
I have a couple of doubts:
1. Does it affect the users who are already connected to Xero? Will they be disconnected? I read in the migration notice that they might get disconnected.
2. Also it's mentioned that the SHA2 URLs (https://developer.xero.com/sha2-ssl-cert-migration-advisory-notice/#test) will be retired in April 2016. Does that mean the SHA2 URLs will change after that?
3. Is there any other process that we need to follow apart from just swapping the URLs?


Thanks
Chethan K
 

Chethan K  

If you're using xeroizer, you need to update the ca-certificates.crt file which comes bundled in the xeroizer library. There's a pull request open for it already; go there and add a comment if you'd like to see it merged.

https://github.com/waynerobinson/xeroizer/pull/258
 

Dennis Taylor  

Hi Dennis,
I am using PHP library for working with the Xero OAuth API.
 

Chethan K  

@Dennis- Many thanks for the speedy response.
Is updating the ca-certificates.crt the only thing we need to do for the SHA2 migration, or do we need to change all api-partner.xero URLs to sha2-api-partner.xero?

Thanks,
Balaji
 

Balaji RK  

As I understand it, the sha2-api.xero.com URLs are just for testing the SHA2 stuff. Updating the xeroizer certificates file should be all you need to do -- but it wouldn't hurt to test it against one of the sha2 hosts to be safe.
 

Dennis Taylor  

@Dennis- Thank you very much.
 

Balaji RK  

Using PHP and XeroOAuth on a Ubuntu server (14.04)

Working fine with SHA1, changed the URLs in our private application, getting a 401 response-

oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature

I've only changed the urls as advised, keep getting this message. Where do I go from here?
 

Joseph Brandon  

It appears that my problem is unrelated to the sha2 urls, but something to do with the development server. I will reply again if there are still problems.
 

Joseph Brandon  

Hi,

having some issues with an internal site that we are testing on before we test on some of our live sites. Currently using PHP with the Xero Oauth class, version May 2012. Have tried swapping the ENDPOINT const to the new sha2 test url, but when trying to process a request, we are just getting this as a result to the $xero->Invoices() call:

string(5) "
"

Should I be looking anywhere else to change this?
 

Owen Hardman  

@Joseph - yes, if you are getting as far as the server itself, even an OAuth error, that means you are at least communicating, which is the main thing to check for SHA2 readiness.

@Owen - it has been a long time since I took a look at the PHP-Xero library, but yes, swapping out the ENDPOINT constant should be all you need to do. It worked OK for me. I recommend you check your PHP error logs for more detail, you could have a problem.
 

Ronan Quirke (Community Manager)  

Thanks Ronan, that message was from one of our developers who is out today, will get him to follow up when he's back in the office if he needs any further.
 

Owen Hardman  

Hi,
We've just tested SHA2. Using
- Node with Express
- Ubuntu running on Heroku
- the wrapper library is Request

We've changed the URLs to use the SHA2 URLs. But, we've left the library to use the SHA1 settings. Thus,
{ request: ...
{ uri: 'https://sha2-api-partner.network.xero.com/api.xro/2.0/Users?where=xxx',
method: 'GET',
headers:
{ 'User-Agent': 'Tripcatcher partner',
...
oauth_signature_method="RSA-SHA1",
...} } }
We're passing an oauth_signature_method of RSA-SHA1, so I was expecting it to fail. The response from Xero is a 200 and it all works. Would you expect it to fail? Or am I missing something?

thanks
Ken
 

Ken Whipday  

Hi,
I am using xeroizer partner application and I updated the ca-certificates.crt file which comes bundled in the xeroizer library. It's working the same as before.

But when I changed the api urls to sha2-api urls and tried the same, I am still getting the error.

OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:

what should I do?

Thanks,
Balaji
 

Balaji RK  

Have just tried the change-over to the new API by changing the URL.
As I expected, this does break the system :-(
We use a development tool called Clarion and therefore don't use any of your standard libraries.
Questions:
1) Do we need new privatekey.pem?
2) What is the minimum version of OPENSSL.EXE that is required?
3) We call OPENSSL.EXE with "dgst -sha1 -sign" parameters. Does this need changing?
4) Will the URL called still have "oauth_signature_method=RSA-SHA1"?

Anything else you need to know? Look forward to your assistance!

Regards, Marcel
 

Darryn Crothall  

@Ken, great to hear that the switchover worked for you, by leaving your oauth_signature_method as RSA-SHA1 we wouldn’t have expected it to fail, the change to SHA2 is only for the Entrust client SSL certificate, there is no change for the signing process.
 

James Coleman (Community Manager)  

@James,
Thanks for clarifying that.
cheers
Ken
 

Ken Whipday  

Hi,
We have made the changes to test the SHA2 but have the following issues:
1. Seems to work but then gets Curl error: Could not resolve host: sha2-api.xero.comapi.xro. We assumed that the test URLs should be fully functional?

2. Just to confirm, the signature Method remains unchanged (RSA-SHA1) ?

Thanks
Brett
 

Developer DotPerformance  

We are using the old XeroApi .Net Wrapper from March 2014. With that assembly, we have never had any entries in web.config specifying the base url. We always assumed that the urls were hard-coded in the assembly. When using the old wrapper, how do we set the urls to the sha2 test end points?
 

CoConstruct Developer  

Hi,

Our partner application is able to connect to the sha1 endpoints, but when I switch to the sha2 endpoint (more specifically, https://sha2-api-partner.network.xero.com/oauth/RequestToken) I get an SSLHandshakeException (unable to find valid certification path to requested target). What am I missing?

 

Adrian F  

@Brett

The test URLs are fully functional and I was getting 200s from it. Please make sure you have the correct URL. It looks like you might be using the PHP wrapper. Have you seen this?

The oauth_signature_method should remain the same. Please see James' response from the 22 December.

Thanks Phil
 

Phil Alsford (Xero Staff)  

@Michael Kittel

We have started a new discussion here specifically for users of the old .Net wrapper Nuget
 

Matthew Mortimer (Xero Staff)  

Hi,
I am using xeroizer gem and we are on partner application scheme and I updated the ca-certificates.crt file which comes bundled in the xeroizer library. All API calls working the same as before when I use the OLD API endpoints.

But when I changed the api urls to sha2-api-partner and sha2-api urls and tried the same, I am getting this error.

OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed:

Any Solutions?

Our system specification:
Programming language: Ruby.
OS: OS X Yosemite version - 10.10.5 (14F1021).
SDK/library: Xeroizer gem.


This is a screen shot of the xero_client object I built: https://drive.google.com/file/d/0B6QqPlEaCUkQVzJON1lucjFmUFU/view?pref=2&pli=1

Thanks in advance,
Balaji
 

Balaji RK  

Hi,

Can you please confirm that the SHA1 to SHA2 change has been implemented two days ahead of schedule. My customer is advising of business impact and expects I'll be able to resolve it after business hours.

Cheers,

Jamie Nicholson
 

Jamie Nicholson  

Hi. I get a 401 error when I try either of the following endpoints for our private application:

https://sha2-api.xero.com/
https://sha2-api.xero.com/api.xro/2.0/

Is this expected?

Our application uses Scala with the com.connectifier.xero.XeroClient class.

Scala v2.11.7
Play 2.3.9
JRE 1.8.0_51

Thanks,

Nick
 

Nick Jacobs  

Hey Nick,
Are you including any specific Endpoints on the end of those urls or are you just calling those urls directly?
Cheers,
Matt
 

Matthew Mortimer (Xero Staff)  

For example I tried https://sha2-api.xero.com/Organisation and I got a 401.
 

Nick Jacobs  

Hi, for what it's worth - this migration solves an issue Debian users will hit - the old sha1 certificate is considered invalid by newer openssl versions as it's not secure. Being able to point my application at the new urls has solved a certificate invalid error I started hitting a week or two ago.

 

Damian Dimmich  

And you also received a 401 on https://sha2-api.xero.com/api.xro/2.0/organisation?

Were you still supplying the correct OAuth authentication?
 

Matthew Mortimer (Xero Staff)  

However Nick, as your calls were reaching Xero's api and failing on our servers with oauth issues, your application would have made it past any blockers caused by uncooperative sha2 certs and I expect you won't see any issues with the switchover.

Cheers,
Matt
 

Matthew Mortimer (Xero Staff)  

Hi Matt. Once I added "/api-xro/2.0/", it worked. Thanks!
 

Nick Jacobs  

@Balaji this looks like it might be an issue with your system or setup rather than the Ruby wrapper. Have you tried a few of the responses from here?

http://stackoverflow.com/questions/4528101/ssl-connect-returned-1-errno-0-state-sslv3-read-server-certificate-b-certificat

Hope this helps
Phil - API Team
 

Phil Alsford (Xero Staff)  

Hi
Can I know at which exact time Xero is updating the live servers,
so we can plan our release accordingly?
Thanks
 

Asim Ali  

Hi @Asim.

The best solution would be to make sure your application and environment are able to handle the SHA1 and SHA2 certificates.

Make sure you have tested using the TEMPORARY SHA2 URLs.

If your application and environment can handle both SHA1 and SHA2 then there should not be an issue when we make the change.

Hope this helps
Phil - API Team
 

Phil Alsford (Xero Staff)  

Thanks Phil
 

Asim Ali  

I tested my code after pointing to the sha2 urls,
$this->_xero_defaults = array (
'xero_url' => 'https://sha2-api-partner.network.xero.com/',
'site' => 'https://sha2-api-partner.network.xero.com',
'authorize_url' => 'https://sha2-api.xero.com/oauth/Authorize',
'signature_method' => 'RSA-SHA1'
);
and I was able to connect to Xero and get requests.
A few assumptions:
1. Can I assume SHA2 only accepts SHA2?
2. If my library fails to connect to SHA2, does it mean I have to change the library or certificates? That was not the case, as I used the standard Xero provided library.
3. After reading the thread I think all I need to check is whether my current setup supports SHA2, and if it does I don't need to make any modification in my code or keys and I am both SHA1 and SHA2 compliant.
Please confirm.

 

Asim Ali  

Hi Asim.

If all you did was swap the URLs to a SHA2 URL and successfully make a GET then that's it.

Our temporary SHA2 URL only presents a SHA2 SSL cert and was set up for testing.

So from what you have said it sounds like you are SHA2 ready and nothing else is required.

Let me know if you have any other questions.

Thanks Phil
API - Team
 

Phil Alsford (Xero Staff)  

Thanks Phil
 

Asim Ali  

Thanks Phil. Just tested using a simple authentication and a GET(contact) request. Seems to be working fine.
 

Cherryl Bantilan  

Hi everyone,

Starting from today, my application can no longer post correctly to XERO. I always received the following:

Error Detail: I/O Exception: peer not authenticated.
Mimetype: Unable to determine MIME type of file.

I use ColdFusion XERO interface and everything was working fine until today.

However, in my local machine, where the application is not on a secured server, it still works fine.

My deployed application that makes the cfhttp calls is on a secure server (https). Can anyone give me any help as to what I can do to get around this issue?

Thanks,

Ivan.

 

Christopher Eslick  

Hi Ivan

Are you able to check the differences between your local machine and your server. Is it the same OS etc?

My knowledge of Coldfusion is non-existent, so the amount of support I can offer may be limited.

Did your testing before today's change go successfully?

Thanks Phil - API Team
 

Phil Alsford (Xero Staff)  

Hi Phil,

The OS on my local machine has been updated to Windows 10 and I use the CF9 development built-in server.
In the production environment, I use IIS7 (Windows may be slightly older).
The only difference I can think of is that on my local machine my test application (that posts to XERO) is deployed on an http server (unsecured), whereas in the prod environment it's deployed in a secured server environment (https).

Any clue as to why it may be the case?

I even tested posting from my production environment to my test XERO account (i.e. we use the same certificate file loaded to my test account in XERO) but it fails (whereas it works if I run the copy of the production locally and post an invoice to my test XERO account).

Thanks for your help,

Ivan.
 

Christopher Eslick  

Hi Ivan

It looks like your production environment is not set up to handle the SHA2 SSL cert that is now presented by the API.

This PR into the Ruby wrapper may offer some help. https://github.com/waynerobinson/xeroizer/pull/283

Thanks Phil
API - Team
 

Phil Alsford (Xero Staff)  

Hi everyone, nightmare scenario for me by the looks.

I have just taken over development of an app that posts to Xero and it has just started giving the error "oauth_problem=token_rejected&oauth_problem_advice=The%20access%20token%20has%20not%20been%20authorized%2C%20or%20has%20been%20revoked%20by%20the%20user"

I am afraid I don't really understand the concepts like you guys and am unsure where to start. First question that would be really helpful I guess is given that this started happening 3pm today, is this message likely to be to do with this SSL Cert Migration? If so are we saying I need to generate a new certificate?

We are using nuget Xero.API.SDK.Minimal v 2.0.19.

Any assistance for an authentication newbie would be greatly appreciated!

regards,
Paul.
 

Paul Ritchie  

Hey Paul,

The issue you are seeing will not be as a result of the SHA2 SSL upgrade. This page in our docs has some information for your issue that will hopefully be a good starting point. The example at the top of that page sounds like the issue you are having.

Cheers,
Matt
 

Matthew Mortimer (Xero Staff)  

Hi Phil,

I'm still unable to solve the issue so my customers are still unable to export to xero :(
Network sniffing shows that this is the response that I get.

Body
ErrorDetail  String  I/O Exception: peer not authenticated
Mimetype     String  Unable to determine MIME type of file.
Statuscode   String  Connection Failure. Status code unavailable.
Filecontent  String  Connection Failure

Any clue as to what I should fix?

Thanks

Ivan.
 

Christopher Eslick  

Hi Ivan

Would doing something like this help: http://www.experts-exchange.com/questions/27665589/CFHTTP-I-O-Exception-peer-not-authenticated.html

Did the link to the PR into the Ruby wrapper give you any clues around importing certs?
 

Phil Alsford (Xero Staff)  

Hi Phil,

Thanks for your response.
I guess it has something to do with importing the certificates into my CF9.
What certificates do I need to import for this update?
Do you know?

Cheers,
Ivan.
 

Christopher Eslick  

Hi Ivan

Have you tried importing the cert mentioned in the PR linked above?
 

Phil Alsford (Xero Staff)  

Hi Phil,

Yes, I have just imported the first certificate ("entrust_g2_ca.cer") from https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ into my CF9 and I still get the same error.
What's the certificate that I need to import to enable the communication (so that the "I/O Exception: peer not authenticated" goes away)?

Cheers,
Ivan.

 

Christopher Eslick  

Hi Matt,

Thanks for your help. Turns out someone else changed the rights of the user under which the Consumer Key and Secret were created, thereby invalidating those values. Sure enough when I looked under the OAuth Credentials for the application they were empty with the message: "This application has been de-authorised. Please re-generate the key and secret to authorise the application.".

I did this and all is working again. Hopefully this helps someone else.

regards,
Paul.
 

Paul Ritchie  

Hi,

just recently, https://sha2-api.xero.com is not accessible.

regards,
db
 

Dale Barraca  

Yes, https://sha2-api.xero.com is not accessible. Is it conceptional? Where can I find info about it?
 

Aron Budinszky  

Hey Dale, Aron,

The sha2 migration was completed a little while ago, and so those temporary URLs have been decommissioned.

If your connection works against the Xero API now, then you will be good to go.

Cheers,
Matt
 

Matthew Mortimer (Xero Staff)  

Thanks Matt, appreciate it.

Cheers
 

Dale Barraca