Xero Developer Community

SSL certificate validation issues

Started by Ronan Quirke (Community Manager) - in API Authentication

We have recently been made aware of some issues relating to validation of the SSL certificates presented by the Xero API.

We have provided a detailed explanation of this issue, and this thread is open for anyone to ask questions and share knowledge that might be useful for other developers.
How about private applications? Any instructions on how to resolve issues with those?
 

Simon Coulton  

The instructions post will work with all types of applications. The important aspect is not the type of application (private, public or partner), but the underlying programming language or operating system.

Any info you have on the exact error and what language & system it is running on will help.
 

Ronan Quirke (Community Manager)  

Replied via email, the forum won't let me post any source code for some reason.
 

Simon Coulton  

Any chance Xeroizer would have this issue and that it's been an issue since mid Feb?

I'm a newbie trying to get a small test public app up but getting 403's when hitting the authorize address with an oauth token since about mid-Feb.

Have logged an issue in Xeroizer github to confirm, but if anyone can confirm/deny this would be an issue it might save me some grey hairs.

Edit: Def not Xeroizer, was my own code; so please ignore ;)
 

Liam Smith  

After some investigation over the weekend, upgrading requests to 2.5.3 seems to resolve the issue. See modifications in the changelog here: https://github.com/kennethreitz/requests/blob/master/HISTORY.rst#253-2015-02-24
 

Simon Coulton  

This is now happening on Heroku, where updating OpenSSL with an extra root cert may be rather involved.

Is there a way to provide an alternative SSL endpoint with a SHA2-signed server cert chain?
 

Dimitris Kogias  

@Dimitris - you should not have to update OpenSSL itself - it generally has an option for a custom ca file which you can reference off your own repository codebase without having to do anything too involved, though I am not familiar with how heroku works in this regard.

We are looking at setting up a new domain name with the API running on it and a sha2 cert on it, but this will take at least a week or more to arrange so could not be relied on for an immediate solution.

What language are you running on Heroku?
 

Ronan Quirke (Community Manager)  

@Ronan, in this case it's the oauth gem inside a Rails app.
 

Dimitris Kogias  

@Ronan: Deployed a kludgey workaround. I'll watch this thread for the new endpoint.
 

Dimitris Kogias  

@Ronan, @Dimitris:

We are having exactly the same problem with our app hosted on Heroku (OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed). We are using the following gems:

gem 'omniauth', '~> 1.2.2'
gem 'omniauth-xero', '~> 1.0.0'

Just wondering, before the new endpoint is released, what's the short-term solution to this?

Thanks a lot!

 

Li-Tung (Soloman) Weng  

@Li-Tung: See this thread: https://github.com/intridea/omniauth/issues/404

I ended up doing something similar, but with the oauth gem, passing the Entrust cert chain referenced here:

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

to the consumer constructor.
 

Dimitris Kogias  

Any updates? April 11th. I'm setting up a new app and getting the same error. The Devise Oauth wiki solution doesn't work; neither does using the Certified Gem. We're a ROR site hosted on Heroku.
 

Doug Harman  

@Doug Harman, we have applied the ca-bundle.crt included in https://github.com/XeroAPI/XeroOAuth-PHP to our omniauth config. The solution works for our rails app on Heroku.
 

Li-Tung (Soloman) Weng  

@Li-Tung (Soloman) Weng - Thank you for responding. I'm just now returning to this. How did you apply the ca-bundle.crt from XeroAPI/XeroOAuth-PHP to your omniauth config? Did you modify the gem? Add to the Heroku SSL certs? Or reference in the omniauth initializer? Thanks, Doug
 

Doug Harman  

@Doug Harman, so what we have done is include the certs file in config/certs/ca-bundle.crt, and then include client_options -> ca_file in the omniauth initializer for the Xero provider. Sorry, I can't really paste Ruby code in this web form, it doesn't let me do it....
 

Li-Tung (Soloman) Weng  

@Doug Harman:

client_options: { ca_file: <ca-bundle.crt> }
 

Li-Tung (Soloman) Weng  

@Li-Tung (Soloman) Weng Got it. Thank you, Doug
 

Doug Harman  
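The ca_file fix that Li-Tung and Dimitris describe above, as an added example. This is not code from the thread, from Xero, or from the oauth/omniauth gems; it builds a throwaway SHA-256-signed chain in memory (every CA name, hostname and certificate is constructed test data, and the real Xero/Entrust chain differs), reproduces the "certificate verify failed" condition from the logs posted above, and then shows why a bundle containing the right root makes it pass. It also reads the certificate's own signature algorithm, which is the SHA-2 property the thread is about and is separate from the OAuth request-signing method.

```ruby
require 'openssl'
require 'tempfile'

# Added example, not code from the thread, from Xero or from the oauth /
# omniauth gems. It builds a throwaway SHA-256-signed chain in memory and
# reproduces the "certificate verify failed" condition from the thread, then
# the ca_file fix. Every CA name and hostname below is constructed test data.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue one X.509 certificate. issuer_cert nil => self-signed root.
def build_cert(subject:, key:, issuer_cert:, issuer_key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:api.example.test', false))
  end
  # SHA-2 signature: the property of the new chain that old clients choked on.
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root -> intermediate -> leaf, the usual shape of a public chain: the server
# sends leaf + intermediate, and the client has to trust the root already.
def build_chain
  root_key = make_key
  root = build_cert(subject: '/CN=Test Root G2', key: root_key,
                    issuer_cert: nil, issuer_key: root_key, ca: true, serial: 1)
  int_key = make_key
  intermediate = build_cert(subject: '/CN=Test Issuing CA L1', key: int_key,
                            issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf_key = make_key
  leaf = build_cert(subject: '/CN=api.example.test', key: leaf_key,
                    issuer_cert: intermediate, issuer_key: int_key, ca: false, serial: 3)
  { root: root, intermediate: intermediate, leaf: leaf }
end

# Write a PEM bundle (certificates concatenated) to disk, the same format as a
# ca-bundle.crt file. The returned path is what goes into ca_file.
def write_bundle(certs)
  f = Tempfile.create(['ca-bundle', '.crt'])
  f.write(certs.map(&:to_pem).join)
  f.close
  f.path
end

# What Net::HTTP does once ca_file is set: load the bundle into a trust store
# and verify the server's leaf, using the intermediates the server sent to
# build the path. Returns [ok, openssl_error_string_or_nil].
def verify_against_bundle(leaf, sent_intermediates, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  ok = store.verify(leaf, sent_intermediates)
  [ok, ok ? nil : store.error_string]
end

def demo
  chain = build_chain
  old_key = make_key
  old_root = build_cert(subject: '/CN=Old Test Root', key: old_key,
                        issuer_cert: nil, issuer_key: old_key, ca: true, serial: 9)

  stale = write_bundle([old_root])               # bundle that predates the new root
  fixed = write_bundle([old_root, chain[:root]]) # bundle with the root the server chains to

  {
    # Hash used to sign the server cert; unrelated to the OAuth signature method.
    signature_algorithm: chain[:leaf].signature_algorithm,
    stale: verify_against_bundle(chain[:leaf], [chain[:intermediate]], stale),
    fixed: verify_against_bundle(chain[:leaf], [chain[:intermediate]], fixed),
    # Even a correct bundle cannot help if the server omits the intermediate.
    fixed_no_intermediate: verify_against_bundle(chain[:leaf], [], fixed)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The path returned by write_bundle is the value to hand to the library: with the oauth gem, OAuth::Consumer.new(key, secret, site: ..., ca_file: path); with omniauth-xero, client_options: { ca_file: path } as in the initializer above. In both cases verify_mode stays at OpenSSL::SSL::VERIFY_PEER; setting it to VERIFY_NONE also makes the error go away, but it turns off certificate checking entirely and is not a fix. Before changing anything, `openssl s_client -connect api.xero.com:443 -showcerts` followed by `openssl x509 -noout -text` on each PEM block it prints shows the issuer chain and the Signature Algorithm the server actually presents, which tells you which root the bundle needs to contain.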

Hi Ronan,
Does C# Xero-Net or XeroAPI.Net library support SHA2?
 

Tung Nguyen  

@Tung - it should do, but SHA2 is not related to the code samples themselves but to the operating system and what libraries it has to communicate over SSL. In the case of the Windows OS, if it can run the Xero-Net SDK, it should not have an issue communicating over SSL SHA2.
 

Ronan Quirke (Community Manager)  

Thanks Ronan. Currently, we are using the XeroApi.NET SDK. When I looked at the source code, for Signature Method, there is no RSA-SHA2.

public static class SignatureMethod
{
    public const string HmacSha1 = "HMAC-SHA1";
    public const string PlainText = "PLAINTEXT";
    public const string RsaSha1 = "RSA-SHA1";
}

So it looks like this SDK does not support RSA-SHA2?
 

Tung Nguyen  

@Tung - you have misunderstood what this refers to. This is in relation to communications over SSL to our servers - it does not relate to the signing methods in the code itself, which relates to OAuth. I appreciate this is a little confusing.

The fact that the XeroAPI.Net SDK does not have such a signing method is not an indication of an issue.

I recommend waiting for us to publish the test URLs (which we will be sending an email about also), and then check if everything works ok (it most likely will).
 

Ronan Quirke (Community Manager)  

Thanks Ronan! I would wait for that.
 

Tung Nguyen  

We’re approaching launch of bastute.com and discovered that Xero SSO isn’t working. SSO was working - in early May - following the advice of Li-Tung (Soloman) Weng in the Community (see post of April 30th, above).

Since then, our Xero trial expired. Does that make a difference?
Or is this related to the ongoing SHA issue? We are using https on the site and sub-domain.

Here are the errors...

In the browser, a flash message:
Could not authenticate you from Xero because "Service unavailable".


In the logs:
ERROR -- omniauth: (xero) Authentication failure! service_unavailable: OpenSSL::SSL::SSLError, SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
 

Doug Harman