I am trying to set up webhooks for Stripe. The webhook connects to https://authdomain.subd.com which then forwards the request (after adding a validation token) to http://www.workdomain.com
Both these urls are hosted on the same server.
Payment Intents generated from http://www.workdomain.com successfully go into Stripe.
(Update: I can also query run successful Stripe commands like \Stripe\Charge::all() from authdomain, which verifies that TLS 1.2 supported)
However the webhook returns a TLS error when trying to connect to https://authdomain.subd.com.
I have whitelisted Stripe's IP as listed here enter link description here
This process is working fine when I test it locally using a CLI, so I know I don't have to install Stripe on my auth layer project.
But for some reason when I try this on my live server it doesn't work on my live server.
Is there any reason this is happening?
Thanks for the help
This can be caused by any number of things, but the most common is an incomplete certificate chain. I'd recommend using Qualys' SSL Labs tool to check your server's TLS configuration. For example, to check the domain you shared:
https://www.ssllabs.com/ssltest/analyze.html?d=https://authdomain.subd.com&hideResults=on
If any of the intermediate chain certificates are marked as "missing" in this report, it can cause Stripe to refuse to connect to your webhook (as Stripe can't tie your TLS certificate back to a known global CA). Usually the fix is to download any missing certificates (the tool tells you which one) and add them to your production TLS configuration / bundle. You may need the help of your hosting company to configure this.
To test your repair, re-run the SSL Labs check after deploying the new certificate bundle and see if it's now resolved. Beyond that, if the problems persist I'd recommend writing Stripe support!
Related
I am working on some 3rd party integration project.
Created RootCA and SubCA from their official documentation website and after importing in windows server, we created key using openssl and got signed certificate from 3rd party integration Support team
We have configured in ldp.exe client and it got connected and fetched the dataset.
Now we are implementing in PHP code level.
We have:
IIS server 10
PHP 7.2
PHP Code is working in IIS
Added ldap.conf file created c:/openldap/sysconf/ldap.conf
TLS_REQCERT allow
#TLS_CACERT c:\openldap\sysconf\RootCaSha1.der
TLS_CACERT c:\openldap\sysconf\SubCaSha1.der
#TLS_CACERTDIR c:\openldap\sysconf
We have tried various paths and noted all evidence via wireshark tool
It says TLSv1.2 Alert (Level: Fatal, Description: Handshake Failure) so it means some certificate in ldap.conf are not as per requirement.
Looking forward to help in this regard so we can get connect.
Thanks in advance
As far as I know, the TLS handshake failure error commonly occurred when the server’s certificate is configured improperly. this should be configured on the IIS server-side. Please check the below items.
The account running the website is supposed to own the right of accessing the private key of the certificate. Firstly import the certificate to the Local machine Certification Store, under the property page of the certificate, grant the account access to the private key of the certificate.
Subsequently, we specify the certificate in the IIS site binding module.
Besides, Please note that the communication between the client-side and the server-side is established based on the fact that the client trusts the server certificate. this means that when we visit the website, the browser address bar has the sign of security lock. In this way, the public key of the certificate can be exchanged. The specific operation is to add the server root certificate to the Trusted Root Certificate Authority certification store of the client-side.
I have a problem connecting to the Fusio interface (api-manager). I installed it in ftp on a shared server. Until then everything is fine, the database is well updated and I have access to the fusio graphical interface. It is when I have to connect to the GUI that it is blocked. I enter my credentials and just after, an alert tells me: "Your connection to this site is not private".
Image of the second connection request
A little more details follow the comment #Luca Stucchi
I want to perform an installation using the mode: "installation script" (as explained in the documentation).
The API Manager is installed on a shared server, I can not use command lines.
This installation mode allows us to install via an ihm. During the installation, everything goes well. The database is well created and I have access to a login page.
But the problem starts now. When I enter my login information a pop-up appears, the message "Your connection to this site is not private" appears.
And I do not know how to avoid this popup blocking.
Why do you see the error
The error message "Your Connection is Not Private" is displayed for various reasons:
Invalid or non-trusted SSL certificate.
Time is not synchronized between the server and the client.
Issues related to browser cache.
AntiVirus/Proxy service blocking or interfering traffic.
Wrong DNS settings.
How to overcome
if it's a non-trusted SSL certificate: try to install it to your Trusted Root store.
invalid SSL certificate: if possible - re-create the SSL certificate on the server.
make sure that the SSL certificate it not already expired or that its validity starts in the future.
Sync your Clock on both sides (server and client).
Clear SSL state: open Internet Explorer -> Internet Options -> Content tab -> Certificates -> Clear SSL state button.
Clear browser cache (Cached images,Files, and Data)
Turn off (temporarly) your AntiVirus/Proxy.
Use some public DNS like google's (8.8.8.8 or 8.8.4.4).
source for most of the ideas.
P.S.
I'd suggest adding a code sample to get more precise answers...
Everything is setup and I have .well-known folder in my root directory with file.
My Stripe account is activated and my domain is added under Apple Pay tab.
Now when I enable Stripe, I get this notification:
Apple Pay domain verification failed. Please check the log to see the
issue.
When I check the error log, I see:
Error: Unable to verify domain - Forbidden
My hosting is on OVH.
Got the solution and now its working :)
Stripe no longer supports API requests made with TLS 1.0. Please update HTTPS connections with TLS 1.2 or later.
Hosting server is using TLS older version which is not supported anymore
due to security
The upgrade process will be seamless for most users. At the application layer, SHA-2 and TLS 1.2 behave identically to their older versions. You won’t need to change your code, but might need to upgrade your operating system or packages.
for ref:https://stripe.com/blog/upgrading-tls
Hope it will help!!
Have you added Domain Verification file into the .well-known/ folder.
If not please find it in your Stripe dashboard download it or here and upload to .well-known/ folder.
Make sure that you need to access your verification file by your URL https://example.com/.well-known/apple-developer-merchantid-domain-association
In my Case i was using WHMCS on a subdomain, and had to insert the apple merchant file on the root path ./well-known of my domain
subdomain.domain.com/.well˜
domain.com/.well˜
Solved my problem
I've put together a site utilising the Stripe payment system.
Upon making a test payment over HTTPS, I get the error:
Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later.
I've made sure all my versions of software are up to date:
PHP Version: 7.0.7
cUrl Version: 7.47.1
SSL Version: OpenSSL/1.0.2h
I've also tested my site itself on https://www.ssllabs.com/ssltest/analyze.html to make sure TLS 1.2 is enabled and functional on the server.
The only thing I can think is if there is possibly an issue with the certificate bundle I have registered in php.ini (CURL curl.cainfo setting), but since Stripe source has a "ca-certificates.crt" already included I wasn't sure if I even needed to set an entry for curl.cainfo in my php.ini file.
Any advice would be massively appreciated. If there is any additional information I can provide that might help, just let me know.
EDIT: Currently using Stripe's PHP Framework v4.1.1 (Latest)
The SSL cert you mentioned is used by your server to respond to incoming requests. What this means is that if I visit your website, as a customer, my browser (Chrome) will try to talk to your server over TLS 1.2 by default as it uses the most secure protocol first. Your server is apparently able to answer requests over TLS 1.2.
The issue we have right now is that when your server contacts Stripe's servers it negotiates TLS 1.0 by default instead of TLS 1.2. Since Stripe is going to deprecate requests made with TLS < 1.2 this means your requests will start failing next year if you don't upgrade.
What I'd recommend here is to talk with your webhost about this so that they can help you look into your setup and ensure that you do support TLS 1.2 requests from your server to Stripe's. Additionally, you can follow the steps outlined at https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integration-from-tls-1-0-to-tls-1-2 to ensure that your code libraries also support TLS 1.2.
This could also be caused by an outdated version of Stripe's PHP library. They released version 3.19.0 on Friday July 29th which corrected a bug that affected some setups which might explain why you're getting this error even if your host supports TLS 1.2. You may also try updating the Stripe PHP library that you are using to the current version to see if that solves your issue.
Problem was with my local issuer certificate, turns out I was on the right track.
Had to set a default value in my php.ini file for curl_cainfo and that fixed it.
I am having a website (PHP/MySQL). Recently I upgraded the server and installed SSL certificate to my website (server).
Server and SSL details are
HTTP Server Header: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.5.29
Protocol (supported): TLS 1.2
Protocol (NOT supported): TLS 1.0, TLS 1.1, SSL 3, SSL 2
I am using Cdyne SMS Notify API in my website. Cdyne posts back (to a page I have specified in Cdyne call) after completing process at their end when I send request to them.
Without SSL (https) everything works good and I get back post backs (to a page I have specified in Cdyne call) from Cdyne but when I enable SSL (https) then I don't get posts back. I contacted with Cdyne support, they replied that they are getting following exception when they try to send reply (post back) to my website.
The request was aborted: Could not create SSL/TLS secure channel.
What can be the reason? And what can be the solution. Do I need to change my code or do they will have to alter their code. Any help is appreciated.
Last but not least, requests (SMS) from my website are successfully delivered with SSL (https). Means everything is good at my end? Issue is only with post backs from Cdyne.
Thanks in advance,
CDYNE recently performed a security upgrade. It also required a patch to our previous version.
This upgrade was to ensure that all of our customers, from legacy to current versions, have the highest level of encryption for their data. There was a minor interruption while this transition occurred and isn't a regular occurrence with our services.
If you experience any issues in the future, you can always chat with us online through our website or call our tech support line at 1-800-984-3710.
It was Cdyne's implementation which was not allowing posting back to TLS 1.2 server. After they fixed the code at their end everything is working fine.