Webhook SSL issues

(Sam P) #1

I appear to be having issues with registering webhooks to domains using Let’s Encrypt certificates. For example https://hookbin.com/ which uses a Comodo CA Ltd certificate works fine, but https://postb.in/ which uses Let’s Encrypt doesn’t. Has anybody else experienced this issue?

If it’s not possible to solve on Monzo’s end, can anyone recommend an alternative free certificate authority I can use, preferably one that supports automated renewal using ACME or similar.

0 Likes

(simon) #2

That’s weird. Let me check for you.

0 Likes

#3

We use letsencrypt - haven’t had any issues

0 Likes

(Sam P) #4

That seems very odd then. I wonder what I’m doing differently. To test those two pages as well as my own webserver I simply pasted and submitted the url into the Register webhook endpoint in the developer playground, then created a small transaction to check if it works.

0 Likes

(Sam P) #5

Okay, so I’ve tried another service https://webhook.site which seems to work okay. I’m now trying to figure out the difference. The certificates both have exactly the same CA, so I think that might be a red herring

0 Likes

#6

Are you returning a 200 ?

0 Likes

(Sam P) #7

That should be irrelevant for webhooks since it’s Monzo initiating the request. I have however fixed an issue where I was listening for a GET request instead of POST, however I have another issue. For some reason the SSL handshake is failing:

SSL handshake failed
protocol: <asyncio.sslproto.SSLProtocol object at 0x000001CD19CFFEF0>
transport: <_SelectorSocketTransport fd=484 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "C:\Program Files\Python37\lib\asyncio\sslproto.py", line 625, in _on_handshake_complete
    raise handshake_exc
  File "C:\Program Files\Python37\lib\asyncio\sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "C:\Program Files\Python37\lib\ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)
SSL error in data received
protocol: <asyncio.sslproto.SSLProtocol object at 0x000001CD19CFFEF0>
transport: <_SelectorSocketTransport closing fd=484 read=idle write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "C:\Program Files\Python37\lib\asyncio\sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "C:\Program Files\Python37\lib\asyncio\sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "C:\Program Files\Python37\lib\ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)

I don’t get this when visiting my server from the browser

Edit, here’s the code I used to setup the ssl context (Python 3.7):

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain('<certpath>.pem', '<keypath>.key.pem')
app = web.Application()
app.add_routes(routes)
web.run_app(app, ssl_context=context, port=8443)
0 Likes

(Sam P) #8

Can anyone suggest a way for me to debug this further? Unfortunately I can’t infer much from this SSL error code.

Edit: some more info, this is the encryption my server is currently using when connecting via a browser:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256 bit keys, TLS 1.2

I have noticed that the other sites, including the one that didn’t work, are using TLS 1.3. I’d be surprised if this is the reason though,

0 Likes

(Sim) #9

Hi everyone,
i’m registering webhooks and i can check they are registered. However, i’m not receiving anything(transactions created notifications serverside) for “collaborators accounts”. For my own account it works perfect so i doubt it’s an issue with ssl as mentioned before. I’ve asked monzo openbanking guys who told me under 25 white listed collaborators it should work. I’m getting aisp in the next months or so but as for doing some testing it would be great to have webhooks. If there is anyone to help on that i’ll appreciate any help.

0 Likes