Online Orders Now asked ·

winhttp requiring a client certificate from one server, not another.

We have separate development and production servers.

All servers have identical hardware. (Dell R230/Xeon E5-1240v5/16gb DDR4/4x Intel 240gb SSD in Raid10)

All servers run Server 2012r2 Standard.

All servers are up to current updates.

All servers have identical SChannel SSL configurations loaded via IISCrypto for PCI 3.1 compliance.

All servers have static IPs on the public internet, with PTR records that match the DNS A records pointing to those IPs.

All servers have identical code in place, that leverages the Microsoft WinHTTP object to create HTTPS connections from Lotus Domino 9.0.1 FP10 HF330.

-----

On two Production servers, which are hosted in datacenters in Texas and Virginia, we are able to connect to the Clover sandbox API without issues. The production servers do not have any kind of certificate for the Clover sandbox API. This apparently is not required, as the documentation makes no mention of one, and they are able to connect.

CURL is able to connect from the production servers, to the same API endpoint, without issue.

-----

On our Development server, which is hosted in our office in Florida, we are unable to connect to the Clover sandbox API, with the WinHTTP object returning the following error:

" Error: '213','WinHttp.WinHttpRequest: A certificate is required to complete client authentication"

The failure occurs in the SSL Handshake part of the communication, before we have given bearer token/etc.

We have tried numerous methods to work around this issue, with no success. Installing/setting a certificate, telling the WinHTTP object to ignore SSL errors, etc.

As a final test, out of desperation, we installed new SSDs in our development server and loaded a fresh copy of Server 2012r2, updated it, installed Domino, the software.. and receive the same error message.

CURL is able to connect from the Development server, to the same API endpoint, without issue.

It seems that the only remaining possibility is some form of IP or hostname blocking on Clover's part, that sends a request for a client certificate, preventing us from using the sandbox API from our office's static IP block.

-----

Please let us know if there's anything we can do, in order to continue developing for Clover.
App Market

1 Answer

Jonathan Ryan Grice answered ·
You may have to register the certificate in the system by using winhttpcertcfg.exe
I don't have much experience with Windows servers but hope this helps.
Someone else may have a better solution.
Cheers.
3 comments

This is one of the things we did in trying to resolve the issue.

We determined that this is not necessary.

The Production servers (using WinHTTP), and CURL (which doesn't use WinHTTP) from any server, connect with no certificate at all, and there is no mention of one being needed in the documentation.


When using cURL, what error does it give you?

curl -G -H "Authorization: Bearer YOUR_API_TOKEN" https://api.clover.com/v3/merchants/MERCHANT_ID/items -d "limit=10"


None. cURL works properly and gives us the data. Microsoft WinHTTP request of the same page with the same headers gives us "Error: '213','WinHttp.WinHttpRequest: A certificate is required to complete client authentication".

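Added example, not part of the original thread: one way to test the question's hypothesis that the handshake carries a request for a client certificate. It lists the cleartext handshake messages in a server's TLS flight, for instance bytes exported from a packet capture, and reports whether a CertificateRequest is among them. It assumes TLS 1.2 or earlier, where these messages are unencrypted; the function names and sample flights are constructed for illustration.

```python
import struct

# Handshake message types from the TLS 1.2 specification (RFC 5246).
HANDSHAKE_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}

def handshake_types(stream: bytes) -> list:
    """Return the names of the cleartext handshake messages in a server's TLS flight."""
    payload = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype == 20:  # ChangeCipherSpec: everything after it is encrypted
            break
        if ctype == 22:  # handshake record; messages may span several records
            payload += body
        pos += 5 + length
    names, pos = [], 0
    while pos + 4 <= len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_NAMES.get(mtype, f"type_{mtype}"))
        pos += 4 + mlen
    return names

def requests_client_cert(stream: bytes) -> bool:
    """True when the server's flight contains a CertificateRequest message."""
    return "CertificateRequest" in handshake_types(stream)

def _msg(mtype, body=b""):  # helper used only to build the constructed samples
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload):  # wraps bytes in a TLS 1.2 handshake record header
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload

# Constructed sample flights (dummy message bodies, not captured traffic).
PLAIN_FLIGHT = _record(_msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10)) + _record(_msg(14))
_split = _msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 10) + _msg(13, b"\x00" * 8) + _msg(14)
CERT_REQ_FLIGHT = _record(_split[:50]) + _record(_split[50:])  # message split across records

if __name__ == "__main__":
    print(handshake_types(PLAIN_FLIGHT), requests_client_cert(PLAIN_FLIGHT))
    print(handshake_types(CERT_REQ_FLIGHT), requests_client_cert(CERT_REQ_FLIGHT))
```

A certificate request sent during a later renegotiation is encrypted and will not appear in this listing.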
