webhook creation errors

  • Updated 2 weeks ago
Hello,

I am in the process of trying to create a webhook connection. I have absolutely no issues doing the webhook connection on a local server using ngrok to let the webhook connect. I get notifications when I make calls, etc. The issue that I am having is that the moment that I push the code to a live server, every time I attempt to create a webhook connection, I am returned an error message.


{
    "errorCode": "SUB-521",
    "message": "WebHook is not reachable",
    "errors": [
        {
            "errorCode": "SUB-521",
            "message": "WebHook is not reachable"
        }
    ]
}

I saw in a forum on devcommunity.ringcentral where someone was having the exact same problems, and John Wang, the official Rep over there at RingCentral, posted a link to check if the link that I am providing was reachable and matched all of the requirements for the SSL/TLS checking: https://www.sslshopper.com/ssl-checker.html. This had no problems; the webhook URL was completely accessible. I am also able to access the webhook URL through Postman. But for some reason I cannot get it to reach that URL.


Also, in the error response it shows that I am in reality pointing the webhook towards the correct URL address. This is what I am posting in order for it to work, but it still does not want to work correctly.

The following in the real example has a real address which is totally reachable, but in my case it is said that it is not reachable by RingCentral.

{"eventFilters": [ "/restapi/v1.0/account/~/extension/~/presence" ], "deliveryMode": { "transportType": "WebHook", "address": "https://my-api-sub-domain.tfpest.com/this-is-my-webhook-url" }}

Jameson Bevans

Posted 1 month ago

Tyler Long, Official Rep
Is https://my-api-sub-domain.tfpest.com/this-is-my-webhook-url the webhook address?

I cannot access it: my-api-sub-domain.tfpest.com’s server IP address could not be found.  DNS_PROBE_FINISHED_NXDOMAIN

It seems that there is a DNS issue with the domain name.

Riley Worthen
No, the domain name is not that. The API domain name is https://ctmapi.tfpest.com/ring/hook .
I am the developer that posted the original question, but I was logged in under a different account. That is the API endpoint for this.

Tyler Long, Official Rep
I tried the new URI. It is too slow to respond. It takes about 30 seconds to respond.

https://ringcentral-quickstart.readthedocs.io/en/latest/webhooks

can respond within 1000 milliseconds

Riley Worthen
Did you try and send it a post request with a Validation-Token header? Because otherwise it will not respond.

Riley Worthen
Okay. I just tried it as well. This was my first attempt.
And what's the status with my previous question? I don't know what you are doing differently than I am, but as far as I can tell, my server is running just fine... Again, did you take a look at the link I sent? The last two errors were regarding the inability to connect a websocket to a server that is using a proxy. And trust me, I have been using this server for over 6 months with ZERO connectivity issues until this issue. Regardless, can we please take a look into this issue with Jetty?

Tyler Long, Official Rep
I am afraid that I have to escalate this issue, because I don't have the permission to check the RingCentral server. I am mainly an SDK engineer. I am not sure the other team will take care of this ticket seriously because we also don't have connectivity issues with other customers.

You also mentioned that ngrok works. And I have several services hosted by Amazon Lambda which work like a charm. So we are pretty safe to say: there is no major issue from RingCentral server side.

Tyler Long, Official Rep
I've pinged my colleagues who could check the RingCentral server software (might be Jetty) to check this thread.

Riley Worthen
Thank you very much.

Tyler Long, Official Rep
By the way, I was not telling you to move away from DigitalOcean. I just encourage you to write a hello-world style app to try EC2/Linode/Heroku, etc. to confirm that they all work with RingCentral without any issues. And then you can deploy the same hello-world style app to your DigitalOcean server and see if it works. It's just advice for troubleshooting.

Tyler Long, Official Rep
Our engineering team updated me. And they seem to have found the root cause: https://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

The RingCentral server side does NOT support Let's Encrypt certificates.

Yes, it is our issue. We will fix it, but not until 2019 Q1.

So the quickest solution is to change your certificate.

Jameson Bevans
WHAT!! Wow, that is the problem?! I am so glad that you finally raised the issue to the engineering team!! Is there any way that this solution can be included in the documentation? Because in terms of Node.js applications, it is pretty common that people use Let's Encrypt for their SSL certs because of how easy it is to set up. Or perhaps even better would be to include a list of trusted SSL certificates that the Java programs that RingCentral uses would accept out of the box. This list would be extremely beneficial in any case. Is there any way that is something that you could provide?

Igor Bebin, Official Rep
Hi Jameson, 

I've already collected the list of trusted Certs, so hopefully it will be published as part of the WebHook guide soon.

Your case helped us to find another small gap on our side. I'm talking about introducing an unambiguous Error Code for this scenario to help us save time if the same problem appears in the future. It's in our backlog now.

Thanks,
Igor

Riley Worthen
I am extremely grateful for that response! It feels good to know that I helped in some way!

By any chance could you tell me if “Entrust” is on that list of CAs that are accepted?

Just looking into purchasing an SSL cert now so I can get this application rolled out to my teams. Yeah, it would be great if Let's Encrypt were an accepted CA, because of the fact that they are free and extremely easy to use.

Thanks so much!

Igor Bebin, Official Rep
Here is the full list of "Entrust" trusted Certs supported on RingCentral side: 
  • Alias name: identrustpublicca [jdk] Owner: CN=IdenTrust Public Sector Roo
  • Alias name: entrustrootcaec1 [jdk] Owner: CN=Entrust Root Certification Authority - EC1
  • Alias name: entrust2048ca [jdk] Owner: CN=Entrust.net Certification Authority (2048)
  • Alias name: entrustrootcag2 [jdk] Owner: CN=Entrust Root Certification Authority - G2
  • Alias name: entrustevca [jdk] Owner: CN=Entrust Root Certification Authority

Thanks,
Igor

Jameson Bevans
UPDATE:

I have changed the SSL certificate after paying nearly 300 dollars to get this certificate. I have validated that in fact the certificate has been installed correctly. I have tested to see if it works and I laughed so hard out of pure frustration when I saw the response. I will let the response speak for itself.

{ apiResponse:
   { _externals: { localStorage: [Object] },
     _request:
      { method: 'POST',
        redirect: 'follow',
        headers: [Object],
        url: 'https://platform.ringcentral.com/restapi/v1.0/subscription',
        follow: 20,
        compress: true,
        counter: 0,
        body: '{"eventFilters":["/restapi/v1.0/account/~/extension/~/presence"],"deliveryMode":{"transportType":"WebHook","address":"https://ctmapi.tfpest.com/ring/hook"}}',
        bodyUsed: false,
        size: 0,
        timeout: 0,
        _raw: [],
        _abort: false,
        protocol: 'https:',
        hostname: 'platform.ringcentral.com',
        port: null,
        path: '/restapi/v1.0/subscription',
        auth: null,
        originalBody: '{"eventFilters":["/restapi/v1.0/account/~/extension/~/presence"],"deliveryMode":{"transportType":"WebHook","address":"https://ctmapi.tfpest.com/ring/hook"}}' },
     _response:
      { url: 'https://platform.ringcentral.com/restapi/v1.0/subscription',
        status: 400,
        statusText: 'Bad Request',
        headers: [Object],
        ok: false,
        body: [Object],
        bodyUsed: true,
        size: 0,
        timeout: 0,
        _raw: [Array],
        _abort: false,
        _bytes: 132 },
     _text: '{"errorCode":"SUB-521","message":"WebHook is not reachable","errors":[{"errorCode":"SUB-521","message":"WebHook is not reachable"}]}',
     _json:
      { errorCode: 'SUB-521',
        message: 'WebHook is not reachable',
        errors: [Array] },
     _multipart: [] },
  originalMessage: 'Response has unsuccessful status' }

Your solution did nothing... here is the exact code that I am using to send the request to your server.

let reqBody = { 
	eventFilters: ['/restapi/v1.0/account/~/extension/~/presence'], 
	deliveryMode: { 
		transportType: "WebHook", 
		address: "https://ctmapi.tfpest.com/ring/hook" 
	} 
};
platform.send({ 
	method: "POST", 
	url: "https://platform.ringcentral.com/restapi/v1.0/subscription", 
	body: reqBody 
}).then(function (response) { 
	res.send(response); 
}).catch(function (e) { 
	res.send(e);
});

Here is an exact copy of the API endpoint https://ctmapi.tfpest.com/ring/hook

router.post("/ring/hook", (req, res) => {
    console.log("This is inside of the webhook creation place");
    // this console log never gets reached...
    let header = 'Validation-Token';
    if (req.get(header)) {
        res.header(header, req.get(header));
        res.send({ test: req.get(header) });
    } else {
        res.send({ test: req.get(header) })
    }
});

I am using an NGINX proxy server to access the Express Node application.

If you send a Postman request to https://ctmapi.tfpest.com/ring/hook with a Validation-Token header of 1234567, it returns this list of headers:

Server →nginx/1.10.3 (Ubuntu)
Date →Mon, 26 Nov 2018 17:31:41 GMT
Content-Type →application/json; charset=utf-8
Content-Length →18
Connection →keep-alive
Access-Control-Allow-Origin →*
Access-Control-Allow-Headers →Origin, X-Requested-With, Content-Type, Accept. Validation-Token
Validation-Token →1234567
ETag →W/"12-oyx2mc99b6uDb18f4YUrToOit6U"
Strict-Transport-Security →max-age=63072000; includeSubDomains; preload
X-Frame-Options →DENY

This is everything that I can possibly think of that you might need. I cannot think of anything else that you could possibly use for diagnosing the problem.

I am so tired of working on this and I am near the breaking point. I have cost our company SO much money so far because something is wrong with this system.


Tyler Long, Official Rep
I can reproduce the issue. I have escalated it. Please hold on.

Riley Worthen
Thank you so much Tyler, I look forward to the response.

Igor Bebin, Official Rep
Hi Riley,

Your Cert is valid now.

There are 3 Cipher Suites supported on your side:  
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Unfortunately, none of them are currently supported by our Backend.

Could you please install any of the Cipher Suites below and try again?
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Thanks,
Igor
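
The mismatch described in the post above, as an added example that is not part of the original thread: it computes the overlap between the two suite lists quoted there and, going one step beyond the thread, picks the forward-secret AES-GCM suites from the caller's list that fit the server certificate. The function names are hypothetical, and the RSA key type is an assumption inferred from the server's three `_RSA_` suites.

```javascript
// Added example: suite names are copied from the thread; function names are illustrative.
const SERVER_SUITES = [ // accepted by the webhook host before the fix
  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
];
// Offered by the calling backend, as listed in the thread.
const CALLER_SUITES = `
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV
`.split(/[\s,]+/).filter(Boolean);

// Split an IANA suite name into its parts; null for signalling values (SCSV).
function parseSuite(name) {
  const m = /^(?:TLS|SSL)_(.+)_WITH_(.+)$/.exec(name);
  if (!m) return null;
  const [kx, auth = kx] = m[1].split('_'); // plain "RSA" is both key exchange and auth
  const forwardSecrecy = kx === 'ECDHE' || kx === 'DHE';
  return { kx, auth, bulk: m[2], forwardSecrecy, aead: m[2].includes('_GCM_') };
}

// Suites both peers offer; an empty result means the TLS handshake cannot complete.
function commonSuites(server, caller) {
  const offered = new Set(caller);
  return server.filter((s) => offered.has(s));
}

// From the caller's list, keep forward-secret AEAD suites whose authentication
// matches the server certificate's key type, as an OpenSSL cipher string.
// The name conversion is only valid for the (EC)DHE AES-GCM suites kept here.
function suitesToEnable(caller, certKeyType) {
  return caller.map(parseSuite)
    .filter((s) => s && s.forwardSecrecy && s.aead && s.auth === certKeyType)
    .map((s) => `${s.kx}-${s.auth}-${s.bulk.replace('AES_', 'AES').replace(/_/g, '-')}`)
    .join(':');
}

console.log(commonSuites(SERVER_SUITES, CALLER_SUITES));
console.log(suitesToEnable(CALLER_SUITES, 'RSA'));
```

The string returned by `suitesToEnable` uses OpenSSL names, which is the form the nginx `ssl_ciphers` directive takes; it would be added to the existing list rather than replace it.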

Riley Worthen
I have fantastic news.

After changing the SSL_CIPHERS in my ssl-params.conf file, RingCentral was finally able to reach my webhook and I am so pleased to say that it is finally functional!!!! I have spent over 5 weeks attempting to solve this issue.

Such a sweet success. Thank you for your assistance. If I may ask, how did you determine which ssl_ciphers I was using?

Igor Bebin, Official Rep
Hi Riley, Jameson,

Great news! Thank you for helping us find this gap in our workflow.

Such a problem happened for the first time in my memory, but it forces us to provide an API to validate a WebHook before subscribing; hopefully, it will be available next year.

During the investigation, we made an analysis of the configuration of your SSL web server using standard tools, AFAIK.

Thanks,
Igor