
Using a cacert.pem for REST requests to APIs from FileMaker with MBS


cincin

This topic is 791 days old. Please don't post here. Open a new topic instead.


I'm working on a way to get shipping rates, create shipments, and download shipping labels, and manifests, from CanadaPost, using REST and the MBS plug-in.

I'm new to certificates and REST so this is extra fun!

I've tested a CanadaPost REST example request in SoapUI and got it to work. I'm now trying to replicate this within my FMP test file, but it's not quite exactly the same as in SoapUI (I'm not seeing cacert.pem being used by SoapUI), and I'm getting an error:

<?xml version="1.0" encoding="UTF-8"?>

<messages xmlns="http://www.canadapost.ca/ws/messages">
<message>
<code>415</code>
<description>Backend Unsupported Media Type</description></message></messages>

which sounds like it could be a problem with the certificate file (there's no other "media" involved).

The cacert.pem I'm using is the one I got from CanadaPost, in their PHP REST sample files. I've tried putting it in a container and using:

MBS( "CURL.SetOptionCAInfoBlob"; $curl; table::cert_container )
MBS( "CURL.SetOptionSSLCertType"; $curl; "PEM")
MBS( "CURL.SetOptionSSLVerifyPeer"; $curl; 1 )
MBS( "CURL.SetOptionSSLVerifyHost"; $curl; 2 )

I've tried putting it in a subfolder of my file and calling it like:

MBS( "CURL.SetOptionCAInfo"; $curl; Substitute(Get(FilePath); "file.fmp12"; "") & "cert/cacert.pem")
MBS( "CURL.SetOptionSSLCertType"; $curl; "PEM")
MBS( "CURL.SetOptionSSLVerifyPeer"; $curl; 1 )
MBS( "CURL.SetOptionSSLVerifyHost"; $curl; 2 )

And that gets me a different error about setting the CApath:

77: error setting certificate verify locations:  CAfile: file:/Macintosh HD/Users/MyUser/Desktop/MyProject/cert/cacert.pem CApath: none

I've also tried with CURL.SetOptionSSLCert instead of CURL.SetOptionCAInfo (what's the difference? not sure) and that gets me:

58: could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)

Then I tried using CURL.SetOptionCAPATH (again not sure what the diff is) but the documentation on this one says

Quote

The certificate directory must be prepared using the openssl c_rehash utility

and I have not done that, so it failed.

Here's the MBS debug info:

Quote

MBS FileMaker Plugin 12.0.0.09 with CURL 7.81.0 in FileMaker Pro Advanced 16 on macOS.
  Trying 23.195.236.27:443...
Connected to ct.soa-gw.canadapost.ca (23.195.236.27) port 443 (#0)
ALPN, offering http/1.1
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use http/1.1
Server certificate:
 subject: C=CA; ST=Ontario; L=Ottawa; O=Canada Post Corporation; CN=stg10.canadapost.ca
 start date: Oct 27 00:00:00 2021 GMT
 expire date: Oct 27 23:59:59 2022 GMT
 subjectAltName: host "ct.soa-gw.canadapost.ca" matched cert's "ct.soa-gw.canadapost.ca"
 issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
 SSL certificate verify ok.
Server auth using Basic with user '#########MYUSERID###'
POST /rs/ship/price HTTP/1.1
Host: ct.soa-gw.canadapost.ca
Authorization: Basic ####MYPASS#######
Accept: application/vnd.cpc.ship.rate-v4+xml
Content-Length: 423
Content-Type: application/x-www-form-urlencoded

<mailing-scenario xmlns="http://www.canadapost.ca/ws/ship/rate-v4">
   <customer-number>####MYCUST###</customer-number>
   <contract-id>###MYCONTRACTID###</contract-id>
   <parcel-characteristics>
      <weight>1</weight>
   </parcel-characteristics>
   <origin-postal-code>K2B8J6</origin-postal-code>
   <destination>
      <domestic>
         <postal-code>J0E1X0</postal-code>
      </domestic>
   </destination>
</mailing-scenario>
Mark bundle as not supporting multiuse
HTTP/1.1 415 Unsupported Media Type
X-Backside-Transport: FAIL FAIL,FAIL FAIL,FAIL FAIL
Content-Type: text/xml; charset=UTF-8
Strict-Transport-Security: max-age=86400; preload
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Content-Security-Policy: default-src 'self' *.hs-cpggpc.ca *.canadapost.ca *.cpggpc.ca *.purolator.com *.epost.ca
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Date: Wed, 16 Feb 2022 19:56:43 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<messages xmlns="http://www.canadapost.ca/ws/messages">
<message>
<code>415</code>
<description>Backend Unsupported Media Type</description></message></messages>
TLSv1.2 (IN), TLS alert, close notify (256):
Closing connection 0
TLSv1.2 (OUT), TLS alert, close notify (256):

Any clues? Thanks!

Link to comment
Share on other sites

Please use native file paths, and not FileMaker's way with disk name on the beginning.

e.g. /Users/MyUser/Desktop/MyProject/cert/cacert.pem

 

But maybe first you try without CURL.SetOptionCAInfo, CURL.SetOptionSSLVerifyPeer and CURL.SetOptionSSLVerifyHost, because the request should go through without SSL verification. Then you can make sure you put right parameters there for SSL validation.
And remove CURL.SetOptionSSLCertType since you don't pass a SSL Cert here.

Link to comment
Share on other sites

On 2/19/2022 at 5:19 PM, ggt667 said:

Are you able to reproduce this procedure using curl on the command line, opposed to: SoapUI?

I have not tried. Would it provide more info as to what the problem might be? I'm not familiar with curl on the command line, so figuring how to make that work is only worthwhile if it helps me figure out what's not working in FileMaker.

 

On 2/20/2022 at 1:16 AM, MonkeybreadSoftware said:

Please use native file paths, and not FileMaker's way with disk name on the beginning.

e.g. /Users/MyUser/Desktop/MyProject/cert/cacert.pem

 

But maybe first you try without CURL.SetOptionCAInfo, CURL.SetOptionSSLVerifyPeer and CURL.SetOptionSSLVerifyHost, because the request should go through without SSL verification. Then you can make sure you put right parameters there for SSL validation.
And remove CURL.SetOptionSSLCertType since you don't pass a SSL Cert here.

Direct support from MBS! Amazing.

I just tried without the CURL.SetOptionCAInfo, CURL.SetOptionSSLVerifyPeer and CURL.SetOptionSSLVerifyHost, so I just set it up like:

Set Variable [$curl; Value: MBS("CURL.New")]
Set Field [Test::result; MBS("CURL.SetOptionURL"; $curl; "https://ct.soa-gw.canadapost.ca/rs/ship/price")]
Set Field [Test::result; MBS("CURL.SetOptionPost"; $curl; 1)]
Set Field [Test::result; MBS("CURL.SetOptionPostFields"; $curl; Test::xml)]
Set Field [Test::result; MBS("CURL.SetOptionHTTPAuth"; $curl; 1)]
Set Field [Test::result; MBS("CURL.SetOptionUserName"; $curl; "MyUserName")]
Set Field [Test::result; MBS("CURL.SetOptionPassword"; $curl; "MyPassword")]
Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Content-Type: application/vnd.cpc.ship.rate-v4+xml")]
Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Accept: application/vnd.cpc.ship.rate-v4+xml")]
Set Field [Test::result; MBS("CURL.SetDebugWithData"; $curl; 1)]
Set Field [Test::result; MBS("CURL.Perform"; $curl)]
Set Field [Test::debug; MBS("CURL.GetDebugAsText"; $curl)]
Set Field [Test::result; MBS("CURL.GetResultAsText"; $curl)]
Set Field [Test::variable; MBS("CURL.Cleanup"; $curl)]

With the following XML:

<mailing-scenario xmlns="http://www.canadapost.ca/ws/ship/rate-v4">
   <customer-number>MyCustomerNumber</customer-number>
   <contract-id>MyContractID</contract-id>
   <parcel-characteristics>
      <weight>1</weight>
   </parcel-characteristics>
   <origin-postal-code>K2B8J6</origin-postal-code>
   <destination>
      <domestic>
         <postal-code>J0E1X0</postal-code>
      </domestic>
   </destination>
</mailing-scenario>

But I still get:

Quote

<?xml version="1.0" encoding="UTF-8"?>
<messages xmlns="http://www.canadapost.ca/ws/messages">
<message>
<code>415</code>
<description>Backend Unsupported Media Type</description></message></messages>

Which is strange now because I'm not sure what media they speak of. Could it be the content-type?

Thanks for the help!

Link to comment
Share on other sites

1 hour ago, cincin said:

I have not tried. Would it provide more info as to what the problem might be? I'm not familiar with curl on the command line, so figuring how to make that work is only worthwhile if it helps me figure out what's not working in FileMaker.

The reason for doing this in curl on the command line is that when you try to make the FileMaker version either built-in FileMaker or via Plug-in such as using MBS you could in theory use the exact same syntax for drafting and production.

Link to comment
Share on other sites

This must be one call:

Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Content-Type: application/vnd.cpc.ship.rate-v4+xml")]
Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Accept: application/vnd.cpc.ship.rate-v4+xml")]
 

so use this:

Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Content-Type: application/vnd.cpc.ship.rate-v4+xml"; "Accept: application/vnd.cpc.ship.rate-v4+xml")]
 

Does that help already?

Link to comment
Share on other sites

12 hours ago, MonkeybreadSoftware said:

This must be one call:

Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Content-Type: application/vnd.cpc.ship.rate-v4+xml")]
Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Accept: application/vnd.cpc.ship.rate-v4+xml")]
 

so use this:

Set Field [Test::result; MBS("CURL.SetOptionHTTPHeader"; $curl; "Content-Type: application/vnd.cpc.ship.rate-v4+xml"; "Accept: application/vnd.cpc.ship.rate-v4+xml")]
 

Does that help already?

It does help! That was the problem. Now it works with and without the certificate.

Thanks!

Link to comment
Share on other sites
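
The debug trace in the first post already separates the TLS layer from the HTTP layer: it reports "SSL certificate verify ok." and then shows the Content-Type the request actually carried. The script below is an added example, not code from any poster or from MBS, that triages such a trace; `sample_trace` and `diagnose_trace` are hypothetical names, and the embedded trace is constructed by abbreviating the one posted above.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the CURL.GetDebugAsText layout
# shown in the posts (no "*", ">" or "<" line prefixes).

# Constructed sample: abbreviated from the trace in the first post, credentials omitted.
sample_trace() {
  cat <<'EOF'
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
 SSL certificate verify ok.
POST /rs/ship/price HTTP/1.1
Host: ct.soa-gw.canadapost.ca
Accept: application/vnd.cpc.ship.rate-v4+xml
Content-Length: 423
Content-Type: application/x-www-form-urlencoded

<mailing-scenario xmlns="http://www.canadapost.ca/ws/ship/rate-v4">
</mailing-scenario>
HTTP/1.1 415 Unsupported Media Type
Content-Type: text/xml; charset=UTF-8
EOF
}

# diagnose_trace EXPECTED_CONTENT_TYPE   (trace on stdin)
# Prints tls=, http_status=, sent_content_type= and verdict= lines.
diagnose_trace() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                                   # tolerate CRLF traces
    /SSL certificate verify ok/ { tls = "verified" }
    /SSL certificate problem|error setting certificate verify locations/ { tls = "failed" }
    /^(GET|POST|PUT|DELETE) [^ ]+ HTTP\// { in_req = 1; next }   # request line
    /^HTTP\/[0-9.]+ [0-9]+/ { in_req = 0; if (status == "") status = $2; next }
    in_req && tolower($0) ~ /^content-type:/ {           # request header only
      sent = $0; sub(/^[^:]*:[ \t]*/, "", sent)
    }
    END {
      if (tls == "") tls = "not-confirmed"
      print "tls=" tls
      print "http_status=" status
      print "sent_content_type=" sent
      if (tls == "failed")                     print "verdict=fix-ca-bundle-or-path"
      else if (tolower(sent) != tolower(want)) print "verdict=content-type-mismatch"
      else                                     print "verdict=no-finding"
    }'
}

sample_trace | diagnose_trace "application/vnd.cpc.ship.rate-v4+xml"
```

A `tls=verified` result with a `content-type-mismatch` verdict means the 415 is an HTTP-layer problem, so CURL.SetOptionSSLVerifyPeer and CURL.SetOptionSSLVerifyHost can stay at the values used in the first post while the header is corrected.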
