lunarway / openbanking

Repository for keeping track of issues related to Lunar's Open Banking APIs
https://developer.openbanking.prod.lunar.app/

Nordea eIDAS registration successful? #65

Closed Daniela-Mant-Tink closed 4 months ago

Daniela-Mant-Tink commented 7 months ago

Before opening an issue regarding registration problems please ensure that:

If all the above looks good you can open an issue.

Required information

Certificate chain used during registration: curl \ -v \ -H "Content-Type: application/json" \ --data '{"redirectUris":["https://mycompany.com/oauth2/callback"],"roles":["PSP_AI", "PSP_PI"], "name":"mycompany"}' \ --cert client.crt \ --key client.key \ https://tpp.openbanking.prod.lunar.tech/tpp

Output of the registration call: TPP secrets, here is the clientID: 9d95de7f-1d63-458a-83c8-69689901ace1

Time of the registration request: On January 17th or close to that date. Earlier attempts from Nordea's side have happened, too.

Link to the intermediate certificate on the EU Trusted list: Hope this is what you need: https://cdn.tink.se/eidas/jwks-a5ff729b6c1f430592eb001302ae4399.json

Debug information

Hi Lunar,

We are Tink AB, AISP/PISP regulated by the Swedish FSA with our license passported across the EU, see this link to our records: https://www.fi.se/en/our-registers/company-register/details?id=14525

A while ago, we have already contacted you regarding our client Nordea and their eIDAS registration to Lunar DK. Back then, you advised them to follow this registration guide: https://developer.openbanking.prod.lunar.app/catalog/default/api/Registration

They've done this meanwhile but still receive 400 errors for the connection (Unfortunately, I couldn't find any hits in our logs so I cannot forward log data to you. However, I asked Nordea to perform a connection attempt to hopefully be able to forward log data soon.).

Nordea has now tried to use this guide: https://developer.openbanking.prod.lunar.app/catalog/default/api/Registration. They referred to this curl command:

curl \ -v \ -H "Content-Type: application/json" \ --data '{"redirectUris":["https://mycompany.com/oauth2/callback"],"roles":["PSP_AI", "PSP_PI"], "name":"mycompany"}' \ --cert client.crt \ --key client.key \ https://tpp.openbanking.prod.lunar.tech/tpp

And mentioned this URL: https://tpp.openbanking.prod.lunar.tech/

See above, they even received TPP secrets but the connection still doesn't work.

Can you please have a look at the registration and tell me if something has gone wrong and if yes, how to fix it?

Thanks and best regards, Daniela


Please ensure that all information has been checked and is valid!

Issues with missing information will be closed.

Daniela-Mant-Tink commented 7 months ago

Hi Lunar,

Have you already had the chance to have a look at my query? Please get back to me as soon as you can, it's very urgent for us to send an update to Nordea.

Thanks in advance and kind regards, Daniela

mzc-lunar commented 7 months ago

Hi Daniela.

If they received a clientID and clientSecret, they have successfully registered with us. The curl command you sent looks like a reasonable call to register with.

It is hard for us to debug further without knowing what call they are making to get HTTP 400 as a response. If you get an example of their call you are free to share it with us (make sure to redact the clientSecret from the call to avoid leaking it) we might be able to help further. However, I suspect something is wrong with the call in their end if they are receiving HTTP 400 as a response 🙂

At the moment I don't see evidence of a bug in our end as it is working for other clients, so I have taken the liberty of changing the label on the issue 🙂

Daniela-Mant-Tink commented 7 months ago

Hi Morten,

Thanks for your reply.

It's good to know that Nordea seems to have done the registration correctly. I'll send them a reminder and ask them to perform a connection attempt so we can hopefully gather some log data to figure out what's wrong. I'll get back to you once I've received a reply. Please don't close the case on your side yet.

Kind regards, Daniela


--

Daniela Manteuffel

Principal Technical Support Engineer

+46 72 601 17 44


Tink AB

Vasagatan 11

111 20 Stockholm, Sweden

tink.com

T&Cs & Privacy Policies https://tink.com/privacy-policies/

Daniela-Mant-Tink commented 7 months ago

Hi again Morten,

Nordea sent the new example quickly! I've had a look and I see several temporary errors on our end, indeed. Please see some log data below:

Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Remote Address::80

Date:Thu, 08 Feb 2024 09:19:01 GMT

X-Aggregator:Nordea

X-Request-ID:35aca929-c291-4e96-9011-ec27f5172794

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

The same user made several connection attempts on the same day, always with the same result. Can you see anything on your end that might have gone wrong? If you need more information, let me know.

Best regards, Daniela


mzc-lunar commented 7 months ago

Hi Daniela

SSL certificate errors occur if the certificates used for the mTLS connection are not a valid chain or if the certificates used are not trusted by us. Stuff like this is notoriously hard to debug due to the nature of it. If you fill out the issue template with the information required, we can have a look.

mTLS is also required for the registration so it sounds like there has been a proper hole through at least at some point. So I'm thinking it should be doable to get to the bottom of the issue.
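The chain check Morten describes above, as an added example that is not code from the Lunar repository or from anyone in this thread: it builds a throw-away root, intermediate and client certificate with the openssl CLI, then shows that the same leaf is accepted when the intermediate is presented with it and rejected when it is sent alone, which is what a proxy stripping the chain on the way out would produce. It assumes the openssl CLI (1.1.1 or newer) is installed; every name and path in it is made up.

```shell
#!/bin/sh
# Added example (not code from the Lunar repo or this thread): a throw-away
# root -> intermediate -> leaf PKI used to show why a client that presents only
# its leaf certificate fails mTLS verification while leaf + intermediate passes.
# Assumes the openssl CLI (1.1.1 or newer). All names below are invented.
set -eu

# make_pki DIR: writes root.pem, intermediate.pem, leaf.pem and their keys.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  # One config file serves req (needs [req]) and the x509 -extfile sections.
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Self-signed root: the trust anchor the server side is configured with.
  openssl req -x509 -config "$dir/pki.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate (issuing) CA, signed by the root.
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$dir/pki.cnf" -extensions v3_intermediate \
    -out "$dir/intermediate.pem" 2>/dev/null
  # Client (leaf) certificate, signed by the intermediate, not by the root.
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example-tpp.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$dir/pki.cnf" -extensions v3_client \
    -out "$dir/leaf.pem" 2>/dev/null
}

# chain_ok TRUSTED UNTRUSTED LEAF: succeeds only if LEAF builds a valid client
# chain to a root in TRUSTED using the extra certs in UNTRUSTED. Pass "" as
# UNTRUSTED to simulate a client that sends nothing but its leaf.
chain_ok() {
  trusted=$1; untrusted=$2; leaf=$3
  if [ -n "$untrusted" ]; then
    openssl verify -purpose sslclient -CAfile "$trusted" \
      -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -purpose sslclient -CAfile "$trusted" "$leaf" >/dev/null 2>&1
  fi
}

# cert_count FILE: number of PEM certificates in a bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# show_chain FILE: subject and issuer of every certificate in a bundle, the
# manual sanity check of "what does the server actually receive".
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

WORK=$(mktemp -d)
make_pki "$WORK"
# The bundle a client hands to its TLS stack: leaf first, then the
# intermediate. The root is optional since the server already trusts it.
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/client-bundle.pem"
echo "chain as presented by the client:"; show_chain "$WORK/client-bundle.pem"
if chain_ok "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/leaf.pem"; then
  echo "leaf + intermediate: accepted"
fi
if ! chain_ok "$WORK/root.pem" "" "$WORK/leaf.pem"; then
  echo "leaf alone: rejected, the server cannot find the leaf's issuer"
fi
```

With curl's OpenSSL backend a PEM file given to --cert may hold the leaf followed by the intermediate, so a bundle like client-bundle.pem is one way to make sure the intermediate is actually sent rather than assumed.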

Daniela-Mant-Tink commented 7 months ago

Hi again,

Please let me try to fill out the form again:

Required information

Certificate chain used during registration: QWAC (PEM certificate chain omitted)

Nordea's command to register: curl -v -H "Content-Type: application/json" --data '{"redirectUris":["https://mycompany.com/oauth2/callback"],"roles":["PSP_AI", "PSP_PI"], "name":"mycompany"}' --cert client.crt --key client.key https://tpp.openbanking.prod.lunar.tech/tpp

Output of the registration call: TPP secrets, here is the clientID: 9d95de7f-1d63-458a-83c8-69689901ace1

Time of the registration request: Feb 08, 2024 at 10:19:01.950

Debug information: Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Remote Address::80

Date:Thu, 08 Feb 2024 09:19:01 GMT

X-Request-ID:35aca929-c291-4e96-9011-ec27f5172794

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

This is all information I can give you. Other values are masked for security reasons. Please let me know if you need more/different details.

Best regards, Daniela

mzc-lunar commented 7 months ago

Thank you for the debug information 🙂 Could I also get you to try the following, from the template:

This will allow us to sanity-check what the certificate chain looks like when we receive the call. It's good to do a manual check of what you have provided above, but we have previously seen that e.g. proxies removed the certificates client-side before the call hit us, which causes things to fail 🙂

Daniela-Mant-Tink commented 7 months ago

Hi Morten,

I forwarded your request to Nordea and asked them to perform the API call. As soon as I receive some feedback, I'll let you know.

Best regards, Daniela


mzc-lunar commented 6 months ago

Hello Daniela

We can see a successful call to our debug endpoint yesterday using Nordea's certificates. Our mTLS setup uses shared components between the registration functionality and the PISP/AISP endpoints, so I would expect it to work if Nordea makes sure to use the same certs for the PISP/AISP endpoints as they did for the debug call they made yesterday 🙂

Daniela-Mant-Tink commented 6 months ago

Hi Morten,

Thanks a lot for the information, I'll double check this with Nordea. Of course, there is still a possibility that further questions arise. In this case, we'll get back to you. Probably not before Monday though.

Best regards, Daniela


Daniela-Mant-Tink commented 6 months ago

Hi again Morten,

Nordea shouldn't have used a different cert pair for the call to the debug endpoint, so if I understood you correctly, their cert should be working, shouldn't it? I'm asking because our logs are still showing temporary errors, please see an example below:

Certificate chain used during registration: QWAC (PEM certificate chain omitted; same chain as posted above)

Secrets are still present, at least the clientID: 9d95de7f-1d63-458a-83c8-69689901ace1

Latest logs timestamp: Wed, 28 Feb 2024 14:18:01 GMT

Debug information: Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Date:Wed, 28 Feb 2024 14:18:01 GMT

X-Request-ID:c3b00325-2dd2-4f61-9087-fa36c03fb1b6

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

So whatever the error is, it's still present. Please get back to me with advice on how to fix it. I need to admit, though, that I'm not sure if Nordea has also re-registered.

Best regards, Daniela

mzc-lunar commented 6 months ago

Hi Daniela. Sorry for the long response on this. I'll double check the certificates we trust for SSL to see what it could be. The team is currently looking into other high-priority tasks, so expect slightly prolonged response times, but I will do my best to help you get to the bottom of this 🙂

Daniela-Mant-Tink commented 6 months ago

Hi Morten,

Thanks for the information. I'll inform Nordea about the situation. Please get back to me as soon as you can.

Best regards, Daniela


Daniela-Mant-Tink commented 6 months ago

Hi again,

Any update from your end available?

Best, Daniela


mzc-lunar commented 5 months ago

Hi Daniela

Apologies for the prolonged response-time. I finally had time to sit down and triple-checked "the math" on this. My results, disappointing as they are, are that I still can only explain this issue with the explanation that something is wrong in Nordea's end. To sum up my conclusions:

  • We trust their root certificate, both in the client management side, that they have gone through, and in the PISP/AISP endpoint that they cannot get through.
  • The certs you have included in this ticket match the leaf certificate and the intermediate certificate used during the call to the debug endpoint, which was successful. As such, I would expect calls used with this leaf and intermediate certificates to work with the PISP/AISP endpoint as well. The only difference between what you have included in this ticket and the information I have from the debug endpoint is the fact that the root certificate was also included in the call to the debug endpoint. However, this should not be necessary as we have that in our trust chain.

We can't see much logging from the "real" calls to the PISP/AISP endpoints as the connection is broken during the TLS handshake, meaning we don't have a lot to work with on that front. That's why we have made the debug endpoint for debugging these types of issues, so I hope that we can get Nordea to check everything in their end.

My best guesses (without knowing anything about their setup) are that it could be a config error of some kind. I assume the call to the debug endpoint was made manually using cURL or something similar and the failing calls are made from a service. Are we absolutely sure those two scenarios are not different in one way or another? We have previously seen issues with partners that turned out to be a proxy in the partner's infrastructure that stripped the certs on the way out of their infrastructure. Could it be something like that?

If nothing comes from them looking through things in their end again, I would be interested to understand how the call to the debug endpoint was made and how the failing calls have been made to understand if there could be a significant difference.

Daniela-Mant-Tink commented 5 months ago

Hi Morten,

Thanks super much for this very detailed investigation summary, this is very appreciated! I'll forward your answer to Nordea immediately and then we'll see what they say. I'll let you know as soon as I can.

Thanks again and best regards, Daniela

Daniela-Mant-Tink commented 5 months ago

Hi again Morten,

I've meanwhile talked to our developers and it seems to be the exact same issue that Nordea is currently experiencing. Please see a very recent random example for Nordea below:

Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Date:Tue, 26 Mar 2024 10:43:23 GMT

X-Request-ID:923a1f72-0a7d-41a7-b248-d5ffa4ea0aa8

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

Furthermore, I would like to forward a screenshot from an earlier conversation between a colleague of mine and Lunar: [image: Screenshot 2024-03-26 at 10.29.32.png]

This snippet indicates there was an issue on your end that you were able to fix. The culprit seems to have been the QCStatement parser, see also this conversation snippet:

[image: Screenshot 2024-03-26 at 10.31.24.png]

I also tried to compare Tink's and Nordea's QWACs; I could only see differences in the key size. Nordea: 3072 bits, Tink: 2048 bits.

Can you please check the error again, taking the above information into consideration? Is the person who helped Tink, Peter Steffensen, perhaps still with Lunar and able to help?

Thanks again and best regards, Daniela


mzc-lunar commented 5 months ago

@Daniela-Mant-Tink

I've meanwhile talked to our developers and it seems to be the exact same issue that Nordea is currently experiencing. Please see a very recent random example for Nordea below.

Is the issue Tink is facing a consistent one or an intermittent one? I would assume we had heard about it if Tink was entirely unable to connect to Lunar?

Also, I can't see the screenshot you are forwarding.

Daniela-Mant-Tink commented 5 months ago

Hi Morten,

Apologies if I wasn't clear enough in my last email. But please note that I didn't want to inform you about an issue for Tink. I want you to help us resolve an issue for Nordea (only).

I just used the Tink case as an example because we received the same error when we wanted to register eIDAS certs some years ago (that's what the first screenshot was showing). This was the error:

Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Date:Tue, 26 Mar 2024 10:43:23 GMT

X-Request-ID:923a1f72-0a7d-41a7-b248-d5ffa4ea0aa8

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

Nordea is seeing exactly the same error right now. However, for Tink it's not an error anymore because you, Lunar, fixed it. Someone named Peter Steffensen confirmed the error (that's what the second screenshot was showing).

Can you please do for Nordea what you once did for Tink? Something related to the QCStatement parser?

Thanks a lot and kind regards, Daniela

PS: I attached the two screenshots, hope you can see them now.


mzc-lunar commented 5 months ago

Ahh okay, then I understand. I still cannot see your attached pictures, but I think I understand nonetheless. From what I remember from that case, Tink uncovered an issue in our parsing of the QWAC statements, which we fixed. You uncovered the issue during registration and not when calling the /pisp-aisp/accounts endpoint. Since this was a bug in our registration endpoint when validating certificates I don’t believe it’s relevant here as Nordea has already gone through registration with us.

To reiterate, we have the situation:

  1. Nordea have registered with us
  2. Nordea have successfully called our debug endpoint, made for debugging SSL errors. This call allowed me to check what cert chain they were using during the debug call. This chain matches the certs you have provided in this ticket.
  3. Nordea gets HTTP 400 SSL error when calling /pisp-aisp/accounts. As this endpoint is a production endpoint, I am not able to dig into logs that show exactly why the TLS handshake fails, but it does fail.

I have checked multiple times that the certificates we trust in 1. and 2. match what we trust in 3. So I cannot from our end explain why 1. and 2. work and 3. does not. Did you get any information as to how Nordea made the successful calls and how they are making the unsuccessful calls? As I have said previously, I suspect that "something" is different between the two cases in their end.
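The three points above come down to one question: can the server build a path from the leaf the client actually presents, through whatever intermediates arrive with it, to a root it already trusts. The Go program below is an added example (not Lunar's code and not anything posted in this thread) that constructs a throwaway root/issuing-CA/TPP-leaf chain in memory and checks the three presentations this thread discusses: leaf plus intermediate, the same with the root appended (redundant, as noted above), and leaf only, which is what arrives when a proxy strips the chain on the way out. The names `NewTestChain` and `VerifyPresented` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestChain is a constructed three-tier PKI (root -> issuing CA -> TPP leaf) generated
// in memory for this example; none of these are Nordea's, Tink's or Lunar's certificates.
type TestChain struct{ Root, Intermediate, Leaf *x509.Certificate }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate template; CA templates get cert-signing usage,
// the leaf gets the TLS client-authentication EKU that a QWAC used for mTLS carries.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestChain issues root -> intermediate -> leaf with fresh P-256 keys.
func NewTestChain() TestChain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Test Root CA", true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(template(2, "Test Issuing CA", true), root, &intKey.PublicKey, rootKey)
	leaf := sign(template(3, "Test TPP QWAC", false), inter, &leafKey.PublicKey, intKey)
	return TestChain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented does what a TLS server verifying client certificates does: the first
// certificate the client sent is its leaf, the rest are untrusted intermediates, and a
// path must be built from the leaf to a root the server trusts. nil means accepted.
func VerifyPresented(trustedRoot *x509.Certificate, presented []*x509.Certificate) error {
	if len(presented) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ch := NewTestChain()
	fmt.Println("leaf+intermediate:      ", VerifyPresented(ch.Root, []*x509.Certificate{ch.Leaf, ch.Intermediate}))
	fmt.Println("leaf+intermediate+root: ", VerifyPresented(ch.Root, []*x509.Certificate{ch.Leaf, ch.Intermediate, ch.Root}))
	fmt.Println("leaf only (stripped):   ", VerifyPresented(ch.Root, []*x509.Certificate{ch.Leaf}))
}
```

The leaf-only case fails with "certificate signed by unknown authority", which is the same class of failure a server front end reports as a client SSL certificate error before any request logging happens; comparing what `openssl s_client` or cURL sends with what the service's HTTP client actually puts on the wire (the first certificate in the client's chain plus its intermediates) is the diagnostic this suggests.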

Daniela-Mant-Tink commented 5 months ago

Hi Morten,

First of all, you got it correctly, even without the pictures. Maybe they were blocked for security reasons?

Anyhow, thanks a lot for your analysis, it makes sense to me and I'm going to present it to Nordea and ask them about potential differences while calling the endpoints. I'll get back to you as soon as I receive a reply. Please don't close the case beforehand, even if it takes a bit of time for Nordea to reply.

Best regards, Daniela


Daniela-Mant-Tink commented 5 months ago

Hi again Morten,

Unfortunately, Nordea doesn't exactly know anymore if there were differences between the performed calls.

To get this resolved, we'd like to ask you if you'd be ready to join a common meeting with Tink (me) and a Nordea representative if they're also ready (we'll of course ask them)? Would it be possible/make sense from your perspective to let Nordea re-register the certificates so you can see what they do in live action? Or don't you support re-registration? Please let me know.

Best regards, Daniela


Daniela-Mant-Tink commented 4 months ago

Hi again,

Any input about our last comment from April 17th? This issue is not resolved yet.

Best regards, Daniela


mzc-lunar commented 4 months ago

Hi Daniela, sorry for the silence this past week. I have sent you a mail.

Daniela-Mant-Tink commented 4 months ago

Hi again Morten,

As promised in our call with Nordea on Wednesday last week, I aligned with our developers to double-check the case again. I've been asked to double-check one thing with you. At the beginning of April, we figured out that Nordea received the error when calling the /pisp-aisp/accounts endpoint. This is still happening, see this log example from today:

Request URL:https://openbanking.prod.lunar.app/aisp-pisp/accounts

Request Method:GET

Status Code:400

Date:Mon, 13 May 2024 13:17:58 GMT

X-Request-ID:8231dcf0-a0b7-4727-946a-1b09118a1f7d

Response:

400 The SSL certificate error

400 Bad Request

The SSL certificate error

nginx

In this recent conversation, our developers pointed out that Tink also actually received this error when calling the /pisp-aisp/accounts endpoint after a (successful?) registration. So, we experienced exactly the same issue as Nordea. To recap, you fixed this issue (with the QCStatement parser) on your end. Can you please double-check if you can do anything for Nordea?

Thanks for your reply and best regards, Daniela


Daniela-Mant-Tink commented 4 months ago

Hi again,

Apologies for all the pings but since the next call with Nordea happens tomorrow, I was wondering if you've already had the chance to have a look at my message from May 13th. Every new information could help to drive this case further.

Best regards, Daniela


mzc-lunar commented 4 months ago

We have heard out of band from Nordea that the issue is now fixed

Daniela-Mant-Tink commented 4 months ago

Hi to everyone,

That would be great! @Seppänen, Janne M @.***>, can you clearly confirm that?

Best regards, Daniela


Daniela-Mant-Tink commented 3 months ago

Hi again @Seppänen, Janne M @.***>,

Please let me know if there is any further action needed, either from Lunar's side or from your side. If the issue can be considered fixed, please confirm, I'll then close the Tink support case, too.

Thanks and best regards, Daniela


Daniela-Mant-Tink commented 3 months ago

Hi,

Timo told me that at least one customer has successfully added Lunar, so I think it is now working. But since it’s Tink who actually calls Lunar, they should see better if the calls are successful now or not.

Janne


Daniela-Mant-Tink commented 3 months ago

Hi again,

I've checked some logs again and I can, indeed, see updating credentials now. I have to admit there are still many errors (AUTH and TEMP), but those should no longer be eIDAS related. I'll go ahead and close the ticket.

Thanks to everyone for your time, effort and patience.

Best regards, Daniela
