403: Forbidden when registering for prod environment

facundofederico commented 1 month ago

We are registering with a new EC certificate provided by https://eidas.ec.europa.eu/efda/tl-browser/#/screen/tl/HU/2/14. I have 3 files:

leaf.pem (the client certificate)
int-root.pem (intermediate and root certificates)
privatekey.pem (certificate key)

The certificates are the following:

All this files have been checked and have the correct format.

I'm making the following call using wget 1.21.4: wget.exe --no-check-certificate --method=POST --body-data="{\"redirectUris\":[\"https://localhost:5011/api/callback/aisp\",\"https://localhost:5011/api/callback/pisp\",\"https://[name]/api/callback/aisp\",\"https://[name]/api/callback/pisp\"],\"roles\":[\"PSP_AI\",\"PSP_PI\"],\"name\":\"[name]\"}" --header="Content-Type: application/json" --certificate="C:\...\ec_certs\leaf.pem" --ca-certificate="C:\...\ec_certs\int-root.pem" --private-key="C:\...\ec_certs\privatekey.pem" --secure-protocol=TLSv1_3 --debug https://tpp.openbanking.prod.lunar.tech/tpp

And getting this response:

DEBUG output created by Wget 1.21.4 on mingw32.

Reading HSTS entries from C:\Users\FacundoFederico/.wget-hsts
URI encoding = 'CP1252'
converted 'https://tpp.openbanking.prod.lunar.tech/tpp' (CP1252) -> 'https://tpp.openbanking.prod.lunar.tech/tpp' (UTF-8)
Converted file name 'tpp' (UTF-8) -> 'tpp' (CP1252)
--2024-08-13 14:00:50--  https://tpp.openbanking.prod.lunar.tech/tpp
Resolving tpp.openbanking.prod.lunar.tech (tpp.openbanking.prod.lunar.tech)... seconds 0,00, 52.214.76.210, 52.50.173.138, 34.246.164.191
Caching tpp.openbanking.prod.lunar.tech => 52.214.76.210 52.50.173.138 34.246.164.191
Connecting to tpp.openbanking.prod.lunar.tech (tpp.openbanking.prod.lunar.tech)|52.214.76.210|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000fcbfe740 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000fcbfef80
certificate:
  subject: CN=tpp.openbanking.prod.lunar.tech
  issuer:  CN=R11,O=Let's Encrypt,C=US
WARNING: cannot verify tpp.openbanking.prod.lunar.tech's certificate, issued by 'CN=R11,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.

---request begin---
POST /tpp HTTP/1.1
Host: tpp.openbanking.prod.lunar.tech
User-Agent: Wget/1.21.4
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 264

---request end---
[BODY data: {"redirectUris":["https://localhost:5011/api/callback/aisp","https://localhost:5011/api/callback/pisp","https://[name]/api/callback/aisp","https://[name]/api/callback/pisp"],"roles":["PSP_AI","PSP_PI"],"name":"[name]"}]
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 403 Forbidden
Date: Tue, 13 Aug 2024 12:00:50 GMT
Content-Length: 0

---response end---
403 Forbidden
Registered socket 3 for persistent reuse.
] done.
2024-08-13 14:00:51 ERROR 403: Forbidden.

I'm making the same call to the debug endpoint and getting a success:

DEBUG output created by Wget 1.21.4 on mingw32.

Reading HSTS entries from C:\Users\FacundoFederico/.wget-hsts
URI encoding = 'CP1252'
converted 'https://debug.openbanking-sandbox.prod.lunar.tech' (CP1252) -> 'https://debug.openbanking-sandbox.prod.lunar.tech' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2024-08-13 14:31:35--  https://debug.openbanking-sandbox.prod.lunar.tech/
Resolving debug.openbanking-sandbox.prod.lunar.tech (debug.openbanking-sandbox.prod.lunar.tech)... seconds 0,00, 52.50.173.138, 52.214.76.210, 34.246.164.191
Caching debug.openbanking-sandbox.prod.lunar.tech => 52.50.173.138 52.214.76.210 34.246.164.191
Connecting to debug.openbanking-sandbox.prod.lunar.tech (debug.openbanking-sandbox.prod.lunar.tech)|52.50.173.138|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x000000009066dbf0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000000009066efa0
certificate:
  subject: CN=debug.openbanking-sandbox.prod.lunar.tech
  issuer:  CN=R11,O=Let's Encrypt,C=US
WARNING: cannot verify debug.openbanking-sandbox.prod.lunar.tech's certificate, issued by 'CN=R11,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.

---request begin---
POST / HTTP/1.1
Host: debug.openbanking-sandbox.prod.lunar.tech
User-Agent: Wget/1.21.4
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 264

---request end---
[BODY data: {"redirectUris":["https://localhost:5011/api/callback/aisp","https://localhost:5011/api/callback/pisp","https://staging-api.symblepay.io/api/callback/aisp","https://staging-api.symblepay.io/api/callback/pisp"],"roles":["PSP_AI","PSP_PI"],"name":"stagin.symblepay"}]
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Tue, 13 Aug 2024 12:31:34 GMT
Content-Length: 22
Content-Type: text/plain; charset=utf-8

---response end---
200 OK
Registered socket 3 for persistent reuse.
URI content encoding = 'utf-8'
Length: 22 [text/plain]
Saving to: 'index.html'

     0K                                                       100% 16,1M=0s

2024-08-13 14:31:35 (16,1 MB/s) - 'index.html' saved [22/22]

The returned index.html file contains the text TLS chain was verified

tmablunar commented 1 month ago

Thank you for reporting this. We will look into it as soon as possible.

tmablunar commented 3 weeks ago

@facundofederico we believe we have fixed the issue. Please try again.

facundofederico commented 3 weeks ago

It seems to have worked! Thank you!

tmablunar commented 3 weeks ago

Good to hear. Please get back to us should you experience further problems.

Closing the issue.

facundofederico commented 3 weeks ago

I'm attempting to start a domestic payment and getting a 500 error.

This is the request:

Method: POST, RequestUri: 'https://openbanking.prod.lunar.app/aisp-pisp/payments/domestic-credit-transfer', Version: 1.1, Content: System.Net.Http.StringContent, Headers:
{
  Accept: application/json
  Authorization: Bearer ory_at_ez0[...]d_g
  traceparent: 00-4d6315ef5f1ed78aa8dafdd9bf735aeb-2f98500f0af8c456-01
  Content-Type: application/json
  Content-Length: 328
}

This is the body:

{
"redirectUrl":"https://localhost:5011/api/callback/pisp",
"accountId":"4ca[...]13a",
"recipientBBAN":"**************",
"amount":36.75,
"currency":"DKK",
"instant":true,
"message":"andel - ID: 0[...]d",
"title":"0[...]d - [...]",
"date":"2024-08-19"
}

I checked the endpoint parameters limits and the request seems fine. I would like to know if the title has any unspecified limit, since it's pretty long (75 characters).

Crevil commented 3 weeks ago

Linking https://github.com/lunarway/openbanking/issues/57 here as the last question looks to be caused by the same.

lunarway / openbanking

403: Forbidden when registering for prod environment #78