New Member
Posts: 8
Registered: ‎09-12-2018
Solutions: 1

API empty answer after server IP change

Hi, new here.

 

I'm setting up a UCRM server and using the API to load our existing customers into it. Everything was working fine until we had to move the server from location and hence change its network configuration. I updated the server IP in System -> Settings to the new address, but now when accessing UCRM through the API I get an empty answer. For example, trying to get the customer's list, even with wrong credentials returns nothing:

 

 

curl --include --header "Content-Type: application/json" --header "X-Auth-App-Key: appKeyString" 'http://xxx.xxx.xxx.xxx/api/v1.0/clients?userIdent=&customAttributeKey=&customAttributeValue=&order=&direction='
HTTP/1.1 302 Found
Location: https://xxx.xxx.xxx.xxx:443/api/v1.0/clients?userIdent=&customAttributeKey=&customAttributeValue=&order=&direction=
Date: Wed, 13 Mar 2019 17:52:55 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8

 

With a local run using a backup file from that server everything works (even without changing the server IP):

 

curl --include --header "Content-Type: application/json" --header "X-Auth-App-Key: appKeyString" 'http://192.168.1.103/api/v1.0/clients?userIdent=&customAttributeKey=&customAttributeValue=&order=&direction='
HTTP/1.1 401 Unauthorized
Server: nginx
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Clacks-Overhead: GNU Terry Pratchett
Cache-Control: max-age=0, must-revalidate, private
Date: Wed, 13 Mar 2019 17:56:25 GMT

{"code":401,"message":"Authentication Required"}

And of course with the correct key it returns all the customers.This started happening on 2.14.8 and stills happens on 2.15.0

 

Any ideas what is wrong ??

 

Thanks in advance.

Ubiquiti Employee
Posts: 1,476
Registered: ‎03-21-2016
Kudos: 244
Solutions: 161

Re: API empty answer after server IP change

Hello @jbaptiste, it does not return nothing. It returns a 302 response, which is a redirect. You're sending a plain http request and are getting back a redirect to secure https. Use the https URL and everything will work fine.

New Member
Posts: 8
Registered: ‎09-12-2018
Solutions: 1

Re: API empty answer after server IP change

Ahhh you are right !!

I did not had taken that detail into account, I did notice that when using https there was an error with the self signed cert so I was trying to get it to work on http first. The problem was with the load balancer that was in front of ucrm, in the previous location was using letsencrypt certificates but after the server was moved to the new location certificates could not be renewed as it it doesnt have access from the internet, and the load balancer was doing the redirection from http to https. I disabled it and now I can access the API via http.
Regular Member
Posts: 338
Registered: ‎11-18-2009
Kudos: 97
Solutions: 10

Re: API empty answer after server IP change

@jbaptiste,

 

Just FYI, you can safely disable SSL on your cURL requests, if they are going to "localhost".  There will never be a valid certificate for localhost and since communication will never leave the server (or in this case, even the container) you can disable the verification safely.  Obviously, never make calls using the same cURL instance to the outside world with re-enabling it.

 

@UBNT-Ondra,

 

Something a bit more bizzare, I also noticed that there are some issues with the CA Bundles, but only when using cURL from the UCRM Docker Container.  As an example, if I make a request using the exact same cURL request from another PHP server (an even from the UCRM host, there are no issues, but I have to include updated CA Bundles when using it with Plugins if I want to use the FQDN.

 

Is it possible that cURL is outdated on the docker image?

 

Here is some of the code I now use in my own SDK to alleviate the issues and keep things secure.

 

// IF the Base URL is using HTTPS AND is requesting localhost...
if(Strings::startsWith(self::$_baseUrl, "https://localhost"))
{
    // THEN disable host/peer certificate checks, as localhost cannot resolve to a valid name for SSL!
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
}
else
{
    // OTHERWISE, enable host/peer certificate checks, this is fine for all HTTP URLs (including localhost)!
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2); // DEFAULT
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1); // DEFAULT

// Downloaded from: https://curl.haxx.se/docs/caextract.html curl_setopt($curl, CURLOPT_CAINFO, __DIR__ . "/Certificates/cacert-2018-10-17.pem"); curl_setopt($curl, CURLOPT_CAPATH, __DIR__ . "/Certificates/cacert-2018-10-17.pem"); }

Of course, I now ONLY use "https(s)://localhost/api/v1.0/" for ALL internal calls.

 

Food for thought.

Ubiquiti Employee
Posts: 1,476
Registered: ‎03-21-2016
Kudos: 244
Solutions: 161

Re: API empty answer after server IP change

@rspaeth All packages are updated with each UCRM release. But there might be an issue if the CA bundles are not updated periodically when the UCRM is just running. We'll check, thank you.

Regular Member
Posts: 338
Registered: ‎11-18-2009
Kudos: 97
Solutions: 10

Re: API empty answer after server IP change

@UBNT-Ondra,

 

Strange...

 

Even my CA Bundles are a bit dated, October of 2018, if I remember correctly.  I would think my UCRM has been through at least 4-5 updates since then.

 

I have only tested this issue against UCRMs with Let's Encrypt certificates, so maybe the issue is related.

Ubiquiti Employee
Posts: 36
Registered: ‎07-21-2016
Kudos: 4
Solutions: 2

Re: API empty answer after server IP change

I think I found the problem. The ca-certificates package was not correctly updated so even the latest ucrm used a version from november 2017. This should be fixed in 2.15.1.
Regular Member
Posts: 338
Registered: ‎11-18-2009
Kudos: 97
Solutions: 10

Re: API empty answer after server IP change

@UBNT-Jachym,

 

Thank you!

Highlighted
Ubiquiti Employee
Posts: 36
Registered: ‎07-21-2016
Kudos: 4
Solutions: 2

Re: API empty answer after server IP change

[ Edited ]

Turns out simply updating the package is not possible because of some conflicts so I'll need to find another way. Can you give me some code that will fail without the new certificates? Like a domain where ssl verification won't work without them? I need a way to test my solution when I find one. Also if you have a recommendation where I can get up-to-date certificates, please share.

Ubiquiti Employee
Posts: 36
Registered: ‎07-21-2016
Kudos: 4
Solutions: 2

Re: API empty answer after server IP change

Should be now solved for 2.15.1.