Hello!
We are experiencing a higher incidence rate of failed calls to one of our third-party API providers, Docusign, from Retool. An example message that we get follows this format:
{"status":400,"message":"request to https://realestate.docusign.com/mobileapi?Method=GetRoomProperties&SessionId=**** failed, reason: unable to verify the first certificate","error":true,"source":"resource"}
This message only appears intermittently, and after several subsequent attempts to invoke the API call again, it succeeds. We make identical calls to the same endpoints through other platforms and are not able to recreate the issue unless we issue the request through Retool.
Are there any best practices or recommendations for dealing with this type of certificate issue from within the Retool environment? Anecdotally, our users have indicated that this is experienced more frequently in late afternoon (East Coast time zone) and has occurred more frequently over the past few weeks.
Any suggestions you might have would be very much appreciated, thanks so much!
I can put the URL in my browser and get a response; however, using Postman, I have the same issue. Through Postman, I'm able to turn off SSL validation and the request works.
Is there any way to do the equivalent in my Retool app?
I have the same issue. The response when calling the API is: reason: ","error":true,"queryExecutionMetadata":{"estimatedResponseSizeBytes":145,"resourceTimeTakenMs":22.
Is there any way to resolve this problem?
Hi Ben, if I have 'SSL Certificate Verification' ON, the call fails just like you are seeing. If I disable 'SSL Certificate Verification', the call succeeds. If there were a way from w/in my Retool app to turn off SSL Certificate Verification (like they offer in Postman), I'd be happy.
Unfortunately, Retool's cloud offering doesn't allow for disabling SSL verification or using custom CA certificates for REST resource types (there is an open feature request for the latter, however). Our self-hosted offering does allow you to include custom CA certificates (see documentation here).
{
"message": "request to https://testdtm.joinyourbit.com/auth/realms/JoinYourBit/protocol/openid-connect/token failed, reason: unable to verify the first certificate",
"stack": "MicroserviceError: request to https://testdtm.joinyourbit.com/auth/realms/JoinYourBit/protocol/openid-connect/token failed, reason: unable to verify the first certificate\n at Object.runQuery (/retool/backend/transpiled/server/modules/dbconnector/dbconnClient.js:413:11)\n at runMicrotasks ()\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at async handleHttpRequestStepWithExposedEnvReplacements (/retool/backend/transpiled/server/controllers/resourceAuth.js:167:20)\n at async processRefreshAuthStep (/retool/backend/transpiled/server/controllers/resourceAuth.js:387:36)\n at async /retool/backend/transpiled/server/controllers/resourceAuth.js:421:27"
}
Hi @raffru, thanks for checking in! Hmm, is this something you're able to access outside of Retool (in Postman, for example)? If so, can you provide a screenshot of the configuration there?
Additionally, can we see the full resource setup (including the headers & any authentication)?
"message": "request to https://testdtm.joinyourbit.com/auth/realms/JoinYourBit/protocol/openid-connect/token failed, reason: unable to verify the first certificate",
Hi Tess,
We don't need the first step (authentication), but only an API call to get a token (username and password are already in the header).
So I removed the first step and the access_token header variable, but the error is the same.
It sounds like the main issue is that the Skip CA cert setting isn't going to be applied to the auth section. If you create a new Retool resource where the Base URL is either https://testdtm.joinyourbit.com/ or https://testdtm.joinyourbit.com/auth/realms/JoinYourBit/protocol/openid-connect/token and has no authentication set up, you'll see that you get a "failed, reason: unable to verify the first certificate" error when you try to query the resource in an app. If you check on Skip CA Certificate verification, you stop seeing the cert errors when querying the resource.
Separate from the cert limitation is the access token definition. As a general structure, if you want to use a variable token in the resource headers, this should be called and defined in the auth setup, rather than the refresh setup.