PostalMethods The form token is invalid / -1

[katycomputer]

I go into list of clients, select an invoice, select DeliveryviaPostalMethods

The first time I did this, I got a "The form token is invalid", now I get a -1

Any ideas?

 

BTW: If we can get this working, this is another really cool Blesta feature!!! 

[Jono]

What version of Blesta are you running?  There was I similar issue reported here that was resolved in v4.0.

[katycomputer]

I am on 4.1.2

[Paul]

1 hour ago, katycomputer said:

I am on 4.1.2

If 4.1.2, the issue mentioned in the other thread should have been resolved. There is another issue with PostalMethods at the moment.. they do not support modern TLS via their API. I have reached out to them, and they are looking into upgrading their API server to support modern TLS. Therefore, your server must be able to negotiate older SSLv3 or TLS 1.0. Here is what is currently supported:

Quote

# nmap --script ssl-enum-ciphers -p 443 api.postalmethods.c                                                                            om

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-06 15:32 PST
Nmap scan report for api.postalmethods.com (74.124.23.22)
Host is up (0.038s latency).
rDNS record for 74.124.23.22: cust-74-124-23-22.dllstx01.corexchange.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (2)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (2)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 37.82 seconds
 

Hopefully they will begin supporting TLS 1.1, 1.2 soon.

[katycomputer]

Thank you . I reached out to my sales rep. Hopefully, the'll resolve the issue.

[Paul]

19 hours ago, katycomputer said:

Thank you . I reached out to my sales rep. Hopefully, the'll resolve the issue.

Actually I think we have a temporary solution for you. Please see https://docs.blesta.com/pages/viewpage.action?pageId=1540327#Company>Billing&Payment-PostalMethods specifically, the yellow box. You may be able to tweak your code to get it to negotiate the older ciphers.

[katycomputer]

Now, I'm getting  -3003

Did I mis-key something?

[Paul]

Your modification looks right to me. I'm not sure what -3003 means, it's not listed as an error code for PHP CURL. It may be that your server is unable to negotiate SSLv3 at all.

Try changing the value 3 to 4 instead, per the chart  below. They support SSLv3 and TLS 1.0, so an option of 4 should specify TLS 1.0. Maybe that'll work instead. 

 

Quote

CURL_SSLVERSION_DEFAULT (0)
CURL_SSLVERSION_TLSv1 (1)
CURL_SSLVERSION_SSLv2 (2)
CURL_SSLVERSION_SSLv3 (3)
CURL_SSLVERSION_TLSv1_0 (4)
CURL_SSLVERSION_TLSv1_1 (5)
CURL_SSLVERSION_TLSv1_2 (6).

 

[katycomputer]

I changed it to 4 - same result, sounds like we'll need to wait for PostalMethods to update their server, perhaps we can use their email to postal gateway:

[Jono]

2 hours ago, katycomputer said:

I changed it to 4 - same result, sounds like we'll need to wait for PostalMethods to update their server, perhaps we can use their email to postal gateway:

Actually, this is a separate error code returned by the api.  You can see the various error codes here http://www.postalmethods.com/statuscodes.  This one in particular has the description "Not Authenticated - API key does not exist or Username does not exist or username and password do not match."  I think you should double check your postal methods api key in blesta at /admin/settings/company/billing/deliverymethods/.

[katycomputer]

Good call Jono. Copy & paste appended a space to my API key.

I removed the space & all is good.

[katycomputer]

Postal methods has updated their security. I sent a test invoice via snail mail.