Wednesday, December 5, 2012

SugarCRM Troubleshooting: SOAP API Login Problems

One of the oddest technical issues that I have run into dates back a couple of years. In short, attempts to login to the SugarCRM SOAP API failed, but only if the connecting client was a .NET application. That is to say, a PHP script attempting to do the same worked flawlessly.

There was an obvious disconnect there, as the SOAP API should fail for all clients, not just .NET clients. The eventual solution left me puzzled, as it too did not seem to make much sense. As a result, a true solution to the problem seemed to evade me.

By chance, a very similar problem recently found its way to my desk. However, this time around, additional conditions within the environment provided other clues not readily obvious the first time I encountered the problem. 

Not unlike the previous scenario, attempting to execute the login() method of the SOAP API via PHP succeed, i.e. it returned a valid session, but doing the same via .NET failed, returning a SOAP error. 

With the new clues in hand, a definitive solution and explanation finally emerged.

As it turns out, the commonality between the two systems is that both were using self signed SSL certificates. Were we to attempt to access said SugarCRM instance via our browser, it would give us a warning similar to the following image:

The image will vary depending on the browser you use, but the message it is trying to communicate to us is the same: the SSL certificate for the site cannot be trusted.

While our browser permits us to continue on by means of a click, .NET does not. Herein is the root cause of the login() problem for the SugarCRM SOAP API.

To solve the problem, one of two solutions must be applied:

1. Replace the self signed certificate with one validated by a Certificate Authority


2. Add the self signed certificate to the list of trusted certificates on the system where the .NET code attempting to connect to SugarCRM is being executed.

We will not cover the first solution, as it is a bit beyond the scope of this blog, but let us dive into the second solution. 

To begin with, we need the certificate so we can import it into our list of trusted certificates.

To obtain the certificate, while at the certificate/site warning page in your browser, perform the following (instructions assume you are using Internet Explorer, will vary for other browsers):

1. Click Continue to this website (not recommended)

2. Click Certificate Error immediately to the right of the address field.

3. Select View certificates

4. Choose the Details tab and click Copy to file. The Certificate Export Wizard should appear.

5. Proceed through the Certificate Export Wizard with the default settings. Make sure to take note of the location where you store the certificate file as you will need the file for the remainder of the solution. 

Once you have the certificate, you need to add it as a trusted certificate. To add the self signed certificate as a Trusted Root Certification Authority:

1. Click Start > Run, type mmc and hit Enter

2. Select File > Add/Remove Snap-in and click Add

3. Choose Certificates and click Add

4. Select Computer account and click Next, then Finish

5. Click Close to return to the Add/Remove Snap-in window and click OK

6. Expand Certificates and select the Trusted Root Certification Authorities folder

7. Right click over Trusted Root Certification Authorities and choose All Tasks > Import... The Certificate Import Wizard should appear.

8. Proceed through the wizard with the default settings and make sure to select the certificate file you exported via the instructions earlier in this post

That should do it. Now that the certificate is trusted, your .NET code should not have a problem executing the login() or other SOAP methods in the SugarCRM API.

No comments:

Post a Comment

Your comments, feedback and suggestions are welcome, but please refrain from using offensive language and/or berating others. Thank you in advance.