POST request with outbound

Hi all,

I was trying to integrate other services e.g. DHIS2 with CHT and for that I was thinking about using openHIM. I defined an outbound (after setting mark_for_outbound true) with the url & auth but from the logs of the mediator & platform, it seems like it is performing a GET request. Is there a way to change this to a POST?

Hi @magp18

From what I can tell from the code, the request is already a POST: cht-core/outbound.js at master · medic/cht-core · GitHub

Can you please share logs, or some indication that the request is a GET?
Thanks!

@magp18 - Seconding what @diana mentioned, I found it to be a POST while I was exploring what an OpenHIM integration might look like in our CHIS-Interoperability repo.

Speaking of which, while this code is very nascent (and entirely lacking ;s !?), it may be helpful, along with our recently update documentation, about how to approach an OpenHIM integration.

Let us know how it goes!

Hi @diana,

This is from medic-sentinel (CHT is running on docker). I was assuming it was a GET because of the OpenHIM platform (but seems something went wrong before?)


Now it’s not triggering the Mediator anymore

And the request body was empty somehow. Let me know what other logs are of interest.

Will have a look on this thanks! And sure will gladly update you on the integration with openHIM:)

Hi @magp18

I don’t think CHT would make any request if payload mapping failed. Can you please have a look at your outbound configuration and make sure that it follows the documentation? The error would suggest that the mapping property is not set. .outbound | Community Health Toolkit

1 Like

Yes you are right, I didn’t realize the mapping property was required, thought I could send the raw data like this directly.

After adding this property I am getting a failed to push error, certificate has expired. Although my certificates seem to be valid.

The CHT doesn’t do certificate validation. Can you try making a request to your integration server from the server that hosts CHT API and check if the request goes through?

Thanks for the reply @diana and sorry for the late reply. But yes I think you are right, using 5001 works for me (I have a different error - ESOCKETTIMEOUT) but I think that’s related to my openHIM mapping (there might be an error). I am trying to get it right and will let you know. Thanks anyhow

Sorry for reviving this post, but it seems like there is something related to the certificate, unless I am missing something.
I was using 5001 (http) and that was working but changing it back to 5000 (to use https) it still throws me that error “Certificate has expired”.
Doing the same thing with postman or curling from my CHT server works, however doing it from medic-os docker container fails with

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I am mapping my privkey to

/srv/settings/medic-core/nginx/private/default.key

and my fullchain.pem to

/srv/settings/medic-core/nginx/private/default.crt

Do I need to have them somewhere else?

Upgrading curl in the container, makes that I am able to curl from inside of the container, so seems to me that there is no firewall or certificate issue but I could be wrong. However it still fails when pushing with the error “certificate expired”.

Seems like this could be related to the ubuntu image used, might be too old (unsure if this is the issue though, but it’s the only thing we can think of right now)

Definitely! Sorry for not getting back in time.
Tagging @hareet or @henok for info about MedicOS SSL errors.

@magp18 - Can you confirm where the “Certificate has expired” error is happening? As I understand it you’re trying to configure CHT with an Outbound push to OpenHIm. So is the CHT reporting that OpenHIE has an invalid certificate? Can you post logs where you see this error so we can get more context? As well, can you confirm the version of CHT you’re on?

Otherwise, to set up a valid certificate on CHT 3.x, you can see the docs here.

Finally if you want to test with fully valid TLS certificates, it can be helpful to use the freely available wildcard ones at Local IP. We even have an automated script to install these for you if you’d like.

The Local IP certificates are for testing and develop ment only - they are insecure by design!

That is happening inside the medic-os container. As soon as I updated curl I was not having it anymore (curling inside of the container) but I am still getting it after the push is triggered by submitting a form and checking the sentinel logs.
From the sentinel logs I have this:


I am not sure what other logs I can show you, they seem to not be related but if you now anything that would help, let me know and I will post it.
I have my certs created with certbot mapped to the right path as mentioned in the first link you sent, are they not fully valid TLS certificates?

Do you think we can take out nodejs & nginx in different containers and not in medic-os ? then we could have the latest version and perhaps could help ?

@magp18 - thank you so much for that screenshot! The Error: certificate has expired is super helpful to see.

I set up a dev instance and set two outbound pushes, one to a known expired cert (https://expired.badssl.com/) and one to know NOT expired cert (https://medic.org). I thought the first would fail and second would succeed. They BOTH failed :disappointed: . This is a potential bug, so I’ve opened a ticket for us to research this.

When I get some more time I’ll see if this persists in CHT 4.

Speaking of CHT 4 - we recommend upgrading! The new CHT Docker Helper is great (I helped write it ;).

Cheers,
-adj

Following up to say I confirmed this problem is not present in CHT 4.0.1.

Following up again to note that a formal, permanent fix has just been merged to master. The patch script is here and the background ticket is here.

We may publish more information about this patch, but I wanted to keep this thread up to date!

1 Like