I’m trying to make a call from my localhost to the api, this returns an SSL certificate error.
So I tried installing a self-signed SSL certificate on Windows but turns out that’s a lot harder than you’d think (why can’t I use Linux? ).
Is there anyway I can use the api without an ssl or is it 100% needed? Is there an alternative url for non-ssl sites? I tried the api but http instead of https but that times out (so I’m guessing no)
Sounds like you just need certificates which can validate the RCA. Under Windows I have experienced some certificate issues around this. Still not quite sure why this is such a pain… Anyway I’d start with the thread mentioned e.g.
For what it’s worth: I can access the API (via https) using VBA in Microsoft Access, on Windows 10. I have not installed any certificates. You would only need certificates if the server required you to authenticate that way, and it doesn’t - the API Key is sufficient. My code uses the class: MSXML2.ServerXMLHTTP60, so give that a try. More info here:
As DMW says “You would only need certificates if the server required you to authenticate that way, and it doesn’t”. This is correct as it goes - using CH shouldn’t need any kind of self-signed certificate.
We’re going rather off-topic for a site to do with the CH API but here are a few issues that we’ve encountered where programming tools / environment requires some help to provide / specify where to find root certificates.
There are a lot of different issues which could be causing you trouble (see this error list for example) I don’t know if the following apply to you but here are a couple of issues which cropped up for us. These lead to certificate errors along the line of “certificate verify failed / can’t find / check certificates”. Again this is not exhaustive!
Your tool / language tries to verify the returned certificates by default and you need to specify something to check them against.
Check your URL function / library / command. If it’s relying on something like libcURL, you may need to specify the location of the root certificates. (Beware - some systems require an absolute file path to the certificates). If you need some root certificates you can get a set from e.g. curl (see later for checking you’ve got what you need).
It may be possible to turn off certificate checking so sidestep the issue (e.g. see this article covering PHP) but this is not recommended.
If this step seems OK but you still have issues see the next two points.
Root certificates aren’t where part of the system thinks they are.
On some setups it’s possible to have the web server / SSL library and the programming language library you’re using looking in two different places for certificates. This shouldn’t be a problem if you’re manually specifying the location however. See your server / SSL library / programming language config docs / forums.
The particular root certificate needed is not in your collection. (There’s also a specific issue with the openSSL tool here which has affected us).
How do you know if you’ve got the right one? You can often use a browser to find what certificate the site uses and the authority certifing this (see e.g. this article). Ideally you’d just get the root certificate for the certifying authority, provide that to your SSL tool and all would work. If downloading documents, note that the images are actually provided through Amazon servers which require different root certificates.
However due to the details of the process you can have an issue here. (If you need this next section this introduction certificate chains and this more detailed article about chains might be useful before going further.) As explained in detail at the excellent article (in python context) here, some set-ups of openSSL verify certificates in a different way to e.g. browsers. This means that you need to have a copy of the root certificate at the end of the chain. (To see what this is you can use e.g. the openSSL tool). Currently for CH API / document API this is the Equifax Secure Certificate Authority certificate. This doesn’t seem to be in some standard certificate collections e.g. the curl collection above, so you may need to either provide this specifically when calling your SSL / TLS / https download routine or add it to your certificate collection.