Troubleshooting Webhook Connection Problems

Last modified October 5, 2018

This article applies to Contextual Commerce. (Looking for Classic Commerce documentation?)

When a webhook event fails to post successfully, FastSpring will automatically retry sending the event every 10 minutes until we receive a response of "200" or "202", or until 24 hours have passed since the first attempt. Every 24 hours, If there have been any failed / unprocessed events that have not yet been resolved, FastSpring will email the alert email address configured for your Store to notify you of the problem.

This article provides information on troubleshooting posting errors that result from connection problems.

Viewing Recent Server Webhook Activity

To review recent activity, including unprocessed / unsuccessful events, log in to the Dashboard and select the Integrations menu and the Webhooks tab, and then click RECENT ACTIVITY for one of your webhook configurations.

Example of a webhook configuration with the RECENT ACTIVITY command highlighted

By default, the Recent Server Webhook Activity dialog will show the 250 most recent events, starting with the most recent first. Both processed and unprocessed events will be included, but you can click the drop-down selector in the FILTER field and choose to display only processed or only unprocessed events.

Example of the Recent Server Webhook Activity dialog

Any unprocessed events (i.e., events for which FastSpring did not receive a "200" or "202" response) will be shown with a red band indicating the date and time (UTC) and the event type, as in the illustration below.

Example of an unprocessed event in the Recent Server Webhook Events dialog

In some cases, a second text area will be shown below the event payload for unprocessed events. The second text area may contain information about why the event was not processed successfully (e.g. the response received from the specified endpoint).


Connection Problems

If the error info section of an unprocessed event includes an error such as {“message”:“Received fatal alert: handshake_failure”} or an HTTP 403 error code, this may indicate that FastSpring was unable to establish a secure connection to your server (i.e., the server specified in your webhook URL).

TLS 1.2

In the interest of data security, FastSpring requires that all servers targeted with webhook posts must support and use the TLS 1.2 protocol for the connection. If your server does not support TLS 1.2, this may prevent FastSpring from posting webhook events to your server. In that case, consult your network administrator and / or web hosting provider to find out whether or not TLS 1.2 support can be enabled.


Supported Cipher Suites

FastSpring supports 26 different cipher suites for encrypting the data we post via webhooks. However, some TLS 1.2-compatible cipher suites may not be supported. In order for FastSpring to successfully establish a secure connection to your server, both FastSpring and your server must agree on the specific cipher suite to be used. If none of the cipher suites supported by FastSpring match any of the cipher suites supported by your web server, this may prevent FastSpring from posting webhook events to your server.

Listed below are the cipher suites currently supported by FastSpring. To find out which cipher suites are supported by your server, you can consult with your network administrator and / or web hosting provider; your web host may have that information available in an FAQ or knowledge base article. Alternatively, you can use the SSL Labs tester described later in this article.


Cipher Suites Supported by FastSpring
Cipher#  0 : TLS_RSA_WITH_AES_256_CBC_SHA256
Cipher#  1 : TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Cipher#  2 : TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Cipher#  3 : TLS_RSA_WITH_AES_256_CBC_SHA
Cipher#  4 : TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Cipher#  5 : TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Cipher#  6 : TLS_RSA_WITH_AES_128_CBC_SHA256
Cipher#  7 : TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Cipher#  8 : TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Cipher#  9 : TLS_RSA_WITH_AES_128_CBC_SHA
Cipher#  10 : TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher#  11 : TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher#  12 : TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Cipher#  13 : TLS_DH_anon_WITH_AES_256_CBC_SHA256
Cipher#  14 : TLS_DH_anon_WITH_AES_256_CBC_SHA
Cipher#  15 : TLS_DH_anon_WITH_AES_128_CBC_SHA256
Cipher#  16 : TLS_DH_anon_WITH_AES_128_CBC_SHA
Cipher#  17 : SSL_RSA_WITH_DES_CBC_SHA
Cipher#  18 : SSL_DHE_RSA_WITH_DES_CBC_SHA
Cipher#  19 : SSL_DHE_DSS_WITH_DES_CBC_SHA
Cipher#  20 : SSL_DH_anon_WITH_DES_CBC_SHA
Cipher#  21 : TLS_RSA_WITH_NULL_SHA256
Cipher#  22 : SSL_RSA_WITH_NULL_SHA
Cipher#  23 : SSL_RSA_WITH_NULL_MD5
Cipher#  24 : TLS_KRB5_WITH_DES_CBC_SHA
Cipher#  25 : TLS_KRB5_WITH_DES_CBC_MD5


Using the SSL Labs Tester to Identify which Cipher Suites are Supported on Your Server

One way to find out what cipher suites are supported by your server is to use the SSL Labs tester found at https://www.ssllabs.com/ssltest/index.html.

Image of the SSL Labs Server Test tool

In the Hostname field, enter the domain of your webhook URL and then click Submit.  For example, if your webhook URL is https://furiousfalcon.com/api/webhooks.php, you would enter furiousfalcon.com.

The SSL Report takes a few minutes to run.  When it finishes, scroll down to the Configuration section of the report.

Example of the Configuration section of the SSL Labs report

  • Under Protocols, TLS 1.2 must show "Yes" because FastSpring requires that your server support TLS 1.2.
  • Under Cipher Suites, check the list of cipher suites supported in the #TLS 1.2 (suites supported in server-preferred order) section. Compare that list to the list of cipher suites supported by FastSpring, above. At least one of the cipher suites supported by FastSpring must be supported by your server, or else FastSpring may not be able to post webhook events to your server.

If none of the cipher suites match, consult your network administrator or web hosting company; you may be able to switch to a different certificate that will support one or more of the cipher suites supported by FastSpring.  (Note:  In some cases, this may require you to use a hosting provider's paid hosting service rather than a free offering.)

Also, if you are able to create your own security certificate, the certificate creation settings may also allow you to choose which cipher suite(s) will be supported.