We have several applications that use REST API to retrieve data out of Epicor. All has been fine until our IT department tried to add some certificates to our server for SSO. Epicor started throwing errors so they took them out. Epicor is running ok (at least it seems that way) but now we are getting Connection Reset errors when we try to run the code that uses the REST API.
Does anyone have any ideas what could cause that?
1 Like
If you were using self-signed certificates and then got “real” certificates and the Fully Qualified Domain Name is different, then the new cert will fail if your code is calling https://server/instance instead of https://server.domain.com/instance.
Just a thought.
1 Like
I think I understand what you are saying. I was just using the first example. In Postman I tried the version with the domain but I am getting the same error.
Show your work, please. 
No error code? We can’t help you.
Here is my code in VBA. I have tried using https://tpa1-eas01.asi.com/EpicorERP/api/v1/BaqSvc/ASI_CDRL_Login/ which is the one with the domain but I get the same error. The status code is 12031 which is connection reset. I also have a link on my browser for the Epicor Rest API Help page but that gives me the error also.
Set objRequest = CreateObject("MSXML2.XMLHTTP")
blnAsync = True
strUrl = "https://tpa1-eas01/EpicorERP/api/v1/BaqSvc/ASI_CDRL_Login/"
With objRequest
.Open "GET", strUrl, blnAsync
.setRequestHeader "Content-Type", "application/json"
.setRequestHeader "Accept", "application/json"
.setRequestHeader "Authorization", "Basic " & EncodeBase64()
.send
'spin wheels whilst waiting for response
While objRequest.ReadyState <> 4
DoEvents
Wend
If .Status <> 401 Then
isAuthorized = True
Else
isAuthorized = False
End If
strResponse = .responseText
End With
So I would ask IT, what is the domain on the new certificate for?
"https://tpa1-eas01/EpicorERP/api/v1/BaqSvc/ASI_CDRL_Login/"
tpa1-eas01 has no domain on it, and the connection will indeed reset. Once they tell you, add that to your StrUrl AND when testing in Postman.
Postman has a setting that ignores certificate errors. If you change that, you will get the error in Postman as well. There are many posts here on the forum discussing this very issue.
I did try the domain added into the string but I still get the same error. I tried in Postman also, same thing. The Postman setting for SSL certificate validation is off.
I’m assuming you rebooted it?
What happens if you just go to:
https://tpa1-eas01.domain.com in a browser? Do you get a certificate error like this?
If you click on the Not Secure (assuming Edge, but Chrome has something similar)
and then the “Your connection to this site isn’t secure” line, you will see this:
Click on the little certificate icon in the upper-right hand side:
Does the Common Name (CN) match what you are entering in the URL and Postman?
2 Likes
We still need to know in case it’s somehow still in there, but he did say:
We tried rebooting with no change. I have tried the domain URL but I still get the connection reset error:
One thing I noticed is that where I thought the api directory should be isn’t there. I mean when I go to the app server and go to Epicor\Websites\EpicorERP I would have expected the api directory to be there looking at the URL but it isn’t there. We did a restore from before the certs were applied (to a different space) to look at the directory structure they aren’t there either. The web.config files look the same too. There is an Epicor-EDD directory there that appears to contain some REST stuff but not the api directory.
Our last resort will be to restore the server from a backup before the certs were applied. The certs didn’t work for the SSO anyway so it won’t hurt to go back.
1 Like
Need more info Jeanne. Let’s start with your current version of Epicor and Windows. By SSO, do you mean Windows AD or Entra ID? You haven’t mentioned what common name the cert has or had.
Also, in ASP.Net programs, you won’t see files like a traditional web site. IIS is executing .NET code usually zipped up into a few files.
Certificate management is first a Windows issue. If it doesn’t work there, it won’t work in Kinetic/Epicor. Epicor is running on IIS. In the past, Epicor created self-signed certs to simplify the process, but even they don’t recommend using them in the Installation Guide. Epicor is runninig on that service, so it has to be working first. Other integrations will need it too, eventually, so it’s useful to slay this dragon earlier than later.