Invalid Signature Webhook

@demian85 if it happened suddenly then that sounds like a Stripe issue. I’d recommend you reach out to them.

Make sure your webhook secret didn’t expire.

The plugin wouldn’t just stop working.

Hi @mrclayton

After a long exchange with Stripe, they keep blaming the woocommerce plugin that is causing the issue from above. What is going on:

There are different domains in the stripe account with each a different webhook. Somehow it tries to communicate with a transaction made on domain X, by verifying it on domain Y, it then causes an obvious 401 error. It’s mixing the transactions between the domains.

Have you ever heard of this issue before and what could be the cause?

With thanks,
Demian

Hi @demian85,

Stripe does not recommend that you have multiple websites for the same Stripe account. That is because Stripe sends the event to each webhook that you have configured. To avoid the issue you’re having where a webhook for domain A is going to domain B, you should create a new Stripe account for each website that you operate.

Login to stripe.com and in the upper left hand corner, click the New account button. That will allow you to setup an account for each domain.

Kind Regards,

Hi @mrclayton

This is strange because we have since February this set up, and only since 3 weeks the webhooks showing problems. The first indication was on July 28, this was after your release of 3.3.6. A new account is not a solution, we are 1 company with 8 webshops.

This is strange because we have since February this set up, and only since 3 weeks the webhooks showing problems.

When something stops working suddenly it’s usually because something on your site or server has changed. The Stripe plugin’s webhook code has not been changed in for many releases so it wouldn’t just stop working as a result of the plugin. Is the webhook failing on the site domain that matches to the webhook domain? Did you not have the other 7 webhooks configured until recently?

we are 1 company with 8 webshops

Here is how webhooks work: Anytime there is a configured event that is triggered, Stripe will send it to each webhook that is configured for an account. If you have one Stripe account and 8 webhooks configured then Stripe will send the event to all 8 url’s. That event is unique to just 1 of the 8 domains, but if it’s sent to all 8 then 7 of the 8 will fail because that webhook signature doesn’t match.

A new account is not a solution, we are 1 company with 8 webshops.

That is the solution recommended by Stripe. Stripe recommends you have one account per webshop. If you aren’t willing to follow Stripe’s recommendation then these failures will continue since Stripe’s webhooks were not designed to be used this way.

The webhook payload does not contain any identifying info like a domain name so it’s not possible to write code that ignores the webhook if the domain doesn’t match.

Kind Regards,

We have now moved one domain to its own Stripe account, unfortunately same 401 error arises, as mentioned in my initial message.

Account acct_1JP9hwGJmcgHE5UY with event evt_3JPAcwGJmcgHE5UY1RrFdUic

@demian85 Check that your webhook secret is valid. I recommend you generate a new webhook secret and copy and paste that value into the plugin settings.

This is not a plugin bug. The webhook functionality works as long as the webhooks is configured properly.

Kind Regards,

Hi @mrclayton

Obviously with a new account I had to generate a new webhook and added this to the plugin settings.

Could you inform me what the client_secret in the logs represent? With what can I match this number?

• This reply was modified 3 years, 3 months ago by Demian.

Hi @demian85,

The message INFO Invalid signature received. Verify that your webhook secret is correct. happens when the validation of the webhook’s signature fails. You can see that in the following line of code:

https://docs.paymentplugins.com/wc-stripe/api/source-class-WC_Stripe_Controller_Webhook.html#50

That error message can only happen if the webhook signature that is entered in the plugin settings is different than the webhook signature used to sign the Webhook.

As an example, if I create a webhook for my test website, then copy and paste that secret into the Stripe plugin settings it works perfectly without any issues. So it looks like somewhere there is a flaw in how you’re setting it up. Here is a link to our webhook config guide:

https://docs.paymentplugins.com/wc-stripe/config/#/webhooks

@demian85

Could you inform me what the client_secret in the logs represent? With what can I match this number?

The client secret is used by the Stripe JS SDK to make secure requests to the Stripe API client side. It serves no purpose in the backend.

Hi @mrclayton

I have used this doc to set up the webhook. I checked even with DevTool to see if the value for the input field is matching the webhook; and it matches.

But I have discovered something else. I use the Click to Connect options in the API settings to connect it automatically with the Stripe account. It saves the publishable and live keys. When I look at the auto saved pk_test_ key, this one doesn’t match the keys from Stripe. So I think something is not right here with the Click to Connect option.

@demian85,

But I have discovered something else. I use the Click to Connect options in the API settings to connect it automatically with the Stripe account. It saves the publishable and live keys. When I look at the auto saved pk_test_ key, this one doesn’t match the keys from Stripe. So I think something is not right here with the Click to Connect option.

They won’t match. The keys generated from the Connect process are different from the keys you see in your dashboard. The connect keys will never be shown in the stripe.com dashboard. That’s not the issue here.

Okay, I am giving up on what is wrong here. I did a test webhook, it gives the same error. Any chance someone can look into the backend?

@demian85 please reach out to me via the Stripe plugin’s help button.

For anyone else who is facing a similar problem. The end conclusion from above was an off timestamp from the server. The timestamp in php.ini was 5 minutes off, Stripe does not accept this and throws a 401 invalid webhook:

By correcting the php.ini timestamp the problem was resolved.

@mrclayton you could set up a check point for this in the API settings: if timestamp differs, it throws a warning that the time isn’t linear.