Thanks a lot for the help Jim. I've responded to your questions inline in RED (assuming your mail client supports colors), prefaced with [FROSS].
Your information is really helpful Jim and I appreciate the time you took to respond. Given I can download the Chase information successfully, it seems like AQBanking is working.....but not sure why CITI works on Ubuntu but not Windows. I could only test v3.2 on Ubuntu, so I think I'll downgrade my Windows version to v3.2 and see if that works. It's a bit more of an "apples to apples" comparison.

Michael

On Sun, Oct 28, 2018 at 2:22 AM Jim Maki via gnucash-user <gnucash-user@gnucash.org> wrote:

> Three areas of comment to some potential problem areas ...
>
> ===========> Windows certificate bundle is OK
>
> To verify the Windows certificate file is not an issue I copied the
> following certificate bundle from Windows to Ubuntu:
> C:\Program Files (x86)\gnucash\share\gwenhywfar\ca-bundle.crt
>
> On Ubuntu, Citi's cert was validated using the Windows cert bundle via
> the following command:
> curl ... \
>     --cacert ca-bundle.crt --capath . \
>     https://www.accountonline.com/cards/svc/CitiOfxManager.do
>
> So the Windows GnuCash certificate bundle is not the issue.
>
> ===========> Error on gnutls_bye: -24 might be some password issue
>
> Looking at:
>
> http://mcs.une.edu.au/doc/manual/gnutls.html
>
> the theme for error code -24 (GNUTLS_E_DECRYPTION_FAILED) was about
> passwords, either no password, password not in ASCII, wrong, ... . This
> is a certificate password vs your password which is passed in the OFX
> XML and not used in the connection setup.
>
> ===========> Comparing your vs my system output - where does it differ?
>
> Can you compare your system with the following from my Windows 10?
>
> On a powershell terminal session see what's the default text encoding
> via "[System.Text.Encoding]::Default":
>
> PS===> [System.Text.Encoding]::Default
>
> IsSingleByte : True
> BodyName : iso-8859-1
> EncodingName : Western European (Windows)
> HeaderName : Windows-1252
> WebName : Windows-1252
> WindowsCodePage : 1252
> IsBrowserDisplay : True
> IsBrowserSave : True
> IsMailNewsDisplay : True
> IsMailNewsSave : True
> EncoderFallback : System.Text.InternalEncoderBestFitFallback
> DecoderFallback : System.Text.InternalDecoderBestFitFallback
> IsReadOnly : True
> CodePage : 1252

[FROSS] My output matches yours.

> On a DOS terminal session get the OS version via "ver":
>
> ===> ver
> Microsoft Windows [Version 10.0.17134.376]

[FROSS] Mine seems to be a bit of an older build: Microsoft Windows [Version 10.0.17134.345]

> On the same DOS terminal see the AqBanking version:
>
> ===> cd "C:\Program Files (x86)\gnucash\bin"
> ===> aqbanking-cli.exe versions
> 3:2018/10/27 21-25-19:gwen(5224):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/i18n.c: 120: No translation found for WIN32 locale [English_United States.1252]
> Versions:
> AqBanking-CLI: 5.7.8
> Gwenhywfar : 4.20.0.0
> AqBanking : 5.7.8.0

[FROSS] I have the same version as you

> AqBanking version 5.7.8 looks like the latest:
> https://www.aquamaniac.de/sites/download/packages.php

[FROSS] I looked earlier as well. Looks like there is a 5.9.9 beta, but not a stable version.
https://www.aquamaniac.de/rdm/projects/aqbanking/files

> Run aqbanking-cli to show your accounts (note the locale error message):
>
> ===> REM Show the account to work with
> ===> aqbanking-cli listaccs
> 3:2018/10/27 20-20-43:gwen(8124):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/i18n.c: 120: No translation found for WIN32 locale [English_United States.1252]
> Account www.accountonline.com YOURCCACCOUNT www.accountonline.com Citigroup

[FROSS] This shows a Chase credit card, but not Citibank account. GNUCash shows the user defined, but I don't think I ever successfully connected to my bank. I get the "Error on gnutls_bye: -24" error when I first attempt to contact the bank before I ever even enter in my account password. When setting up a new user, but before "Retrieve Accounts" the setup tool reaches out to the bank. I get the following output:

TITLE: Setting Up OFX DirectConnect User
-----------------------------------------------------------
10:56:12 Retrieving SSL certificate
10:56:12 Connecting to server...
10:56:12 Using GnuTLS default ciphers.
10:56:12 TLS: SSL-Ciphers negotiated: TLS1.2:ECDHE-RSA-AES-256-GCM:AEAD
10:56:12 Signer not found
10:56:12 Certificate is not trusted
10:57:21 Connected.
10:57:21 Error on gnutls_bye: -24 (Decryption has failed.)
10:57:21 Disconnected.
10:57:21 Connection ok, certificate probably received
10:57:21 Operation finished, you can now close this window.

The attempt times out (I have to wait 30 seconds or so) and then I accept the certificate. So it seems the account never gets configured into AQBanking...that's a hint I think. AQBanking does not record the account.

> Make a request that will show the details of the cert request (password
> required).
> I'd be curious as to how your output differs:
>
> ===> aqbanking-cli request --balance
> 3:2018/10/27 20-14-37:gwen(10536):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/i18n.c: 120: No translation found for WIN32 locale [English_United States.1252]
> ===== Executing Jobs =====
> AqBanking v5.7.8.0stable
> Sending jobs to the bank(s)
> Locking user YOURUSERID
> ===== Enter Password =====
> Please enter the password for user YOURUSERID
> Input: YOURPASSWORD
> 3:2018/10/27 20-14-44:(null)(10536):C:/gcdev64/gnucash/releases/src/aqbanking-5.7.8/src/plugins/backends/aqofxconnect/plugin/network.c: 82: Saving response in "/tmp/ofx.log" ...
> Saving communication log to /tmp/ofx.log
> Sending request...
> Connecting to server...
> Resolving hostname "www.accountonline.com" ...
> IP address is "104.65.4.169"
> Connecting to "www.accountonline.com"
> Connected to "www.accountonline.com"
> Using GnuTLS default ciphers.
> TLS: SSL-Ciphers negotiated: TLS1.2:ECDHE-RSA-AES-256-GCM:AEAD
> Signer not found
> Certificate is not trusted
> 5:2018/10/27 20-14-44:aqbanking(10536):C:/gcdev64/gnucash/releases/src/aqbanking-5.7.8/src/libs/aqbanking/gui/abgui.c: 165: Automatically accepting certificate [D0:7D:90:E7:63:F0:59:E0:CE:D2:62:82:61:4A:68:68]
> Connected.
> Sending message...
> Message sent.
> Waiting for response...
> Receiving response...
> HTTP-Status: 200 (OK)
> Response received.
> Disconnecting from server...
> Disconnected.
> Parsing response...
> 3:2018/10/27 20-14-45:(null)(10536):C:/gcdev64/gnucash/releases/src/aqbanking-5.7.8/src/plugins/backends/aqofxconnect/plugin/network.c: 171: Saving response in "/tmp/ofx.log" ...
> Parsing response
> Status for signon request: Success (Code 0, severity "INFO")
> The server successfully processed the request.
> Status for transaction statement request: Success (Code 0, severity "INFO")
> The server successfully processed the request.
> Unlocking user YOURUSERID
> Executing Jobs: 1 of 1
> Postprocessing jobs
> Job Get Balance: finished
> Resetting provider queues
> Executing Jobs: Finished.
> ...

[FROSS] Because I can't try this with a citibank account as none is present in AQBanking, I did try this with my Chase account.

C:\Program Files (x86)\gnucash\bin>aqbanking-cli.exe request --balance
3:2018/10/28 10-58-58:gwen(22020):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/i18n.c: 120: No translation found for WIN32 locale [English_United States.1252]
===== Executing Jobs =====
AqBanking v5.7.8.0stable
Sending jobs to the bank(s)
Locking user <Account ID>
===== Enter Password =====
Please enter the password for user <Account ID>
Input: <Account Password>
******************************
Sending request...
Connecting to server...
Resolving hostname "ofx.chase.com" ...
IP address is "159.53.44.44"
Connecting to "ofx.chase.com"
Connected to "ofx.chase.com"
Using GnuTLS default ciphers.
TLS: SSL-Ciphers negotiated: TLS1.2:ECDHE-RSA-AES-128-GCM:AEAD
Signer not found
Certificate is not trusted
Accquiring lock: Started.
Accquiring lock: 2812 of 60000
<......>
Accquiring lock: 59984 of 60000
Accquiring lock: 59999 of 60000
Accquiring lock: Finished.
3:2018/10/28 11-04-37:gwen(39044):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/plugins/configmgr/dir/cfgdir.c: 469: Could not lock group [shared/certs]: 2
3:2018/10/28 11-04-37:aqbanking(39044):C:/gcdev64/gnucash/releases/src/aqbanking-5.7.8/src/libs/aqbanking/banking_cfg.c: 303: Could not lock shared group [certs] (-109)
4:2018/10/28 11-04-37:aqbanking(39044):C:/gcdev64/gnucash/releases/src/aqbanking-5.7.8/src/libs/aqbanking/gui/abgui.c: 147: Could not lock certs db, asking user (-109)
===== Certificate Received =====
3:2018/10/28 11-04-37:gwen(39044):C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/buffer.c: 527: Pointer outside buffer size (257 bytes)
Assertion failed!
Program: C:\Program Files (x86)\gnucash\bin\aqbanking-cli.exe
File: C:/gcdev64/gnucash/releases/src/gwenhywfar-4.20.0/src/base/memory.c, Line 426
Expression: p

I don't see the "Error on gnutls_bye: -24" error here, but I frankly don't understand the errors at the end. This Chase account can download successfully in GNUCash.

> At some point yours will differ and that may give a hint. I assume your
> AqBanking users/accounts is similar to the one I provided previously.
>
> Jim
>
> _______________________________________________
> gnucash-user mailing list
> gnucash-user@gnucash.org
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> If you are using Nabble or Gmane, please see
> https://wiki.gnucash.org/wiki/Mailing_Lists for more information.
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
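
Added example, not part of the original thread and not AqBanking code: a small Python triage script that splits aqbanking-cli style output into one record per connection and reports where a certificate failed validation, where it was accepted anyway, and where the TLS shutdown returned an error such as -24. The sample log, host names and fingerprint are constructed, and it assumes any bracketed 16-byte fingerprint in a session is the accepted certificate.

```python
import re

HOST = re.compile(r'Connecting to "([^"]+)"')
CIPHER = re.compile(r"SSL-Ciphers negotiated: (\S+)")
BYE = re.compile(r"Error on gnutls_bye: (-?\d+)")
FPR = re.compile(r"\[((?:[0-9A-F]{2}:){15}[0-9A-F]{2})\]")

# Constructed sample: two sessions modelled on the output quoted in this thread.
# Host names and the fingerprint are made up; the first session is mail-quoted.
SAMPLE = """\
> Connecting to "ofx.bank-a.example"
> TLS: SSL-Ciphers negotiated: TLS1.2:ECDHE-RSA-AES-256-GCM:AEAD
> Signer not found
> Certificate is not trusted
> 165: Automatically accepting certificate
> [00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF]
> Connected.
Connecting to "ofx.bank-b.example"
TLS: SSL-Ciphers negotiated: TLS1.2:ECDHE-RSA-AES-128-GCM:AEAD
Connected.
Error on gnutls_bye: -24 (Decryption has failed.)
"""

def parse_sessions(text):
    """Split a log into per-connection records keyed on the 'Connecting to' line."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        if m := HOST.search(line):
            cur = {"host": m.group(1), "cipher": None, "untrusted": False,
                   "accepted_fpr": None, "bye_error": None}
            sessions.append(cur)
        elif cur is None:
            continue  # ignore anything before the first connection
        elif m := CIPHER.search(line):
            cur["cipher"] = m.group(1)
        elif line in ("Signer not found", "Certificate is not trusted"):
            cur["untrusted"] = True
        elif m := FPR.search(line):
            cur["accepted_fpr"] = m.group(1)
        elif m := BYE.search(line):
            cur["bye_error"] = int(m.group(1))
    return sessions

def findings(session):
    """Return the points a reviewer should follow up for one session."""
    out = []
    if session["untrusted"] and session["accepted_fpr"]:
        out.append("untrusted certificate accepted: " + session["accepted_fpr"])
    elif session["untrusted"]:
        out.append("certificate failed validation")
    if session["bye_error"] is not None:
        out.append(f"TLS shutdown error {session['bye_error']}")
    return out
```
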