INVALID_ACTIVATION_FINGERPRINT when trying to refresh license activation using Web API

I’m implementing the web API in our product to manage activation and automatic renewal (LexActivator would require us to build with cgo which we are trying to avoid)

I’ve been able to activate and deactivate licenses just fine, but am getting an INVALID_ACTIVATION_FINGERPRINT error when I try to renew with PATCH /v3/activations/{id}

I’m sending the exact same data in the PATCH request as in the POST request which creates the activation, the fingerprints are identical:

carson@archlinux ~/g/s/g/c/orchesto> go run main.go -activate B93413-C6CB8F-4FE284-21D6BA-7A93AA-91E25A
POST /activations:
        "key": "B93413-C6CB8F-4FE284-21D6BA-7A93AA-91E25A",
        "metadata": [],
        "os": "linux",
        "fingerprint": "9b3031cbdbeeaf97f51b647525389def90200008fa1d2cde86752ca839957aac",
        "hostname": "archlinux",
        "appVersion": "0.0.0",
        "userHash": "6557a98c5b070d56c568b3bd8fe978cb1ea14a58940941e1a80da510df2d55dc",
        "productId": "a6ec15de-49a6-4f9a-9625-5121a35167c1"

carson@archlinux ~/g/s/g/c/orchesto> go run main.go -renew
PATCH /activations/9f06dce9-c379-4caf-a34b-871ac7438e37:
        "key": "B93413-C6CB8F-4FE284-21D6BA-7A93AA-91E25A",
        "metadata": [],
        "os": "linux",
        "fingerprint": "9b3031cbdbeeaf97f51b647525389def90200008fa1d2cde86752ca839957aac",
        "hostname": "archlinux",
        "appVersion": "0.0.0",
        "userHash": "6557a98c5b070d56c568b3bd8fe978cb1ea14a58940941e1a80da510df2d55dc",
        "productId": "a6ec15de-49a6-4f9a-9625-5121a35167c1"
main: <ERROR> Could not renew license: API Error INVALID_ACTIVATION_FINGERPRINT (400 Bad Request) Server sync failed!

The activation id in the endpoint is correct, I pull it straight from the activation token and confirm in our dashboard that it’s right (and the rest of the details appear correct as well when printing the stored license data:)

carson@archlinux ~/g/s/g/c/orchesto> go run main.go -license
Product key: B93413-C6CB8F-4FE284-21D6BA-7A93AA-91E25A
        Key:              B93413-C6CB8F-4FE284-21D6BA-7A93AA-91E25A
        ProductID:        a6ec15de-49a6-4f9a-9625-5121a35167c1
        ActivationID:     9f06dce9-c379-4caf-a34b-871ac7438e37
        Type:             node-locked
        Issued At:        2018-31-10 09:42:03 UTC
        Expires:          2019-31-10 00:43:12 UTC
        Renew By:         2018-31-10 10:42:03 UTC
        Renew By Latest:  (no grace period included in license)
        Renew Interval:   1h0m0s
        Operating System: linux
        Node Fingerprint: 9b3031cbdbeeaf97f51b647525389def90200008fa1d2cde86752ca839957aac

Does the invalid fingerprint error refer to the node fingerprint I send in the request or is there something else about the request that isn’t right?

Hi Carson,

Using API directly is not recommended as you miss out on our advanced fingerprinting algo, encryption and RSA signature verification.

You will face many issues with fingerprinting where fingerprints on user machines change, not sure what you are using to create a fingerprint.

If you continue to go with the API, then make sure you set fingerprint matching strategy to “Exact” as you are using a custom fingerprint.

Did you parse the JWT activation token?

Fingerprinting is quite simple at the moment, we plan to work on it to make it more flexible. Is there any documentation on how fuzzy fingerprint matching works for future reference?

I’ve taken care of the encryption and signature verification already. My main concerns are getting fingerprinting working well enough and finding a way to implement VM detection, which is also very challenging without cgo as it typically requires particular machine-language instructions which can’t be used by go directly

I verified and decoded the JWT token and used it to inform the product of things like product features, renew times and expiration dates.

Is using PATCH /v3/activations/{id} the correct way to refresh an activation? As a fallback I’m deactivating the license and making another call to POST /v3/activations

You can’t use “fuzzy” fingerprint matching strategy with a custom fingerprint. It works only for fingerprint generated through LexActivator.

Many keys in the JWT token are abbreviated, I hope you were able to understand them properly. I can provide you with full names, in case of any ambiguity. Please do honor server sync frequency interval, that way you can control it from the dashboard.

Yes, it is the correct way. Your fallback option will only work if fingerprint doesn’t change.

Is the fuzzy matching specific to LexActivator fingerprints? As in it’s a trade secret and can’t be leveraged while using the API? Is it the same for the loose matcher?

I have set the matcher to exact, however I still get the invalid fingerprint error when using the PATCH endpoint despite the request bodies being identical for creation and updating of the activation.

Regarding the delete/create flow, it seems to me it would still work if the fingerprint changes, no? Since the delete endpoint doesn’t require a fingerprint, the subsequent activation would just contain the new token, right?

Yes, it is a trade secret. I previously mentioned that fingerprint strategy should be exact, actually for custom fingerprints this property is ignored, and the match is always exact.

Fingerprint should have been base64 encoded, we have removed this restriction for custom fingerprints and it should work now.

Yes delete/create flow will work. Since you are using API, make sure you do implement suspend/revoke functionality so that you can control it from dashboard.

Yes, it works now. Thanks for the help!

About functionality I need to implement - currently I am only building against:

  • POST /v3/activations
  • DELETE /v3/activations/{id}
  • PATCH /v3/activations/{id}

The dashboard has worked well for me so far, is that sufficient to keep it working? From what I can tell other endpoints require authorization

Yes, LexActivator uses only these three endpoints for license activation/sync/deletion. If you want to implement trials too, you will need to implement trial activation endpoints too.

1 Like