EventSub Challenge Not Reaching My Server

Hello,

I’m trying to figure out how to get Twitch to send my web server notices when someone redeems channel points. I’ve got to the point where the eventsub/subscriptions endpoint is returning JSON containing a status of webhook_callback_verification_pending, and I can see the subscription attempt if I poll all of my subscriptions, but after a few minutes the status changes to webhook_callback_verification_failed. In this time, I see no record of Twitch hitting my server. If I click the URL in the “callback” field of Twitch’s response JSON, my browser opens the callback page successfully, so they’ve got the right URL.

My callback URL is a PHP script that logs all requests to a file, and then if it recognizes an EventSub challenge request, it responds as outlined in the API documentation. The PHP script’s logging and Apache’s logging both show no evidence that anyone other than myself has accessed the script. The web site in general has traffic from other sources, but not specifically the callback script.

//My PHP code
$raw_request = file_get_contents('php://input');
$decoded_request = json_decode($raw_request);
// json_decode() returns null on invalid JSON, so compare strictly
if ($decoded_request !== null) {
	if (isset($decoded_request->challenge)) {
		// The challenge must be echoed back verbatim as the plain-text response body.
		// The API doc text puts the length in Content-Type; that belongs in Content-Length,
		// and the doc's JS example uses text/plain, which is the header the response should carry.
		header('Content-Type: text/plain');
		header('Content-Length: ' . strlen($decoded_request->challenge));
		echo $decoded_request->challenge;
	}
}

I’ve called my own script from Postman using the sample challenge request provided in the API documentation, and confirmed it returns a 200 status code, Content-Type is either “32” or “text/plain” depending on which of the conflicting instructions I follow, and the body contains only the sample challenge. The server does use HTTPS and is fully open to the public on a registered DNS host name (https://cowness.net), encrypted with a Let’s Encrypt cert.

Anyone have any ideas? I saw another thread where the first response was asking about the SSL cert used; could Twitch not like Let’s Encrypt?

Thanks.
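Added example, not code from this thread or from Twitch: the callback-side logic in Python, including the signature check that should gate the challenge reply once requests actually arrive. It assumes the Twitch-Eventsub-Message-* headers and the "sha256=" HMAC-SHA256 scheme from the EventSub webhook documentation; the secret, message id, timestamp and body below are constructed.

```python
import hashlib
import hmac
import json

# Constructed for this example: the secret you supplied in the subscription request body.
SECRET = b"example-shared-secret-not-real"

def expected_signature(secret: bytes, message_id: str, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over message_id + message_timestamp + raw_body, as Twitch computes it."""
    mac = hmac.new(secret, message_id.encode() + timestamp.encode() + raw_body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()

def handle_eventsub(headers: dict, raw_body: bytes, secret: bytes = SECRET) -> tuple:
    """Return (status, content_type, body) for one EventSub webhook delivery."""
    h = {k.lower(): v for k, v in headers.items()}
    message_id = h.get("twitch-eventsub-message-id", "")
    timestamp = h.get("twitch-eventsub-message-timestamp", "")
    presented = h.get("twitch-eventsub-message-signature", "")
    expected = expected_signature(secret, message_id, timestamp, raw_body)
    # Reject anything not signed with our secret before trusting the body (constant-time compare).
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return 403, "text/plain", b"invalid signature"
    if h.get("twitch-eventsub-message-type") == "webhook_callback_verification":
        challenge = json.loads(raw_body).get("challenge")
        if not isinstance(challenge, str):
            return 400, "text/plain", b"missing challenge"
        # The raw challenge string is the whole body: text/plain, no JSON, no quotes.
        # Its length belongs in Content-Length, which the server derives from the body.
        return 200, "text/plain", challenge.encode()
    # notification / revocation: acknowledge immediately and do the real work elsewhere.
    return 204, "text/plain", b""

# Constructed sample delivery, shaped like the verification request in the Twitch docs.
SAMPLE_BODY = json.dumps({
    "challenge": "constructed-challenge-value",
    "subscription": {"type": "channel.channel_points_custom_reward_redemption.add",
                     "status": "webhook_callback_verification_pending"},
}).encode()
SAMPLE_ID = "constructed-message-id"
SAMPLE_TS = "2021-01-01T00:00:00.000Z"

def sample_headers(body: bytes = SAMPLE_BODY, secret: bytes = SECRET) -> dict:
    """Headers Twitch would send for `body`, signed with `secret` (constructed values)."""
    return {
        "Twitch-Eventsub-Message-Id": SAMPLE_ID,
        "Twitch-Eventsub-Message-Timestamp": SAMPLE_TS,
        "Twitch-Eventsub-Message-Type": "webhook_callback_verification",
        "Twitch-Eventsub-Message-Signature": expected_signature(secret, SAMPLE_ID, SAMPLE_TS, body),
    }
```

Calling `handle_eventsub(sample_headers(), SAMPLE_BODY)` yields the 200/text-plain/challenge triple; a body altered after signing, or a request signed with a different secret, is refused with 403 before the challenge is ever read.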

  1. Check SSL Server Test (Powered by Qualys SSL Labs) for your SSL configuration to be valid
  2. Check if you have cloudflare or other firewall software blocking
  3. Check that your code doesn’t hit a URL and redirect to another location as it won’t follow redirects

I use LE so it’s not a LE issue. Most likely a configuration or firewall. (the latter more likely)

That site gives me a B rating, citing an incomplete chain, not sure if Twitch would care about that. But it supports TLS 1.3, “Certificate” bar is at 100, “Cipher Strength” is 90.

There isn’t anything complicated like software firewalls or Cloudflare involved. Just my router and ISP, but I haven’t had any issues with my ISP blocking anything.

There shouldn’t be any redirects. I’m linking directly to a PHP script, and in Postman I’m getting a 200 status, not a 302.

That would be the issue.

You should have a fullchain file that contains usually 3 certificates.
You should be using that.

Browsers are more “lax”, but you should be using a fullchain.

That fixed it, thanks. I had Apache using the LE cert.pem instead of fullchain.pem for the cert chain file. Changed that, restarted Apache, and now I’m looking at “Status: Enabled” on my event sub. Cool.