Getting “WS Security Header in the message is invalid.” when calling ACAGetTransmitterBulkRequestStatus

Question

I've been able to make successfull call to first ACA web service and I thought, that getting status would be a breeze. Bo-o-oy how I have been wrong!

I've used same settings for the status service as I did for the submit one... and I got "WS Security header is invalid error!" What gives?!?! Signature generation code is the same as I been using for submission! I would appreciate if any one would be able shed some light what possibly is wrong here? I am aware, that following tags should be digitally signed(and I do signed them):

1. ACABusinessHeader
2. ACABulkRequestTransmitterStatusDetailRequest
3. Security timestamp

Here is my Request:

POST https://la.www4.irs.gov/airp/aca/a2a/1095BC_Status_Request_AATS2016 HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "RequestSubmissionStatusDetail"
Host: la.www4.irs.gov
Content-Length: 5217
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <Reference URI="#_1">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>KBLc15A=</DigestValue>
                </Reference>
                <Reference URI="#_2">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>dhkLQhzfkc=</DigestValue>
                </Reference>
                <Reference URI="#TS-ccf5abbbd36940f693d56b21ab489674">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>O179zVlJnyo=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>REDUCTED</SignatureValue>
            <KeyInfo>
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">-- Base64ed cert ---</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </KeyInfo>
        </Signature>
        <u:Timestamp u:Id="TS-ccf5abbbd36940f693d56b21ab489674">
            <u:Created>2016-04-01T15:02:00.505Z</u:Created>
            <u:Expires>2016-04-01T15:12:00.506Z</u:Expires>
        </u:Timestamp>
    </wsse:Security>
    <abh:ACABusinessHeader u:Id="_1" xmlns:abh="urn:us:gov:treasury:irs:msg:acabusinessheader">
        <UniqueTransmissionId xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">REDUCTED</UniqueTransmissionId>
        <Timestamp xmlns="urn:us:gov:treasury:irs:common">2016-04-01T11:02:58Z</Timestamp>
    </abh:ACABusinessHeader>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <ACABulkRequestTransmitterStatusDetailRequest u:Id="_2" version="1.0" xmlns="urn:us:gov:treasury:irs:msg:irstransmitterstatusrequest">
        <ACABulkReqTrnsmtStsReqGrpDtl xmlns="urn:us:gov:treasury:irs:ext:aca:air:7.0">
            <ReceiptId xmlns="urn:us:gov:treasury:irs:common">Receit Id</ReceiptId>
        </ACABulkReqTrnsmtStsReqGrpDtl>
    </ACABulkRequestTransmitterStatusDetailRequest>
</s:Body>

UPDATE1: I am more and more convinced, that something is up on their end with our certificate and status service. It looks like they unable to map receipt id to the proper certificate. At least they conformed, that structurally there is nothing wrong with the XML, that I've been sending them. But they unable to identify the actual problem. IRS asked me to recent them my request in the email again for farther investigation, which I did. Now will wait and c what will happen.

Answer 1

Well, long story short. Status service is working now. After all back'n'forthing IRS development team removed client configurations, which where marked as deleted and after that, seems, status service got itself a spirit to work. I am a bit weary about how situation has been resolved, but if it eventually started to work - let it be!

Answer 2

(I don't have enough reputation to add a comment)

@fatherOfWine, I noticed that the InclusiveNamespaces element is missing in your Transform elements. Sorry for stating something that you might already know, the included namespaces are factored in in the canonicalization of the XML and eventually the calculation of the SHA1 digests.

Send an email to IRS' ACA Technical Support and ask them to look at their logs if the three digest values you send are passing or matching their calculations. They'll be able to at least identify which of your digest values are passing and failing their checks. Let them know the TCC and local time you sent the request.