Discussion for "REST API SSL certificate update"


#1

Please use this thread to discuss [node:23084]


#2

Hello, how can I make sure I will not have issues when the certificate change is done? I use an https connection from a Windows desktop app (.NET framework). I guess I shouldn’t have a problem, but is there a development environment to test?

Thank you


#3

Hi Karl,

We are planning to open some test windows in the next weeks, I’ll publish in this thread soon.

As an alternative, the userstream.twitter.com certificate was updated at the beginning of November and it’s using the same certificate that will be deployed in the REST API. You can send a HEAD request to [node:10392,title="User streaming endpoint"] to check if you are already trusting the right certificates. If this is not the ideal test environment for you, please subscribe to this thread to know when we are going to open the test window.


#4

A test window will be available on Tuesday, December 3rd. It will be available around 11:30am PST. Subscribe to this discussion to receive test details.


#5

Confirming that tomorrow (Dec 3rd), from 11:30am to 1pm PST, the servers at api.twitter.com will have the new certificate deployed. After this period a rollback will be done. This is a great opportunity to check if your application is trusting the new certificates that will be permanently deployed on Dec 10th, 2013 (see [node:23084]).

If your application gets impacted by this test, the action required is to include the new root certificates in your servers and make sure all HTTP clients are aware of them.

Please, also make sure you have certificate verification always enabled when using Twitter APIs.


#6

Has the certificate been installed? Some of my requests work, others do not. Also, when going to api.twitter.com I sometimes get the old version and sometimes the new one. I noticed too that the newer certificate only started showing for me an hour after 11:30am PST.


#7

Can you confirm that the rollback was indeed at 1pm PST? Still having some issues almost 30 mins after 1pm PST.


#8

We have seen a new problem on two different sites that is preventing twitter app login using the API since around 20:30 UTC on the 3rd (about 2.5 hrs ago).

We have tested other aspects of the API, and they seem to work just fine (tweet, retweet, favouriting etc).

It is just the last step to get the access token after the callback to ‘finalize’ that’s failing; we get a 403. This has been tested also on multiple hosts, as well as with different apps, with the same result. Also, both hosts have the correct time set.

FWIW, using curl it seems we are still getting the new certificate coming through:

issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)09; CN=VeriSign Class 3 Secure Server CA - G2


#9

This seems to have broken twitter4j 3.0.3 (and older, I’m assuming). An upgrade to 3.0.5 fixed my application.


#10

The rollback started at 1pm PST and it can take up to one hour to affect all servers. So it’s expected to still have issues after this period if your app isn’t trusting the new certificates.


#11

OK, yes, seems some old code that was working up to today is now not working.

Found a single old reference to a http:// endpoint in our code that had been working just fine up until today, changed it to https:// and all is working again.

So if you’re seeing issues, look for any remaining non-SSL references in your code, as these appear to have been only finally fully deprecated today.


#12

Thanks for the details John, this looks like an unrelated but similarly timed issue. While definitely you should be using SSL on these methods, the enforcement shouldn’t be occurring right now. I’ll see what’s up.


#13

I ran into the same issue as well. Our code was connecting with Twitter over HTTP instead of HTTPS, and after changing it to HTTPS all is well again.

I am VERY curious as to why connections over HTTP aren’t working with the new certificate… Any ideas?


#14

The issues with oauth/access_token and using HTTP should now be resolved. It was unrelated and only coincidental to the SSL certificate changes.


#15

A got never see @stevendastine


#16

Update: the new certificates were deployed successfully.


#17

Hello, I downloaded the root package for VeriSign certificates (roots.zip file),
and then what should I do?
I’m using CentOS 5 and PHP.
My problem is:

  1. I don’t know how to update the VeriSign certificates on my server. I’m using CentOS 5.xx.
     I found this: /etc/pki/tls/certs/ca-bundle.crt
  2. I couldn’t find the -3 option in the curl commands…
     curl -3 -capath --ssl https://api.twitter.com
     and does -capath mean /etc/pki/tls/certs/ca-bundle.crt ??
  3. I looked up the EpiCurl.php that I’m using but I couldn’t find the place where I can put these:
     1. curl_setopt($connection, CURLOPT_SSL_VERIFYPEER, true);
     2. curl_setopt($connection, CURLOPT_SSL_VERIFYHOST, 2);
     3. curl_setopt($connection, CURLOPT_CAINFO, "path:/ca-bundle.crt");

Thank you in advance.


#18

There’s no need to change the library you’re using: in PHP there’s a global configuration you can change (for PHP 5.3.7 or later):

  1. Download http://curl.haxx.se/ca/cacert.pem and save it somewhere. (This pem file already has the VeriSign root needed for api.twitter.com.)
  2. Update php.ini: add curl.cainfo = "PATH_TO/cacert.pem"

Otherwise you will need to do the following for every cURL resource:

curl_setopt($ch, CURLOPT_CAINFO, "PATH_TO/cacert.pem");

Reference: http://stackoverflow.com/a/16495053/2933153


#19

I followed steps 1 and 2 and restarted Apache,
and added CURLOPT_CAINFO like this, but it doesn’t work yet…

protected function curlInit($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $this->headers);
    curl_setopt($ch, CURLOPT_TIMEOUT, $this->requestTimeout);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->connectionTimeout);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    // Bind outgoing requests to the server's own address when it is known
    if (isset($_SERVER['SERVER_ADDR']) && !empty($_SERVER['SERVER_ADDR']) && $_SERVER['SERVER_ADDR'] != '127.0.0.1') {
        curl_setopt($ch, CURLOPT_INTERFACE, $_SERVER['SERVER_ADDR']);
    }

    if ($this->useSSL === true) {
        // Previously verification was switched off here:
        // curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        // curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($ch, CURLOPT_CAINFO, "/home/cacert.pem");
    }
    return $ch;
}


#20

Solved it:

    // if ($this->useSSL === true) {
    //     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    //     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    // Verification and the CA bundle are now set unconditionally
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, "/home/cacert.pem");
    // }
    return $ch;

Thank you for helping me a lot! :slight_smile:
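A probe in the spirit of the HEAD-request check from post #3, with peer and host verification kept enabled as post #5 asks, that reports whether this PHP/cURL install trusts the chain a host serves and which CA bundle was in effect. This is an added example, not code from the thread, from Twitter or from EpiCurl; the URL and the /home/cacert.pem path are placeholders taken from the posts above.

```php
<?php
// Added example: check whether PHP's cURL trusts a host's certificate chain.
// $caInfo is optional; when null, the php.ini setting curl.cainfo (PHP >= 5.3.7,
// see post #18) or libcurl's built-in default bundle is used instead.
function checkTlsTrust($url, $caInfo = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_NOBODY         => true,  // HEAD request: only the handshake matters
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,  // never set these to false/0 to "fix" errors
        CURLOPT_SSL_VERIFYHOST => 2,
    ));
    if ($caInfo !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caInfo);  // per-handle override
    }
    curl_exec($ch);
    $errno = curl_errno($ch);
    $bundle = ini_get('curl.cainfo');
    $result = array(
        'trusted'   => ($errno === 0),
        'errno'     => $errno,
        'error'     => curl_error($ch),
        'http_code' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'ca_bundle' => $caInfo !== null ? $caInfo : ($bundle ? $bundle : '(libcurl default)'),
    );
    curl_close($ch);
    // errno 60 is CURLE_SSL_CACERT ("peer certificate cannot be authenticated
    // with known CA certificates"; libcurl 7.62+ reports the same code as
    // CURLE_PEER_FAILED_VERIFICATION). That is the "new root not in the bundle"
    // failure this thread is about. errno 35 (CURLE_SSL_CONNECT_ERROR) is a
    // handshake/protocol problem, not a CA-bundle problem.
    if ($errno === 60) {
        $result['hint'] = 'CA bundle lacks the issuing root: update CURLOPT_CAINFO or curl.cainfo';
    } elseif ($errno === 35) {
        $result['hint'] = 'TLS handshake failed before certificate validation';
    }
    return $result;
}

// Usage (needs network access): run once before and once after a CA bundle change.
print_r(checkTlsTrust('https://api.twitter.com/', '/home/cacert.pem'));
```

A trusted chain gives trusted => true with an http_code from the server; a missing root gives errno 60 with the hint, and the ca_bundle field tells you which file cURL actually consulted, which is usually the answer to "I updated the bundle but it still fails".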