Skip to content

[2019-11-21] YubiCloud service upgrade

2019-11-21

On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.

To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:

  • If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.
  • If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.
  • SNI is required as part of TLS negotiation due to the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option.
  • The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.

Planned Changes during YubiCloud upgrade

DateAffected Server(s)Changes
12th November, 2019 (completed)api5.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
3rd December, 2019api2.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
January, 2020api3.yubico.com
api4.yubico.com
DNS-based routing and non-static IP address
New TLS certificate requiring SNI
Q1, 2020api.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI

api.yubico.com TLS certificate renewed

2019-07-24

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Jul 24th, 2019.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2019-07-24] api.yubico.com TLS certificate renewal

2019-07-11

On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard coded information.

We will write a new post once the renewal has taken place.

Maintenance on upgrade.yubico.com

2019-05-17

On Monday, May 27th, 2019 we will perform maintenance on upgrade.yubico.com.

The service will be unavailable between 10:30 and 12:30 UTC.

Maintenance on upload.yubico.com

2019-04-11

On Monday, April 15th, 2019 we will perform maintenance on upload.yubico.com.

The service will be unavailable between 11:00 and 13:00 UTC.

[2019-04-02 09:00:00 UTC] Upcoming IP change to api4.yubico.com

2019-03-25

On Tuesday, April 2nd, 2019, the DNS record for api4.yubico.com will point to new addresses. Details can be found below.

Current IPv4: 78.47.118.220
Current IPv6: 2a01:4f8:c17:2bfe::2

New IPv4: 116.203.142.203
New IPv6: 2a01:4f8:c2c:313d::1

Upcoming IP changes to api, api2 and api5

2019-03-07

During March 2019, the DNS records for api.yubico.com, api2.yubico.com and api5.yubico.com
will point to new addresses. Details can be found below.

api3.yubico.com and api4.yubico.com addresses will remain the same.

[2019-03-12 09:00:00 UTC] api.yubico.com

Current IPv4: 23.253.41.154
Current IPv6: 2001:4801:7824:103:be76:4eff:fe10:77c6

New IPv4: 104.130.204.190
New IPv6: 2001:4801:7827:102:be76:4eff:fe10:6cd3
[2019-03-19 09:00:00 UTC] api5.yubico.com

Current IPv4: 109.74.193.72
Current IPv6: 2a01:7e00::f03c:91ff:fe98:2109

New IPv4: 109.237.24.116
New IPv6: 2a01:7e00::f03c:91ff:fe82:071b
[2019-03-26 09:00:00 UTC] api2.yubico.com

Current IPv4: 45.79.101.81
Current IPv6: 2600:3c01::f03c:91ff:fe37:74ec

New IPv4: 50.116.2.229
New IPv6: 2600:3c01::f03c:91ff:fe82:0768