Skip to content

[2020-02-03] api.yubico.com service upgrade

2020-01-29

On February 3, 2020 at 23:00 UTC, we will be moving the api.yubico.com domain name to point to the modernized, cloud-based YubiOTP validation service.

This is the final domain name to be changed as part of the ongoing YubiCloud upgrades.

To ensure that you are not disrupted by this change, we recommend taking the actions listed in our previous update.

[2019-11-21] YubiCloud service upgrade

2019-11-21

On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.

To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:

  • If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.
  • If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.
  • SNI is required as part of TLS negotiation due to the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option.
  • The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.

Planned Changes during YubiCloud upgrade

DateAffected Server(s)Changes
12th November, 2019 (completed)api5.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
3rd December, 2019api2.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
January, 2020api3.yubico.com
api4.yubico.com
DNS-based routing and non-static IP address
New TLS certificate requiring SNI
Q1, 2020api.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI

api.yubico.com TLS certificate renewed

2019-07-24

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Jul 24th, 2019.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2019-07-24] api.yubico.com TLS certificate renewal

2019-07-11

On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard coded information.

We will write a new post once the renewal has taken place.

Maintenance on upgrade.yubico.com

2019-05-17

On Monday, May 27th, 2019 we will perform maintenance on upgrade.yubico.com.

The service will be unavailable between 10:30 and 12:30 UTC.

Maintenance on upload.yubico.com

2019-04-11

On Monday, April 15th, 2019 we will perform maintenance on upload.yubico.com.

The service will be unavailable between 11:00 and 13:00 UTC.

[2019-04-02 09:00:00 UTC] Upcoming IP change to api4.yubico.com

2019-03-25

On Tuesday, April 2nd, 2019, the DNS record for api4.yubico.com will point to new addresses. Details can be found below.

Current IPv4: 78.47.118.220
Current IPv6: 2a01:4f8:c17:2bfe::2

New IPv4: 116.203.142.203
New IPv6: 2a01:4f8:c2c:313d::1