Skip to content

Postponement of decommissioning

2020-03-20

Yubico has introduced a new global endpoint supporting our YubiOTP service based on the AWS platform. Most of our customers have already migrated to the new service. As a result of having some customers still using the legacy endpoints, we have decided to move the decommissioning date of the old service from March 23 to April 14, 2020.

For more details of the change, see https://status.yubico.com/2020/02/25/decommissioning-old-yubiotp-api-validation-servers/.

Decommissioning old YubiOTP API validation servers

2020-02-25

On March 23, 2020 Yubico will be decommissioning the old YubiOTP API validation servers. This is the final step of an ongoing initiative to improve reliability and scalability of the YubiOTP validation service.  If you are hardcoding the IP address of any of the API servers, then you will see responses indicating that they have been decommissioned.

These responses will look like:

status=DECOMMISSIONED
message=See https://status.yubico.com/

To ensure that you are not adversely impacted, please follow the instructions at https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/.

[2020-02-03] api.yubico.com service upgrade

2020-01-29

On February 3, 2020 at 23:00 UTC, we will be moving the api.yubico.com domain name to point to the modernized, cloud-based YubiOTP validation service.

This is the final domain name to be changed as part of the ongoing YubiCloud upgrades.

To ensure that you are not disrupted by this change, we recommend taking the actions listed in our previous update.

[2019-11-21] YubiCloud service upgrade

2019-11-21

On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.

To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:

  • If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.
  • If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.
  • SNI is required as part of TLS negotiation due to the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option.
  • The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.

Planned Changes during YubiCloud upgrade

DateAffected Server(s)Changes
12th November, 2019 (completed)api5.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
3rd December, 2019api2.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI
January, 2020api3.yubico.com
api4.yubico.com
DNS-based routing and non-static IP address
New TLS certificate requiring SNI
Q1, 2020api.yubico.comDNS-based routing and non-static IP address
New TLS certificate requiring SNI

api.yubico.com TLS certificate renewed

2019-07-24

As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Jul 24th, 2019.

If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.

[2019-07-24] api.yubico.com TLS certificate renewal

2019-07-11

On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard coded information.

We will write a new post once the renewal has taken place.

Maintenance on upgrade.yubico.com

2019-05-17

On Monday, May 27th, 2019 we will perform maintenance on upgrade.yubico.com.

The service will be unavailable between 10:30 and 12:30 UTC.