Skip to content

[2019-07-24] api.yubico.com TLS certificate renewal

2019-07-11

On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com

No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hard coded information.

We will write a new post once the renewal has taken place.

Maintenance on upgrade.yubico.com

2019-05-17

On Monday, May 27th, 2019 we will perform maintenance on upgrade.yubico.com.

The service will be unavailable between 10:30 and 12:30 UTC.

Maintenance on upload.yubico.com

2019-04-11

On Monday, April 15th, 2019 we will perform maintenance on upload.yubico.com.

The service will be unavailable between 11:00 and 13:00 UTC.

[2019-04-02 09:00:00 UTC] Upcoming IP change to api4.yubico.com

2019-03-25

On Tuesday, April 2nd, 2019, the DNS record for api4.yubico.com will point to new addresses. Details can be found below.

Current IPv4: 78.47.118.220
Current IPv6: 2a01:4f8:c17:2bfe::2

New IPv4: 116.203.142.203
New IPv6: 2a01:4f8:c2c:313d::1

Upcoming IP changes to api, api2 and api5

2019-03-07

During March 2019, the DNS records for api.yubico.com, api2.yubico.com and api5.yubico.com
will point to new addresses. Details can be found below.

api3.yubico.com and api4.yubico.com addresses will remain the same.

[2019-03-12 09:00:00 UTC] api.yubico.com

Current IPv4: 23.253.41.154
Current IPv6: 2001:4801:7824:103:be76:4eff:fe10:77c6

New IPv4: 104.130.204.190
New IPv6: 2001:4801:7827:102:be76:4eff:fe10:6cd3
[2019-03-19 09:00:00 UTC] api5.yubico.com

Current IPv4: 109.74.193.72
Current IPv6: 2a01:7e00::f03c:91ff:fe98:2109

New IPv4: 109.237.24.116
New IPv6: 2a01:7e00::f03c:91ff:fe82:071b
[2019-03-26 09:00:00 UTC] api2.yubico.com

Current IPv4: 45.79.101.81
Current IPv6: 2600:3c01::f03c:91ff:fe37:74ec

New IPv4: 50.116.2.229
New IPv6: 2600:3c01::f03c:91ff:fe82:0768

YubiCloud no longer accepting v1 protocol, plain-text or old TLS version requests

2019-02-04

As mentioned in an earlier blog post, as of today, February 4th 2019, YubiCloud no longer accepts requests using V1 protocol, plain-text (non https) or TLS1.0 or TLS1.1 protocols.

Please see the original blog post for further details and ensure your YubiCloud clients are updated to use YubiCloud protocol V2, https and TLS1.2.

CentOS 6 and TLS1.2

2019-01-08

Recently it has come to our attention that some CentOS 6 clients, while technically supporting TLS 1.1 and TLS 1.2, still default to TLS 1.0.

This can be remedied by running the following command, which will update the respective packages to the most recently available versions.

$ sudo yum update libcurl curl nss

The following bugs, which were reported in 2015, are addressed by applying the yum update.

https://bugzilla.redhat.com/show_bug.cgi?id=1289205
https://bugzilla.redhat.com/show_bug.cgi?id=1272504

Doing so will ensure YubiCloud clients on CentOS will default, and support, TLS1.2.

This update is strongly recommended to avoid issues on 2019-02-04, when non TLS1.2 connections will be completely rejected, as mentioned in our earlier blog post.

The commands below demonstrate the issue, how the fix is applied, and finally establishing a connection with a TLS1.2-only host. Lines starting with ! denote a comment.

[vagrant@localhost ~]$ cat /etc/centos-release 
CentOS release 6.6 (Final)

! default packages included in official CentOS 6.6 release
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-37.el6_5.3
libcurl.x86_64 7.19.7-37.el6_5.3
nss.x86_64 3.16.1-14.el6 @anaconda-CentOS-201410241409.x86_64/6.6

! fails to negotiate TLS handshake (host supports TLS1.2 only)
[vagrant@localhost ~]$ curl -q -v https://developers.yubico.com

! updating to most recently available
[vagrant@localhost ~]$ sudo yum update libcurl curl nss

! packages are upgraded; curl from -37 -> -53 and nss from 3.16 to 3.36.
[vagrant@localhost ~]$ yum list installed | grep -i -e ^libcurl -e ^curl -e ^nss
curl.x86_64 7.19.7-53.el6_9 @base 
libcurl.x86_64 7.19.7-53.el6_9 @base 
nss.x86_64 3.36.0-9.el6_10 @updates

! works successfully
[vagrant@localhost ~] $ curl -q -v -o/dev/null https://developers.yubico.com

For further information about CentOS, please check the forums at https://www.centos.org/forums/