[2019-11-21] YubiCloud service upgrade
Incident Report for Yubico
On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.

To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:

If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.

If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.

SNI is required as part of TLS negotiation due to the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option.

The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.
Posted Nov 21, 2019 - 11:00 UTC