YubiCloud interrupted service
Yubico is aware of disruptions to our YubiCloud service. AWS is experiencing a service outage which is impacting YubiCloud. The majority of the impact is to those requests routed to YubiCloud’s US-East region. We apologize for any inconvenience caused by the disruption to the YubiCloud service and are closely monitoring for AWS recovery. Updates will be provided here as more information becomes available.
Maintenance on upload.yubico.com
On Thursday, May 20th, 2021 we will perform maintenance on upload.yubico.com.
The service will be unavailable between 08:00 and 13:00 UTC.
One api.yubico.com; One HTTP GET
A year ago, we moved all YubiOTP validation API servers behind one common api.yubico.com endpoint, introducing a modernized, cloud-based, YubiOTP validation service to improve reliability and scalability. As a result, customers no longer need to call multiple endpoints; instead, we recommend implementing Yubico OTP support in applications using an HTTP GET request to api.yubico.com.
In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already, we recommend configuring your clients to point to our servers via the api.yubico.com domain name.
Refer to this status post from 2019 to ensure you have updated your configurations: https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/
The Yubico legacy client libraries in PHP, C, .NET, Perl, and Java on GitHub will be archived; they will not be updated to call the new endpoint. Their main benefit was to hide the fan-out to multiple YubiCloud endpoints from client applications. With a single endpoint this is no longer necessary, and continuing to use them keeps client applications on the backwards-compatible legacy interface to YubiCloud, which is a sub-optimal solution for our customers.
By implementing the one HTTP GET call directly in client applications, customers no longer need to take a dependency on a 3rd party library in their solutions.
The Yubico OTP Validation Protocol Version 2.0 describes how to construct the HTTP GET call that verifies an OTP, how to generate the request signature and verify the response signature, and which responses you need to handle: https://developers.yubico.com/OTP/Specifications/OTP_validation_protocol.html
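The single GET described above, worked through end to end as an added example (this is not Yubico's code and not one of the archived client libraries). It builds the signed request to api.yubico.com and then checks a reply the way the v2 protocol requires: signature first, then that the reply echoes the OTP and nonce that were actually sent, then status. DEMO_CLIENT_ID and DEMO_API_KEY_B64 are made up (real values are issued by Yubico), DEMO_OTP is a constructed 44-character ModHex string rather than a real OTP, and constructed_server_response() stands in for YubiCloud so the module runs offline.

```python
"""Yubico OTP Validation Protocol v2: sign the verify request, check the reply.

Added example, not Yubico's code or one of the archived client libraries.
DEMO_CLIENT_ID and DEMO_API_KEY_B64 are made up (real ones are issued by Yubico);
DEMO_OTP is a constructed 44-char ModHex string, not a real OTP; and
constructed_server_response() stands in for YubiCloud so the module runs offline.
"""
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

DEMO_CLIENT_ID = "12345"                                    # made up
DEMO_API_KEY_B64 = base64.b64encode(b"\x01" * 20).decode()  # made up 20-byte key
DEMO_OTP = "cccccclfjdrcnkbkvucuivehtckhdcteivnfvnrjfudh"     # constructed, not a real OTP

NONCE_ALPHABET = string.ascii_letters + string.digits


def make_nonce(length: int = 32) -> str:
    """Fresh per-request nonce: 16..40 alphanumeric chars, as the protocol requires."""
    assert 16 <= length <= 40
    return "".join(secrets.choice(NONCE_ALPHABET) for _ in range(length))


def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k1=v1&k2=v2...' with keys sorted alphabetically and 'h' excluded,
    keyed with the base64-decoded API key; the base64 digest is the 'h' parameter."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def build_verify_url(client_id: str, api_key_b64: str, otp: str, nonce: str,
                     sl: str = "secure", timeout: int = 8) -> str:
    """The single HTTP GET: every parameter, including the signature, goes in the query
    string. urlencode() percent-encodes the '+', '/' and '=' of the base64 signature."""
    params = {"id": client_id, "otp": otp, "nonce": nonce, "sl": sl, "timeout": str(timeout)}
    params["h"] = sign(params, api_key_b64)
    return f"{VERIFY_URL}?{urlencode(params)}"


def parse_response(body: str) -> dict:
    """The response body is 'key=value' lines (t, otp, nonce, sl, status, h, ...)."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields


def verify_response(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str) -> tuple:
    """Returns (accepted, reason). Accept only a correctly signed reply that echoes the
    exact OTP and nonce we sent and carries status=OK; everything else fails closed."""
    r = parse_response(body)
    if "h" not in r:
        return False, "unsigned response"      # e.g. the unsigned status=DECOMMISSIONED reply
    if not hmac.compare_digest(sign(r, api_key_b64), r["h"]):
        return False, "bad response signature"
    if r.get("otp") != sent_otp or r.get("nonce") != sent_nonce:
        return False, "otp/nonce do not match this request (replayed or misrouted reply)"
    if r.get("status") != "OK":
        return False, f"status={r.get('status', '')}"
    return True, "OK"


def constructed_server_response(api_key_b64: str, otp: str, nonce: str, status: str) -> str:
    """Stand-in for YubiCloud, constructed for this example: signs like the server does."""
    r = {"t": "2021-05-20T08:00:00Z0000", "otp": otp, "nonce": nonce, "sl": "100", "status": status}
    r["h"] = sign(r, api_key_b64)
    return "".join(f"{k}={v}\n" for k, v in r.items())


if __name__ == "__main__":
    nonce = make_nonce()
    print(build_verify_url(DEMO_CLIENT_ID, DEMO_API_KEY_B64, DEMO_OTP, nonce))
    body = constructed_server_response(DEMO_API_KEY_B64, DEMO_OTP, nonce, "OK")
    print(verify_response(body, DEMO_API_KEY_B64, DEMO_OTP, nonce))
```

The order of checks in verify_response is the point: the signature proves the reply came from a party holding the shared key, the OTP/nonce comparison ties it to this request rather than a replayed earlier success, and only then does status=OK mean anything. A reply without an h line (such as the legacy DECOMMISSIONED response quoted further down this page) is rejected before its status is even read.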
For more recent (and older) status.yubico.com updates, please scroll through https://status.yubico.com/
api.yubico.com unscheduled downtime
On Wednesday, November 25, 2020, starting at about 15:00 UTC Yubico became aware of an issue servicing api.yubico.com requests which were routed to YubiCloud’s US-East data center. At peak, about 2.5% of requests were receiving error responses. By 17:00 UTC, error rates had fallen to < 0.5% with complete resolution by 19:00 UTC. Only requests sent to the US-East data center were affected; all other data centers were operating normally. A retry of a failed request should have been successful.
The underlying cause was a prolonged outage of services in AWS's us-east-1 region; AWS is YubiCloud's cloud platform provider. More information on the AWS outage can be found here.
We apologize for any inconvenience the disruption of YubiCloud’s service may have caused. Steps are being taken to mitigate the effects of such outages upon our customers in the future.
Postponement of decommissioning
Yubico has introduced a new global endpoint for our YubiOTP service, built on the AWS platform. Most of our customers have already migrated to the new service. Because some customers are still using the legacy endpoints, we have moved the decommissioning date of the old service from March 23 to April 14, 2020.
For more details of the change, see https://status.yubico.com/2020/02/25/decommissioning-old-yubiotp-api-validation-servers/.
On March 23, 2020 Yubico will be decommissioning the old YubiOTP API validation servers. This is the final step of an ongoing initiative to improve reliability and scalability of the YubiOTP validation service. If you are hardcoding the IP address of any of the API servers, then you will see responses indicating that they have been decommissioned.
These responses will look like:
status=DECOMMISSIONED
message=See https://status.yubico.com/
To ensure that you are not adversely impacted, please follow the instructions at https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/.
[2020-02-03] api.yubico.com service upgrade
On February 3, 2020 at 23:00 UTC, we will be moving the api.yubico.com domain name to point to the modernized, cloud-based YubiOTP validation service.
This is the final domain name to be changed as part of the ongoing YubiCloud upgrades.
To ensure that you are not disrupted by this change, we recommend taking the actions listed in our previous update.
[2019-11-21] YubiCloud service upgrade
On 12th November 2019, one of the YubiOTP validation API servers, api5.yubico.com, was replaced by a modernized, cloud-based YubiOTP validation service to improve reliability and scalability of the existing service. We will gradually be moving all existing domain names (api.yubico.com, api2.yubico.com, api3.yubico.com, and api4.yubico.com) to point to the new service. The current (v2) YubiOTP API contract has not changed as part of this gradual upgrade.
In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already we recommend configuring your clients to point to our servers via a domain name.
To ensure that you are not disrupted by this and further planned upgrades we recommend the following actions:
- If you have hardcoded the CA or certificate fingerprint that you use to validate the YubiOTP API servers’ identities you will need to update the hardcoded information.
- If you have hardcoded the IP address you will need to use DNS instead. We will no longer allocate static IP addresses and will not be able to provide a list of stable addresses.
- SNI is required during the TLS handshake because of the edge routing layer of our new infrastructure. For example, if you are using nginx as a forward proxy to connect to the YubiOTP validation API you may need to enable the proxy_ssl_server_name option (set it to on).
- The third-party open-source Python client library yubico-client (PyPI, GitHub) must be upgraded to version 1.12.0 or newer. Previous versions had an issue where a TLS failure on one request could be interpreted as a verification failure for the OTP itself.
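The four actions above boil down to one client-side rule: resolve the name through DNS, let the TLS library validate the chain and send SNI, and never let a transport failure masquerade as a verdict on the OTP. The following added example (not Yubico's code and not the yubico-client library) shows the last point, which is the bug the final action describes: every verify call ends in one of three outcomes, and a TLS, DNS or socket error is "unavailable", not "rejected". The fetch function is injectable so the failure paths can be exercised offline; urllib_fetch() is what a real client passes in. DEMO_URL is constructed and carries no real OTP.

```python
"""Three-way outcome for a YubiCloud verify call: accepted, rejected, or unavailable.

Added example, not Yubico's code or the yubico-client library. The HTTP fetch is
injectable so the failure paths can be exercised offline; urllib_fetch() is what a
real client passes in. DEMO_URL is constructed and carries no real OTP.
"""
import enum
import ssl
import urllib.request
from dataclasses import dataclass


class Outcome(enum.Enum):
    ACCEPTED = "accepted"        # YubiCloud answered status=OK
    REJECTED = "rejected"        # YubiCloud answered and refused this OTP
    UNAVAILABLE = "unavailable"  # no trustworthy answer: "could not verify", not "wrong OTP"


# Only these statuses are a verdict on the OTP itself.
REJECTING_STATUSES = {"BAD_OTP", "REPLAYED_OTP"}


@dataclass(frozen=True)
class Result:
    outcome: Outcome
    detail: str


def urllib_fetch(url: str, timeout: float = 10.0) -> str:
    """Real transport. The default context validates the chain against the system trust
    store (no pinned CA or fingerprint), and Python's ssl module sends SNI for the URL's
    hostname, which the DNS-routed edge requires. The host must be a DNS name, not an IP."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


def check_otp(url: str, fetch=urllib_fetch) -> Result:
    """Map one verify call to an Outcome. TLS, DNS and socket failures are all OSError
    (ssl.SSLError, urllib.error.URLError and timeouts subclass it) and are never
    reported as REJECTED: a failed connection says nothing about the OTP."""
    try:
        body = fetch(url)
    except OSError as exc:
        return Result(Outcome.UNAVAILABLE, f"transport error: {type(exc).__name__}")
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    status = fields.get("status")
    if status == "OK":
        return Result(Outcome.ACCEPTED, "OK")
    if status in REJECTING_STATUSES:
        return Result(Outcome.REJECTED, status)
    # BACKEND_ERROR, NOT_ENOUGH_ANSWERS, DECOMMISSIONED, a missing status, ...: fail closed,
    # but surface it as an availability problem rather than counting a failed login.
    return Result(Outcome.UNAVAILABLE, f"status={status}")


# Constructed URL for the demo; a real one carries the signed parameters.
DEMO_URL = "https://api.yubico.com/wsapi/2.0/verify?id=12345&otp=CONSTRUCTED&nonce=abcdefghijklmnop"

if __name__ == "__main__":
    def offline_fetch(url: str) -> str:  # constructed stand-in: the legacy decommissioning reply
        return "status=DECOMMISSIONED\nmessage=See https://status.yubico.com/\n"

    print(check_otp(DEMO_URL, fetch=offline_fetch))
```

Both REJECTED and UNAVAILABLE deny the login; the difference is what the application does next. REJECTED is the only outcome that should feed an account lockout counter or a "wrong token" message, while UNAVAILABLE belongs in monitoring, since a burst of them during an outage like the one described elsewhere on this page is an availability incident, not a credential-stuffing attempt. Signature verification of the reply, which the protocol requires, sits before the status switch in a real client; a signature mismatch is a reply that cannot be trusted and belongs in UNAVAILABLE as well.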
Planned Changes during YubiCloud upgrade
Date | Affected Server(s) | Changes |
---|---|---|
12th November, 2019 (completed) | api5.yubico.com | DNS-based routing and non-static IP address; new TLS certificate requiring SNI |
3rd December, 2019 | api2.yubico.com | DNS-based routing and non-static IP address; new TLS certificate requiring SNI |
January, 2020 | api3.yubico.com, api4.yubico.com | DNS-based routing and non-static IP address; new TLS certificate requiring SNI |
Q1, 2020 | api.yubico.com | DNS-based routing and non-static IP address; new TLS certificate requiring SNI |
api.yubico.com TLS certificate renewed
As mentioned earlier in this post, the TLS certificate for api.yubico.com has been renewed today, Jul 24th, 2019.
If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your configuration.
On Wednesday 24th July 2019, we will renew the TLS certificate for api.yubico.com
No service interruption is expected. If you have pinned the CA or certificate fingerprint (not recommended), you will need to update your hardcoded information.
We will write a new post once the renewal has taken place.