SSLHandshakeException: server certificate change is restricted during renegotiation


#1

Hi,

Since last night we have been getting “server certificate change is restricted during renegotiation” when connecting to the Contacts API.

What is wrong?

Thank you.


#2

We are getting the same “Certificate validation failure” in all our environments since ~3pm EST yesterday afternoon.


#3

Hi @TIDEV,

I temporarily mitigated the problem by allowing “unsafe SSL renegotiation” (in Java you just have to add the following arguments: “-Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true”).

Although this shouldn’t be enabled for security reasons.

It looks like a load-balancing issue…


#4

Hi @TIDEV and @przemyslaw.celej

We recently made a change that would have switched the certificate authority that would be used for the SSL certificate at api.hubapi.com. If you’re having trouble validating the certificate, you may need to update the root CAs installed on your server.


#5

Thanks for the update. We just updated the root CAs and are still facing the issue. Will give it another try. It worked fine at 3.37pm EST and all environments started to face the issue at 3.38pm EST yesterday (can you confirm the switch time?). Hope to have some communication channel and time window allocated for the change in the future.


#6

Hi,

I’m facing the same issue while trying to get the last email events using the HubSpot API (https://api.hubapi.com/email/public/v1/campaigns/xxxxxxx?appId=xxxxxx&hapikey=xxxxx) from my Ubuntu server.
I receive a: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
Have you guys solved the issue?


#7

As noted above, HubSpot updated the certificate without prior notification … the main change we noted was that it moved from an RSA to an ECDSA algorithm based certificate. Some older clients (older Java versions) do not support it and so may be a point of failure …
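
The checks discussed in posts #3, #4 and #7 can be run locally. The following is an added example, not part of any post in this thread and not HubSpot code: a diagnostic that reports whether the JVM has ECDSA support, which key algorithms its default trust store roots use, and whether the renegotiation workaround flags from post #3 are still active. The class name `EcdsaReadinessCheck` is hypothetical; the code is written without lambdas so it also compiles on older JDKs.

```java
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name); runs offline against the local JVM only.
public class EcdsaReadinessCheck {
    public static void main(String[] args) throws Exception {
        // 1. Is an ECDSA signature implementation registered at all?
        try {
            Signature.getInstance("SHA256withECDSA");
            System.out.println("SHA256withECDSA: available");
        } catch (java.security.NoSuchAlgorithmException e) {
            System.out.println("SHA256withECDSA: MISSING, ECDSA certificates cannot be verified");
        }
        // 2. ECDSA-authenticated cipher suites enabled by default. TLS 1.3 suite names
        //    carry no authentication algorithm, so a count of 0 is only conclusive on
        //    JVMs limited to TLS 1.2 and earlier.
        int ecdsaSuites = 0;
        for (String s : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (s.contains("_ECDSA_")) ecdsaSuites++;
        }
        System.out.println("enabled *_ECDSA_* cipher suites: " + ecdsaSuites);
        // 3. Trusted roots in the default trust store, grouped by public key algorithm.
        Map<String, Integer> roots = new TreeMap<String, Integer>();
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String alg = ca.getPublicKey().getAlgorithm();
                Integer n = roots.get(alg);
                roots.put(alg, n == null ? 1 : n + 1);
            }
        }
        System.out.println("trusted roots by key algorithm: " + roots);
        // 4. Flag the renegotiation workaround properties if they are still set to true.
        for (String p : new String[] {"jdk.tls.allowUnsafeServerCertChange",
                                      "sun.security.ssl.allowUnsafeRenegotiation"}) {
            if (Boolean.getBoolean(p)) System.out.println("WARNING: -D" + p + "=true is set");
        }
    }
}
```

Run it with the same JVM and the same `-D` arguments as the affected service, so that the trust store and system properties it reports are the ones the service actually uses.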


#8

@dadams, our developers finally found out that the certificate authority changed after a week investigating a broken process that communicates to the HubSpot Contacts API. That was a week that a semi-critical process was down.

I’m trying to understand what advance notice was given for this change (which presumably broke any API access); and what forum, email distribution list, or other communication channel we need to be tapped into in order to ensure that we know about these changes before they are rolled out and our processes break. Can you please provide some guidance?

Very frustrated right now, but I’m hoping it’s not because of a communication failure on HubSpot’s part, but rather that we didn’t know where to monitor for updates.

Thanks.


#9

@dadams, we’re a HubSpot partner and we also had a client who was heavily affected by this change, which caused an outage in critical parts of their business. As @Bistream630 asks, where and how do we get notified about such changes before they happen?