SSLHandshakeException: server certificate change is restricted during renegotiation

przemyslawcelej · ‎Dec 20, 2017

Hi,

since last night we got “server certificate change is restricted during renegotiation” when connecting to Contacts API.

What is wrong ?

Thank you.

Report Inappropriate Content · ‎Dec 21, 2017

Hi,

I’m facing the same issue while trying to get the last emails events using the Hubspot API (https://api.hubapi.com/email/public/v1/campaigns/xxxxxxx?appId=xxxxxx&hapikey=xxxxx) from my ubuntu server.
I receive a: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
Do you guys have solved the issue?

TIDEV · ‎Dec 22, 2017

As noted above, Hubspot updated the certificate without prior notification … the main change we noted was it moved from RSA to ESDCA algorithm based certificate. Some older clients (older java version) do not support it and so may be a point of failure …

TIDEV · ‎Dec 20, 2017

Thanks for the update. We just updated the root CAs and still facing the issue. Will give it another try. It worked fine at 3.37pm EST and all environments started to face the issue at 3.38pm EST yesterday ( can you confirm the switch time). Hope to have some communication channel and time window allocated for the change in the future.

Dadams · ‎Dec 20, 2017

Hi @TIDEV and @przemyslaw.celej

We recently made a change that would have switched the certificate authority that would be used for the SSL certificate at api.hubapi.com. If you’re having trouble validating the certificate, you may need to update the root CAs installed on your server.

JamiesonC · ‎Dec 28, 2017

@dadams, our developers finally found out that the certificate authority changed after a week investigating a broken process that communicates to the HubSpot Contacts API. That was a week that a semi-critical process was down.

I’m trying to understand what advanced notice was given for this change (which presumably broke any API access); and what forum, email distribution list, or other communication channel we need to be tapped into in order to ensure that we know about these changes before they are rolled out and our processes break. Can you please provide some guidance?

Very frustrated right now, but I’m hoping it’s not because of a communication failure on HubSpot’s part, but rather that we didn’t know where to monitor for updates.

Thanks.

TomBennett · ‎Jan 15, 2018

@dadams, we’re a HubSpot partner and we also had a client who was heavily affected by this change, which caused an outage in critical parts of their business. As @Bistream630 asks, where and how do we get notified about such changes before they happen?

przemyslawcelej · ‎Dec 20, 2017

Hi @TIDEV,

I temporarily mitigated the problem allowing for “unsafe SSL renegotiation” (in java just have to add the following arguments “-Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true”).

Although this shouldn’t be enabled for security reasons.

It looks like load-balancing issue…

TIDEV · ‎Dec 20, 2017

We are getting the the same “Certificate validation failure” in all our environments since ~3pm EST yesterday afternoon

APIs & Integrations