Maintenance Notifications


[Informational] Routine Security Change to Update SSL Certificate for Production

  • 1.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-13-2017 20:14

    This Service Advisory is for informational purposes only. There is no action required from customers for this change. The SSL certificate for production is expiring on January 1 2018 and as a part of routine maintenance, we are renewing the certificate. Because the root and intermediate certificates are not changing, and the event does not require downtime, this change will be transparent for all customers and API integrations. There is no action for customers for this change.

     

    When will these changes take effect?

    • The change will occur on December 20, 2017, from 7:00 AM to 12:00 PM December 21 2017, 8:30 AM to 1:30 PM Pacific Time. This is a zero downtime deployment; therefore, there is no expected service interruption.

    Which Zuora URLs does this change affect?

     

    This change will only affect the following production URLs:

    1. https://www.zuora.com
    2. https://api.zuora.com
    3. https://static.zuora.com
    4. https://rest.zuora.com

    Do I need to take action?

    Customers DO NOT need to take any action. This is a routine change that will be transparent for all customers and API integrations.

    Zuora Global Support is readily available to answer any additional questions you may have. Please contact us at +1-650-779-4993 or at support@zuora.com.



    Best Regards,

    Zuora Customer Support Services & Community



    Attachments

    www.zuora.com-Symantec-CA-Updated.crt
    #Announcement


  • 2.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-15-2017 12:00

    Hi Scott, 

     

    Can Zuora publish the new certificate please? We're still working through our SSL keystore implementation and will need that ahead of time.

     

    Kind thanks,

     

    Ben



  • 3.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-15-2017 19:55

    Hi @btemko

     

    I've added the crt file to the original post above as an attachment.  

     

    Enjoy

     

    Scott



  • 4.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-18-2017 13:21

    @scottb 

     

    A little confused. The first certificate doesn't appear to be related to the current API chain. 

    The second is unparseable.

    The third looks like the Intermediary cert that signed the current API cert.

     

    Need clarity on this ASAP please!

     

    Thanks,

     

    Ben



  • 5.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-18-2017 15:01

    Hello Ben,

     

    Thank you for catching the parsing error for the DigiCert Root CA Certificate. We have uploaded an updated version of the cert that should work well. In the updated version of the bundle, here is how you will see the chain.

     

    CN=DigiCert Global CA G2 (Intermediate)
    CN=DigiCert Global Root G2 (Primary Root)
    CN=VeriSign Class 3 Public Primary Certification Authority - G5 (Cross Root)

     

    The new certificate chains up to the original (and current) VeriSign root CA certificate.

     

    Best

    Bibek
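
Added example, not part of the thread or of Zuora's tooling: a structural pre-import check for a PEM bundle like the one discussed in posts 4 and 5, reporting any block that fails base64 or DER length decoding before it reaches a keystore. The sample bundle is built from constructed filler bytes, not real certificates, and all function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if the blob is a single DER SEQUENCE whose declared length fits."""
    if len(der) < 2 or der[0] != 0x30:        # X.509 certs start with SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                          # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_bundle(pem_text: str):
    """Return (position, status, sha256 fingerprint or None) per PEM block."""
    results = []
    for pos, match in enumerate(PEM_RE.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:                    # binascii.Error subclasses ValueError
            results.append((pos, "bad-base64", None))
            continue
        if der_length_ok(der):
            results.append((pos, "ok", hashlib.sha256(der).hexdigest()))
        else:
            results.append((pos, "bad-der", None))
    return results

def to_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed stand-ins, NOT real certificates: a DER SEQUENCE header
# (0x30 0x82 + 2-byte length) wrapped around filler bytes.
def fake_der(fill: int, size: int = 300) -> bytes:
    return b"\x30\x82" + size.to_bytes(2, "big") + bytes([fill]) * size

SAMPLE_BUNDLE = (
    to_pem(fake_der(0x01))
    + to_pem(fake_der(0x02)[:-40])            # truncated block, as if cut short
    + to_pem(fake_der(0x03))
)

if __name__ == "__main__":
    for pos, status, fp in lint_bundle(SAMPLE_BUNDLE):
        print(pos, status, fp or "-")
```

This checks structure only; a block reported as ok still needs X.509 parsing and chain verification by your TLS library before it is trusted.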



  • 6.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-20-2017 12:23

    Good morning!

    We are delaying certificate deployment start in production until 12:00pm (Noon) PST. Deployment process will take approximately 5 hours to propagate through Akamai's network.  We will post again once the deployment starts.  Thank you 

     

    Scott



  • 7.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-20-2017 22:00

    We are moving the maintenance for certificate deployment in the Production environment to 8:30 AM to 1:30 PM PST, Dec 21st. Deployment process will take approximately 5 hours to propagate through Akamai's network.  We will post again once the deployment starts.  Thank you for your understanding. 



  • 8.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-21-2017 13:33

    Greetings!

    We have begun our deployment process for this change.  This will take 4-6 hours to fully propagate through Akamai's network.



  • 9.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-21-2017 19:23

    @scottb we are experiencing issues today and we suspect it is due to the TLS certificate. Is this related to the issue above? I already filed a support ticket with Zuora #138544



  • 10.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-21-2017 20:46

    Hi @abdallahalhakim

    I've reviewed the Support case you referenced and it seems like the issue is solved at this time.  

    Let me take this opportunity to explain why sometimes these certificate renewals can trigger issues with some integrations. If, for example, your integration is pinning our public SSL certificate in your trust store, or if you are not properly importing the root CA per our documentation, this could cause SSL errors following our deployment. Likewise, if your integration code elects to cache SSL certificates (again, contrary to common practice), this could cause SSL errors as well. Most integrations seem to have no issue with this; however, we have noticed that some do.

    If your code was impacted by this issue, I would encourage anyone impacted to please share details here. Else, we could encourage you to work with your internal teams and Zuora support to address any problems you might have encountered.

     



  • 11.  [Informational] Routine Security Change to Update SSL Certificate for Production

    Posted 12-21-2017 22:38

    @scottb thanks for the additional information. We seem to have an issue with our setup and your comments are very helpful. We are opening an internal RCA to investigate this and put a solution to prevent it from happening.