Maintenance Notifications

We are updating the SSL certificate used for the following endpoints on December 12, 2018:

Production Endpoints:

zuora.com

api.zuora.com

rest.zuora.com

static.zuora.com

Action may be required on your part prior to December 12, 2018

When will these changes take effect on the Zuora side?

December 12, 2018 starting at 1am through 11am

How will this change impact me?

 Your integration may stop functioning if your systems do not trust the correct root and intermediate certificate.

* Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.

What action must I take?

If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Zuora cannot determine if you are impacted, so you will need to work with your technology teams to determine what actions for this certificate update.  

Download and install the Appropriate Root Certificate Bundle

If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your applications trusted CA store.

Follow these steps to download the Comodo Root Certificates:

1. The CA Certificates can be downloaded from the links below:

https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain

You will need the zuora-com-root.cer and zuora-com-intermediate.cer for the following sites:

zuora.com

api.zuora.com

rest.zuora.com

static.zuora.com

What happens if I take no action?

If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint  after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.

You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.

Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.

Best Regards,

Zuora Support Services & Community

@scottb

Did not the following SSL certificate update be carried out in previous maintenance?:

*.zuora.com

https://community.zuora.com/t5/Release-Notifications/ACTION-REQUIRED-Maintenance-to-Update-SSL-Certificate-for-zuora/ba-p/24856

@scott

Does this maintenance include the following endpoints? :

www.zuora.com

Q: Did not the following SSL certificate update be carried out in previous maintenance?: *.zuora.com

A: This is a separate maintenance, related to endpoint fronted by *.zuora.com (eg, www.zuora.com, api.zuora.com, static.zuora.com, etc)

Q: Does this maintenance include the following endpoints? : www.zuora.com

A: Yes

Is there any way to test this prior to the deployment in production? Maybe similar to the last procedure mentioned earlier?

I believe that a keystore which now works for connecting to the sandbox environment should also work for the production environment, if I understand anything about what has happened with these upgrades.

Someone from Zuora please correct me if that's wrong, however!

@scottb

>December 12, 2018 starting at 1am through 11am

Is the time zone PST?

Yes, all times are Pacific Time

Hi,

Our integration with Zuora is around Zuora SOAP API & Hosted Payment Method.

I am not aware of any certificates we currently use.

How can I be sure if we are exempt from updating the certificate as part of this update?

Hi Team,

Does this SSL update include the following project? Please let us know as soon as possible.

Project: MicroFocus

Tenant:  6444

Regards,

Bala.

As stated above, Zuora cannot determine impact to your integrations.  You will need to work with your technology teams to asses if you need to update integration certificates.  This impacts all production tenants using the cited endpoints as per the original article.

Hi Zuora team,

Can you please provide a POC for this certificate update? Who can we reach out to in case of an emergency?

Thanks!

Hi @czarco

Please reach out to Zuora support for any issues resulting in this deployment that cannot be addressed locally through your own technology and security teams.   As for POC, I'm not familair with that aconym in this context.  Can you explain further?

Hi scott,

POC stands for point of contact, so I am assuming that we should reach to Zuora support for any issues?

Correct - Support will be your primary point of contact if there is any issues on your end as outlined above.

Is the SSL certificate already updated for your sandbox endpoints so that we can run tests before the upgrade in production?

Hi @gbarak

The apisandbox certificate is different so testing here doesn't apply.  I'll post an "unofficial" method you could test SSL connections to the same certificate in our staging environments below.

Hi everyone

Attached you will find aa sample test method you could use to test the new certs which are setup in our Akamai STAGING environment. This method requires you to redirect the traffic using an/etc/hosts file to direct the traffic with the correct header for SPI.

If you choose to do this testing, please keep the following under advisement:

1. DO NOT run this test process in your actual production environment, and please do not proceed unless you understand the method being suggested - we encourage you to work with your integration and IT teams to validate
2. Please be aware that this test process is supplied as-is as a sample process. We will not provide support for this process.
3. This test will allow you to test SSL connections only. A successful connection confirms your integration is capable of passing the certificate check during the initial SSL negotiation. The core Zuora APIs, while available, may not function as per our Production standards and will not have your data or authentication setup.

https://drive.google.com/file/d/1BojkDdBGalti_NIky5VVghF8RA4C7ePh/view?usp=sharing

Hi,

Will the intermediate certificate be included in the certificate chain from the production servers or not? Zuora best-practices (stated on the other thread) explicitly say that a server will send the entire cert chain, but as I already pointed out on that post, the PT1 servers do not do this.

Will the production servers do it or not? This matters, because it changes what we need to put in our keystores. I have had this question open and unanswered on the other thread since October 12. It's now nearly 2 months later, will it be possible to get an answer now that we're about to change production?

Thanks,

Ben

HI Team,

Could you please let us know the status of the maintenance?

Regards,

Bala.

Hi folks

We received confirmation from our CDN (Akamai) that the SSL Certificate deployment has been completed.  

Hello,

We never needed to upload a certificate when we adopted Zuora and all of our API calls from Salesforce to Zuora seem to be working just fine. However, as of about an hour ago we cannot access anything on the Connect platform. Receiving error message: {"message":"no route and no API found with those values"}

Could this be related?

There is a Connect App incident: https://trust.zuora.com/incidents/q2pvpf4tvh0t

Hi folks

We have an ongoing incident running for the connect incident on the Zuora side since it was reporeted which is being handled with our highest priority.  I can confirm this is NOT connected to the SSL Certificate Deployment outlined on this thread.  We will continue to keep customers updated per the trust incident posted and invidual support tickets accordingly.  

Hello,

Could you confirm me that Services3xx environment (Production copy) are not impacted with this SSL certificat update ?

Hi @LE04935_TCS

According to the original article above, services endpoints are not included in the SSL certificate update, so are not in scope for the change.