Twitter API SSL Root CA Certificate

rno
@rno Arnaud Meunier

Hey developers,

You might have noticed we changed the SSL certificate for the api.twitter.com domain. If you're getting errors, you probably just need to install the new Root CA Certificate. You can obtain it directly from Verisign, or from this direct link: http://curl.haxx.se/ca/cacert.pem

    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

For your Java applications, be sure to have it installed in the Java Keychain, and remember to restart your application. Note that we also switched the IP to dedicated VIPs, so clearing your DNS cache might also be necessary.

Update: If you need to get a list of PEM-encoded certificates (including the Verisign one), we actually recommend using Adam Langley's extract-nss-root-certs tool, rather than downloading the cacert.pem file from haxx.se. Take a look at https://github.com/agl/extract-nss-root-certs for more info.

2 years 39 weeks ago

Replies

donnykurnia
@donnykurnia Donny Kurnia

Hi,

Since 15 July I have been getting this exception on the production server:

A OpenSSL::SSL::SSLError occurred in #:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
/home/vortex/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:586:in `connect'

Is this related to the certificate changes? Can you point me to how to update the certificate file on the Ubuntu server?

Thanks.

2 years 38 weeks ago
rno
@rno Arnaud Meunier

Hey Donny,

Be sure to drop the http://curl.haxx.se/ca/cacert.pem file in the directory you're loading certificates from. I think it's in /usr/share/ca-certificates on an Ubuntu distribution.

2 years 38 weeks ago
SocialStay
@SocialStay SocialStay

Tried uploading the root certificate, but seem to still be getting the same issue. We're doing a
redirect to the authorization url from our server to circumvent XHR issues on our ajax calls.

The error is being thrown when instantiating a new connection with the Faraday gem to initially
talk to twitter before we grab the request token. Here is the code section that's causing the issue:

    def self.oauth_establish_twitter_connection
      Faraday.new(:url => 'https://api.twitter.com') do |conn|
        conn.request :url_encoded
        conn.adapter :net_http
      end
    end

Any help would be appreciated. This seems to only occur on staging but is not an issue on development.

2 years 37 weeks ago
donnykurnia
@donnykurnia Donny Kurnia

Hi,

Today I finally found a solution. It turns out that the omniauth gem reads /etc/ssl/certs/ca-certificates.crt, while I had downloaded the latest certificate from http://certifie.com/ca-bundle/ca-bundle.crt.txt as /etc/ssl/certs/ca-bundle.crt.

So, I just backed up the original /etc/ssl/certs/ca-certificates.crt, then
cp /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

Suddenly, Twitter OAuth was working again on the production server.

Hope this helps others who have similar problems.

See also: https://github.com/intridea/omniauth/issues/404#issuecomment-1715745

2 years 37 weeks ago
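The failure mode in this thread, as an added Ruby example that is not part of any post: verification fails when the bundle the library actually reads lacks the issuing root, even though an updated bundle exists under another file name. The roots, leaf and bundle files are constructed test data, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Constructed test PKI (not Twitter's or VeriSign's real certificates).
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/O=Example/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject   # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Subjects of every certificate in a PEM bundle: what this file actually trusts.
def bundle_subjects(path)
  File.read(path).scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem).subject.to_s }
end

# Verify a certificate against one explicit bundle, as a client given a ca_file would.
def verify_with_bundle(leaf, path)
  store = OpenSSL::X509::Store.new
  store.add_file(path)
  [store.verify(leaf), store.error_string]
end

def write_bundle(certs)
  Tempfile.new(['bundle', '.pem']).tap { |f| f.write(certs.map(&:to_pem).join); f.flush }
end

def run_demo
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert('Old Root', old_key, 1)
  new_root = make_cert('New Root', new_key, 2)
  leaf = make_cert('api.example.test', leaf_key, 3, issuer: new_root, issuer_key: new_key)
  stale = write_bundle([old_root])            # the file the library actually reads
  fresh = write_bundle([old_root, new_root])  # updated bundle saved under another name
  { stale: verify_with_bundle(leaf, stale.path), fresh: verify_with_bundle(leaf, fresh.path),
    fresh_subjects: bundle_subjects(fresh.path) }
end

puts "default ca_file: #{OpenSSL::X509::DEFAULT_CERT_FILE} (SSL_CERT_FILE overrides it)"
p run_demo
```

Running `bundle_subjects` against the path printed on the first line shows whether the root you need is in the file your Ruby build loads by default.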
jesusCristo6
@jesusCristo6 jesusmelcky

I need to revoke my certificate

2 years 32 weeks ago
faye0412
@faye0412 faye

:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

how to resolve this problem? thanks all...

2 years 26 weeks ago
faye0412
@faye0412 faye

fixed..

2 years 26 weeks ago
abelard2008
@abelard2008 pengcz

Can you tell me how to fix it? Thanks in advance!

2 years 23 weeks ago
marcjacobsdev
@marcjacobsdev Marc Jacobs Developm

Hi faye0412,

I am getting the same error in my code during OAuth. Can you please provide the steps to solve the issue? Also, if possible, please let me know how to add certificates in my application.

Thanks

17 weeks 4 days ago
joexpert1
@joexpert1 Joel Thompson

How do you install the "Root CA Certificate" on Windows? Faye0412, how did you fix this?

2 years 26 weeks ago
ismailsunni
@ismailsunni Ismail Sunni

Have you solved the problem? I'm developing in Python 2.7, on Windows 7, using tweepy 1.8. I don't understand where I have to put the certificate...

2 years 9 weeks ago
abelard2008
@abelard2008 pengcz

hi, all
for testing streaming API (with SSL Root CA Certificate) in java, Fedora 12,
first, I saved the following contents between BEGIN and END in http://curl.haxx.se/ca/cacert.pem into ca-certificates.crt

Verisign Class 3 Public Primary Certification Authority - G2


second, I ran the following command:
[abelard@dillon twitterApp]$ keytool -import -alias twitterApp -file ./ca-certificates.crt
I found the file .keystore was created in the directory ~/, and then I copied the file .keystore to the directory:
/software/spring-mvc/jdk1.6.0_22/jre/lib/security/

third, I executed the latest Twitter4j (2.2.5) example (e.g. firehose), but I got the classic error as follows:
[Tue Nov 08 18:28:37 CET 2011]sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Relevant discussions can be on the Internet at:

What should I do? Please tell me, thanks a lot.

2 years 23 weeks ago
ColdTrain_Fools
@ColdTrain_Fools ColdTrain Marciano

I am still seeing the security error on my computer, what do I do?

2 years 17 weeks ago
wundercounter
@wundercounter Olaf Alders

If you're seeing this issue with the Perl Net::Twitter module, you may be using an outdated version of the Mozilla::CA module. In my case, updating Mozilla::CA cleared up the problem.

    cpanm Mozilla::CA

2 years 10 weeks ago
netik
@netik John Adams

Please note that in the upcoming days this will change again, to the G3 root. Make sure your clients and libraries trust the Verisign G2 and G3 roots. Most do.

1 year 51 weeks ago
David_Horowitz
@David_Horowitz David C. Horowitz

How do you use this with .NET.......

18 weeks 1 day ago
beingBadtameezz
@beingBadtameezz Being Badtameez

Hello,
I am facing an issue in generating PEM-encoded certificates for Twitter API SSL support.
I have used Adam Langley's "extract-nss-root-certs" for generating PEM-encoded certificates and also installed the "Go" language on my system, but when I execute "convert_mozilla_certdata.go" to generate the PEM certificates, an error is generated.

[Error - Failed to parse certificate starting on line 25167: x509: negative serial number]

Please refer to the generated Error Log below:

$ go run convert_mozilla_certdata.go > certdata.new
2014/01/22 12:20:22 Failed to parse certificate starting on line 25167: x509: negative serial number
$
$
$

Please let me know the solution for the same.

regards,
Deepak

12 weeks 3 days ago
mzapatahe
@mzapatahe Mauricio Zapata

Hello, I am trying to post automatically in Python but I can't, and I don't know what
the error is:

    raise TweepError(error_msg, resp)
tweepy.error.TweepError: [{'message': 'SSL is required', 'code': 92}]

I don't know how I can fix it.

3 weeks 6 days ago