Twitter API SSL Root CA Certificate

@rno Arnaud Meunier

Hey developers,

You might have noticed we changed the SSL certificate for the domain. If you're getting errors, you probably just need to install the new Root CA Certificate. You can obtain it directly from Verisign, or from this direct link:

  1. i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

For your Java Applications, be sure to have it installed in the Java Keychain, and think to restart your application. Note we also switched the IP to dedicated VIPs, so clearing your DNS Cache might also be necessary.

Update: If you need to get a list of PEM encoded certificates (including the Verisign one), we actually recommend the usage of Adam Langley's extract-nss-root-certs tool, rather than downloading the cacert.pem file from Take a look on for more info.

2 years 39 weeks ago


@donnykurnia Donny Kurnia


Since 15 July I got this exception in the production server:

A OpenSSL::SSL::SSLError occurred in #:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
/home/vortex/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/net/http.rb:586:in `connect'

Is this related with the certificate changes? Can you point me on how to update the certificate file in the ubuntu server?


2 years 38 weeks ago
@rno Arnaud Meunier

Hey Donny,

Be sure to drop the file in the directory you're loading certificates from. I think it's in /usr/share/ca-certificates on an Ubuntu distribution.

2 years 38 weeks ago
@SocialStay SocialStay

Tried uploading the root certificate, but seem to still be getting the same issue. We're doing a
redirect to the authorization url from our server to circumvent XHR issues on our ajax calls.

The error is being thrown when instantiating a new connection with the Faraday gem to initially
talk to twitter before we grab the request token. Here is the code section that's causing the issue:

def self.oauth_establish_twitter_connection => '') do |conn|
conn.request :url_encoded
conn.adapter :net_http

Any help would be appreciated. This seems to only occur on staging but is not an issue on development.

2 years 37 weeks ago
@donnykurnia Donny Kurnia


Today I finally found a solution. It turn out that omniauth gem read the /etc/ssl/certs/ca-certificates.crt while I have download the latest certificate from as /etc/ssl/certs/ca-bundle.crt.

So, I just backup the original /etc/ssl/certs/ca-certificates.crt then
cp /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt

Suddenly, twitter oauth working again in production server.

Hope this help other that have similar problems.

See also:

2 years 37 weeks ago
@jesusCristo6 jesusmelcky

preciso de revogar meu sertificado

2 years 32 weeks ago
@faye0412 faye PKIX path building failed: unable to find valid certification path to requested target

how to resolve this problem? thanks all...

2 years 26 weeks ago
@faye0412 faye


2 years 26 weeks ago
@abelard2008 pengcz

can you tell me how to fix it? thks in advance!

2 years 23 weeks ago
@marcjacobsdev Marc Jacobs Developm

Hi Fay20412,

I am getting same error in my code during oAuth, can you please provide me steps how to solve the issue, also if possible plz let me know how to add certificates in my application


17 weeks 4 days ago
@joexpert1 Joel Thompson

how do you install the "Root CA Certificate" on windows? Faye0412, how did you fix this?

2 years 26 weeks ago
@ismailsunni Ismail Sunni

have you solved the problem? i'm developing in python 2.7, in windows 7, using tweepy 1.8. I dont understand where I have to put the certificate...

2 years 9 weeks ago
@abelard2008 pengcz

hi, all
for testing streaming API (with SSL Root CA Certificate) in java, Fedora 12,
first, I saved the following contents between BEGIN and END in into ca-certificates.crt

Verisign Class 3 Public Primary Certification Authority - G2


second, I ran the following command:
[abelard@dillon twitterApp]$ keytool -import -alias twitterApp -file ./ca-certificates.crt
I found the file .keystore was created in the directory ~/, and then I copied the file .keystore to the directory:

third, I executed a latest Twitter4j(2.2.5) example(ex. firehose), but I got the classic error as follows:
[Tue Nov 08 18:28:37 CET 2011] PKIX path building failed: unable to find valid certification path to requested target PKIX path building failed: unable to find valid certification path to requested targetRelevant discussions can be on the Internet at:

What should I do? please tell me ,thanks a lot

2 years 23 weeks ago
@ColdTrain_Fools ColdTrain Marciano

I am sill seeing the security error on my computer, what do i do?

2 years 17 weeks ago
@wundercounter Olaf Alders

If you're seeing this issue with the Perl Net::Twitter module, you may be using an outdated version of the Mozilla::CA module. In my case, updating Mozilla::CA cleared up the problem.

  1. cpanm Mozilla::CA
2 years 10 weeks ago
@netik John Adams

Please note that in the upcoming days this will change again, to the G3 root. Make sure your clients and libraries trust the Verisign G2 and G3 roots. Most do.

1 year 51 weeks ago
@David_Horowitz David C. Horowitz

How do you use this with .NET.......

18 weeks 1 day ago
@beingBadtameezz Being Badtameez

I am facing an issue in generating PEM encoded certificates. for twitter api SSL support.
I have used Adam Langley's "extract-nss-root-certs" for generating PEM encoded certificates and also installed "Go" language on my system, but when I am executing "convert_mozilla_certdata.go" for generating PEM certificate, an error gets generated.

[Error - Failed to parse certificate starting on line 25167: x509: negative serial number]

Please refer to the generated Error Log below:

$ go run convert_mozilla_certdata.go >
2014/01/22 12:20:22 Failed to parse certificate starting on line 25167: x509: negative serial number

Please let me know the solution for the same.


12 weeks 3 days ago
@mzapatahe Mauricio Zapata

hello i try to post automatic in python but i cant, i dont know what
the error is

aise TweepError(error_msg, resp)
tweepy.error.TweepError: [{'message': 'SSL is required', 'code': 92}]

i dont know how i can fix it

3 weeks 6 days ago