cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Change of Certification

Labels:

Change of Certification

tim-dev
Explorer | Level 3
‎01-27-2021 03:46 AM
Go to solution

Hi,

 

We are using Dropbox API to download firmware updates to our devices. I understand that there has been a recent change with the certification of your servers. This change causes our update process to fail as we are not using a different certificate.

 

We have been using DigiCert High Assurance EV Root CA to connect api.dropboxapi.com (162.125.69.19) and https://content.dropboxapi.com/ (162.125.69.14) which has been working just fine. Now we get an error "Used wrong CA to verify the peer." It seems like the certificate on the file server has been changed to DigiCert Global Root CA.

 

This means that we can not update our devices anymore. Can this change be reverted or at least can both certificates be accepted for connection to file server?

 

Best,

Labels:
  • 0 Likes
  • 16 Replies
  • 3,969 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎01-27-2021 05:22 PM
Go to solution

We've switched content.dropboxapi.com back to using DigiCert High Assurance EV Root CA. Please let us know if you're still seeing any issues.

 

@4mooreben Yes, that's correct, this switch should not be considered permanent. We recommend updating the trust store, to trust both roots if possible. I'll ask the team for some longer term guidance as to a timeline.

View solution in original post

0 Likes
16 Replies 16

Greg-DB
Dropbox Staff
‎01-27-2021 07:41 AM
Go to solution

Thanks for writing this up. The content.dropboxapi.com servers are now being served with a certificate using DigiCert Global Root CA. I'll ask the team to see if we can switch that back to DigiCert High Assurance EV Root CA (or support both), but I can't guarantee if/when that would be done. I'll follow up here with any updates on that.

 

Either way, we recommend updating your trust store to include DigiCert Global Root CA if possible.

0 Likes

4mooreben
New member | Level 2
‎01-27-2021 08:23 AM
Go to solution

Hi Greg,

This issue is impacting many embedded client devices which do not maintain a complete certificate trust store and use Dropbox for distributing firmware updates. Instead of a complete certificate trust store, the client devices must be loaded with select certificates that are needed for verifying certificate chains when establishing secure connections to a server.

 

Since Dropbox is the only server that is being used for distributing updates in some cases, these devices can't be updated to use the new root CA without first switching the servers back to the old root CA.

 

We need to start a discussion with Dropbox on how we can resolve this issue for our mutual customers. I think this would be best handled off the forum. Please see my email below to contact me directly.


Best Regards,

Ben M

<email address redacted>

0 Likes

Greg-DB
Dropbox Staff
‎01-27-2021 08:27 AM
Go to solution

@4mooreben Thanks for the additional information! This has been raised with team internally. I'll follow up here once I have any news on this from them.

 

I've redacted your email address for the sake of privacy, but for reference, you can always open an API ticket privately here if you need.

0 Likes

4mooreben
New member | Level 2
‎01-27-2021 08:29 AM
Go to solution

Perfect. Thank you!

-Ben M

0 Likes

Greg-DB
Dropbox Staff
‎01-27-2021 09:58 AM
Go to solution

We are working on switching this back now. I'll follow up here once that's done.

0 Likes

4mooreben
New member | Level 2
‎01-27-2021 11:12 AM
Go to solution

Thanks, Greg. I'll continue to monitor for updates.

I assume this wouldn't be a permanent change on your side. I think it would be good to review the timeline around how long you can keep it switched back for. We will start communicating to our customers asap to make sure they are aware.

 

Best,

Ben M

0 Likes

Greg-DB
Dropbox Staff
‎01-27-2021 05:22 PM
Go to solution

We've switched content.dropboxapi.com back to using DigiCert High Assurance EV Root CA. Please let us know if you're still seeing any issues.

 

@4mooreben Yes, that's correct, this switch should not be considered permanent. We recommend updating the trust store, to trust both roots if possible. I'll ask the team for some longer term guidance as to a timeline.

0 Likes

tim-dev
Explorer | Level 3
‎01-27-2021 10:23 PM
Go to solution

Thank you very much for your fast response. The update procedure works now. It is important for us to know how long this change will be effective, in order to communicate with our customers for a firmware update. Please let us know as soon as you hear back from the team.

0 Likes

charlesfish
Explorer | Level 3
‎01-29-2021 08:42 AM
Go to solution

I also am interested in how long this change will persist for. We have some boards that use OTA that we plan on using for testing during the next few weeks. They are supposed to go out Monday, but if we have to deal with changing certificates during the next month or two, we will have to push back our release to implement a method to handle that.

 

Thanks in advance,

Charles

0 Likes
Need more support?