cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Change of Certification

Labels:

Change of Certification

tim-dev
Explorer | Level 3
‎01-27-2021 03:46 AM
Go to solution

Hi,

 

We are using Dropbox API to download firmware updates to our devices. I understand that there has been a recent change with the certification of your servers. This change causes our update process to fail as we are not using a different certificate.

 

We have been using DigiCert High Assurance EV Root CA to connect api.dropboxapi.com (162.125.69.19) and https://content.dropboxapi.com/ (162.125.69.14) which has been working just fine. Now we get an error "Used wrong CA to verify the peer." It seems like the certificate on the file server has been changed to DigiCert Global Root CA.

 

This means that we can not update our devices anymore. Can this change be reverted or at least can both certificates be accepted for connection to file server?

 

Best,

Labels:
  • 0 Likes
  • 16 Replies
  • 3,992 Views
0 Likes
16 Replies 16

Greg-DB
Dropbox Staff
‎01-29-2021 02:13 PM
Go to solution

I've confirmed with the team that this switch back to DigiCert High Assurance EV Root CA is not permanent. As our current certificates expire, we will be moving away from using EV certificates. Please update your trust store as mentioned, and do so by August. (The current certificate using DigiCert High Assurance EV Root CA for api.dropboxapi.com expires this coming September, so we'll be updating it by then.)

0 Likes

charlesfish
Explorer | Level 3
‎02-01-2021 09:01 AM
Go to solution

Is there a way for us to know when the certificates are about to switch? Like some sort of e-mail notifiaction or something we could sign up for that will warn us when this is going to happen, so we know to update to the new certificates in advance?

 

Thanks!!

Charles Fleck

0 Likes

4mooreben
New member | Level 2
‎02-01-2021 09:03 AM
Go to solution

Thank you for the update. We will work on getting the word out to our customers to prepare them for the change.

0 Likes

Greg-DB
Dropbox Staff
‎02-01-2021 09:28 AM
Go to solution

@charlesfish We don't currently have anything like that, but I'll bring this up with the team to see if we can formalize some sort of system/notification for this. I can't promise if or when that might be implemented though. Thanks for the note!

0 Likes

Greg-DB
Dropbox Staff
‎09-01-2021 01:41 PM
Go to solution

In order to provide more time for clients to update their trust stores, we will continue the use of DigiCert High Assurance EV Root CA until at least January 1st, 2022. We will soon replace the current certificate for api.dropboxapi.com, which expires soon, with another one also from DigiCert High Assurance EV Root CA. However starting starting January 1st, 2022, we may switch our CA at any time, so make sure to update your trust store to trust both DigiCert High Assurance EV Root CA and DigiCert Global Root CA by then.

0 Likes

BartVD
Explorer | Level 3
‎06-05-2023 02:25 PM
Go to solution

Dear Greg,

 

I believe a customer of ours is confronted with the described issue as well.

The concerned device only has the DigiCert High Assurance EV Root CA certificate to connect to ‘api.dropboxapi.com’ (162.125.65.19) for its OTA-updates.

The product is using an older version of the SimpleLink-cc32xx-sdk from TI (< v5.10). This version is not handling the update Dropbox rolled out in August 2021.

If different certificates are used for the Dropbox OTA (CDN) server and the Dropbox fileserver itself, the one that’s needing the ‘DigiCert Global Root CA’ will not work.

Apparently, this is only noticed very late. The update process isn’t triggered regularly or monitored that closely. A warning message from dropbox was not received or was overlooked.

 

The dropbox method is the only way to get the devices updated over the air. The number of devices is significant.

What options do we have to get all these devices updated?

Feel free to contact me at temporary.mail4dropbox@gmail.com

 

Thanks in advance,
Bart

0 Likes

Greg-DB
Dropbox Staff
‎06-06-2023 08:55 AM
Go to solution

@BartVD Thanks for your message. As you found, Dropbox changed the certificate for api.dropboxapi.com from DigiCert High Assurance EV Root CA and it is currently being served with a valid certificate using DigiCert Global Root CA. (You can find the details on the transition in my previous messages from 2021 in this thread.) So, any remaining devices without a more complete trust store, or without at least the two necessary for that transition, would have no longer been compatible once that was done.

 

Unfortunately this isn't user-configurable; in order to connect to api.dropboxapi.com now, clients would need to trust DigiCert Global Root CA to validate the certificate to establish the secure connection. I'm afraid I don't have any other options to offer if the client does not do so.

0 Likes
Need more support?