GoCardless API: Migration of API certificate authority
Hi Rich,
I'm not sure if this will have any implications on the extension overall?
I recently received the following email from GoCardless, so thought sharing it here might be a good start?
At GoCardless, we are always striving to maintain high-security standards to protect our partners, merchants and customers. As part of this commitment, we will be making a change to the certificates used on our public API endpoints. On 1st October 2022, we will change the certificate authority from DigiCert to Let’s Encrypt. According to our records of your organisation’s requests, you are using a client library version that is pinning an incorrect certificate, and therefore must be upgraded before 1st of October 2022 to continue working.
What action do I need to take?
You will need to upgrade your PHP client library version (aka gocardless-pro-php) to version v4.14.0 or greater before the 1st October 2022.
If you are using OpenSSL as part of your integration then you will need to ensure that this is either at version 1.1.0 or later, or that the ‘DST Root CA X3’ certificate (which is now no longer valid) is not present in your certificate trust store, as detailed here. To validate that your API integration will still function correctly, especially after any changes, you can use our sandbox environment. The sandbox API (which you can find within your API using xxx) has been configured to serve the same type of Let’s Encrypt certificates as the main API will do. Whilst we advise against pinning in our API reference, we recently discovered that older versions of the client library included this functionality. We’d like to take this opportunity to apologise for any inconvenience caused, but thank you for your patience and understanding as we strive to deliver the best product possible. Please don’t hesitate to contact us at help@gocardless.com should you have any questions or require assistance with anything else.
Why are we making this change?
Using a secure transport for HTTP connections to our API and services is a baseline control that protects customer information. Currently, we use a wildcard certificate that covers the API address, as well as other subdomains, that is manually renewed and updated. Migrating to the Let’s Encrypt (R3) certificate authority, which is quickly becoming an industry standard, allows us to continue to scale and provide reliable service by provisioning much shorter-lived certificates for targeted subdomains in an automated manner in line with best practices.
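For anyone wanting to check their own integration against the three points in that notice (client library at v4.14.0 or later, OpenSSL at 1.1.0 or later, and no expired 'DST Root CA X3' root left in the trust store), here is an added example of a pre-migration check. It is constructed for this thread and is not GoCardless's code or part of gocardless-pro-php. Assumptions: the certificate scan is a heuristic that pulls commonName attributes out of DER by their OID rather than a full X.509 parser, so it relies on the issuer Name preceding the subject Name in a certificate; the sample bundle is made of fabricated byte strings, not real certificates; and the name "ISRG Root X1" (Let's Encrypt's own root, which was historically cross-signed by DST Root CA X3) is mine, not something the notice mentions.

```python
"""Pre-migration checks for the GoCardless CA change (constructed example,
not GoCardless or gocardless-pro-php code).

Checks: client library tag >= v4.14.0, OpenSSL >= 1.1.0, and whether a PEM
trust bundle still carries the expired 'DST Root CA X3' root (or anything
cross-signed by it). The DER scan is a heuristic on the commonName attribute,
not a full X.509 parser."""
import base64
import re
import ssl

MIN_CLIENT = (4, 14, 0)           # from the notice: gocardless-pro-php >= v4.14.0
MIN_OPENSSL = (1, 1, 0)           # from the notice: OpenSSL >= 1.1.0
STALE_ROOT_CN = "DST Root CA X3"  # expired root named in the notice

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_CN_OID = b"\x06\x03\x55\x04\x03"  # DER: OBJECT IDENTIFIER 2.5.4.3 (commonName)
_STRING_TAGS = {0x13, 0x0C, 0x16}  # PrintableString, UTF8String, IA5String


def parse_version(tag):
    """'v4.13.2' -> (4, 13, 2); accepts the tag with or without a leading 'v'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"not a semantic version: {tag!r}")
    return tuple(int(x) for x in m.groups())


def client_library_ok(tag):
    return parse_version(tag) >= MIN_CLIENT


def openssl_ok(version_info=None):
    """Default: the OpenSSL this interpreter links; pass a tuple to check another."""
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    return tuple(version_info[:3]) >= MIN_OPENSSL


def common_names(der):
    """Every commonName value in a DER blob, in order of appearance.
    In a certificate the issuer Name precedes the subject Name, so the first
    CN found is the issuer's and the last is the subject's."""
    names, pos = [], 0
    while (i := der.find(_CN_OID, pos)) >= 0:
        pos = i + len(_CN_OID)
        if pos + 2 > len(der):
            break
        tag, length = der[pos], der[pos + 1]
        if tag in _STRING_TAGS and length < 0x80:  # short-form length only
            names.append(der[pos + 2:pos + 2 + length].decode("latin-1"))
    return names


def stale_root_report(pem_text):
    """Index the certificates in a PEM bundle that are the expired root itself
    (issuer CN == subject CN == DST Root CA X3) or were issued by it."""
    report = {"root": [], "issued_by_root": []}
    for n, body in enumerate(_PEM_RE.findall(pem_text)):
        names = common_names(base64.b64decode("".join(body.split())))
        if not names:
            continue
        if names[0] == STALE_ROOT_CN and names[-1] == STALE_ROOT_CN:
            report["root"].append(n)
        elif names[0] == STALE_ROOT_CN:
            report["issued_by_root"].append(n)
    return report


# --- constructed sample data (not real certificates) ---------------------
def _fake_der(issuer_cn, subject_cn):
    """Byte string shaped like the parts of a certificate the scanner reads:
    an issuer CN followed by a subject CN. Not a valid X.509 structure."""
    def cn(s):
        return _CN_OID + b"\x13" + bytes([len(s)]) + s.encode()
    return b"\x30\x82\x01\x00" + cn(issuer_cn) + b"\x30\x0d" + cn(subject_cn)


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    _pem(_fake_der("DST Root CA X3", "DST Root CA X3"))  # the expired root: remove
    + _pem(_fake_der("DST Root CA X3", "ISRG Root X1"))  # cross-signed by it: review
    + _pem(_fake_der("ISRG Root X1", "ISRG Root X1"))    # Let's Encrypt's own root: keep
    + _pem(_fake_der("Example Root", "Example Root"))    # unrelated anchor: keep
)


def run_checks(client_tag, pem_text, openssl_version=None):
    """Aggregate the three checks from the notice into one dict."""
    stale = stale_root_report(pem_text)
    return {
        "client_library_ok": client_library_ok(client_tag),
        "openssl_ok": openssl_ok(openssl_version),
        "stale_root_present": bool(stale["root"]),
        "stale_root_report": stale,
    }


if __name__ == "__main__":
    # An integration that would break on 1st October: old library, old OpenSSL,
    # expired root still trusted.
    print(run_checks("v4.13.2", SAMPLE_BUNDLE, (1, 0, 2)))
```

To run it against a real setup, pass the tag from your composer.lock, the contents of the CA bundle cURL or PHP actually uses (check `openssl.cafile` / `curl.cainfo` in php.ini), and leave the OpenSSL argument off so the interpreter's own linked version is read. The cross-signed entry is reported separately rather than flagged as the stale root, since a certificate issued by DST Root CA X3 is only a problem if the client still chains up to the expired root; with OpenSSL 1.1.0 or later the notice says that chain is handled correctly.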