If you suddenly started seeing certificate errors in your application when trying to connect to our REST API, you may need to update the CA certificates in your local trust store.
Example error messages:
- Unable to get local issuer certificate
- Unable to find valid certification path to requested target
- Self signed certificate in certificate chain
- SSL Peer Certificate Untrusted
Cause
On August 20, 2018 at 9:45 AM Pacific, we updated our REST API's root certificate from Thawte Primary Root CA to DigiCert Global Root CA (this change was announced in June). If the errors you're seeing started on or after August 20, your system does not have our new root certificate installed in its local trust store. This can happen if you have pinned our old certificate, or if your local certificate bundle is out of date.
Note: This issue only applies to requests from your HTTP client to our REST API, not TwiML requests or status callbacks to your server.
Solution
To resolve these errors, simply download and install our updated root certificate. We strongly recommend you install a complete bundle of industry-trusted CA certificates to ensure your application continues operating smoothly whenever certificates change.
Automated Installation
Most operating systems can be updated automatically by running a command to download and install the latest industry-trusted CA certificates. Check your system’s documentation for instructions (e.g. Ubuntu's sudo update-ca-certificates).
Note: Upgrading the Twilio helper library will not resolve this issue, as the library depends on the root certificates installed in your operating system's local trust store.
Manual Installation
If your system requires manual installation of certificates, you can download the latest Mozilla-provided CA certificate bundle in PEM format from curl's website, which already includes our new root certificate.
The specific certificate required from the bundle is DigiCert Global Root CA, which is directly available for download in CRT format from DigiCert.
Be sure to consult your operating system and HTTP client documentation to ensure you install the certificate in the correct location for your trust store and verify your code is referencing that location (example for PHP on Windows).
Caution: We strongly discourage pinning certificates, which can lead to this same issue when changes are made in the future. Please install a complete bundle of trusted CA certificates to ensure continuity of service when certificates are updated.
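To confirm that DigiCert Global Root CA is present in a trust store after installation, a check like the following can be used. This is an added example, not Twilio's code: the function names and the sample stores are constructed for illustration, and it inspects the store that Python's ssl module loads, which may differ from the one your HTTP client references.

```python
import ssl
import time

REQUIRED_ROOT_CN = "DigiCert Global Root CA"  # root CA named in this article


def common_names(name):
    """Extract commonName values from a subject/issuer tuple of RDN tuples."""
    return [value for rdn in name for key, value in rdn if key == "commonName"]


def root_status(ca_certs, cn=REQUIRED_ROOT_CN, now=None):
    """Classify a trust store as 'ok', 'expired' or 'missing' for the given root.

    ca_certs is a list of dicts in the format of SSLContext.get_ca_certs().
    """
    now = time.time() if now is None else now
    matches = [
        c for c in ca_certs
        if cn in common_names(c.get("subject", ()))
        and c.get("subject") == c.get("issuer")  # self-issued, i.e. a root
    ]
    if not matches:
        return "missing"
    if any(ssl.cert_time_to_seconds(c["notAfter"]) > now for c in matches):
        return "ok"
    return "expired"


def check_local_store(cafile=None):
    """Check the platform default store, or one PEM bundle if cafile is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    return root_status(ctx.get_ca_certs())


def _name(cn):  # builds a constructed subject/issuer value
    return ((("commonName", cn),),)


# Constructed sample stores (not real certificate data; dates are made up).
OUTDATED_STORE = [{"subject": _name("thawte Primary Root CA"),
                   "issuer": _name("thawte Primary Root CA"),
                   "notAfter": "Jan 01 00:00:00 2040 GMT"}]
UPDATED_STORE = OUTDATED_STORE + [{"subject": _name(REQUIRED_ROOT_CN),
                                   "issuer": _name(REQUIRED_ROOT_CN),
                                   "notAfter": "Jan 01 00:00:00 2040 GMT"}]

if __name__ == "__main__":
    print("constructed outdated store:", root_status(OUTDATED_STORE))
    print("constructed updated store: ", root_status(UPDATED_STORE))
    print("this machine's store:      ", check_local_store())
```

Pass the path of a downloaded PEM bundle to check_local_store(cafile=...) to inspect that file instead of the system default. Certificates kept in a hashed directory (capath) are not listed by get_ca_certs() until they have been used, so a "missing" result on such systems is not conclusive.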
Additional Information
- Requirements for Connecting to the Twilio REST API and Troubleshooting Common Issues
- Resources for Diagnosing Connection Issues to the Twilio REST API
- Monitoring Updates to Twilio REST API Security Settings
If you need assistance beyond these resources, please contact our Support Team.