If you’re a developer who uses the YouTube API, and if you make your requests to the API using HTTPS, there’s an upcoming change that you should be aware of. Sometime in early 2013, Google will be changing the certificates used for establishing secure HTTPS connections to all of our servers, in what we anticipate will be a backwards-compatible manner. Still, since there are so many slight differences in HTTPS client implementations, we encourage you to test your existing code in advance of this change and to report any issues that you do encounter.
To confirm compatibility today in advance of the production change, you can make test API requests to stage.gdata.youtube.com and uploads.stage.gdata.youtube.com using version 1, 2, or 2.1 of the Data API, as described in this blog post about our staging environment. The new certificates are already in place on those servers. Be sure that you’re using https:// as the protocol.
Update (May 1, 2013): stage.gdata.youtube.com and uploads.stage.gdata.youtube.com have gone back to having the same certificate setup as the production GData API servers.
If you’re using HTTP instead of HTTPS to access the YouTube Data API then you also won’t be affected by the new security certificates—but you really should start using HTTPS!
Developers who still rely on ClientLogin for handling authorization (which we also don’t recommend) have one additional thing to test, even if their actual YouTube API requests don’t use HTTPS: ClientLogin requests are made to https://www.google.com/accounts/ClientLogin. Because we do not have a staging domain name set up for www.google.com, the recommended way of testing ClientLogin in advance of the certificate change is to hardcode the IP address 220.127.116.11 for the domain name www.google.com in the /etc/hosts file of your computer. Be sure to remove that entry when you’re done testing.
We don’t yet have a specific date in mind for making the switch in production, and when we do, it will be added as an update to this blog post. Please don’t wait until the last minute to test your code, though!
Update (March 2013): There is now a certificate test environment set up for developers who are using the YouTube Data API v3 or the YouTube Analytics API. Instead of using the normal www.googleapis.com hostname associated with those APIs, the test environment can be reached at cert-test.googleapis.com. Please do not use this environment for any production traffic, or expect it to have 100% uptime. Once the SSL migration is complete, it will be taken offline.
The exact mechanics of sending requests to the test environment vary depending on which language's client library you're using. For Java, you can make a call to setRootUrl("https://cert-test.googleapis.com/") on your YouTube.Builder object. For Python, you can pass the optional discoveryServiceUrl argument when constructing your client: apiclient.discovery.build("youtube", "v3", discoveryServiceUrl="https://cert-test.googleapis.com/discovery/v1/apis/youtube/v3/rest"). Similar approaches can be used for other languages.
—Jeff Posnick, YouTube API Team
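
The handshake tests described above, as an added Python example that is not from the original post or from Google: it verifies a server's certificate against the system trust store and, through the hypothetical connect_to parameter, pins the IP address for a single connection as an alternative to editing /etc/hosts. The function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
import sys
import time

# Constructed sample in ssl.getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Test CA"),)),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.example.test")),
    "notAfter": "Jun  1 00:00:00 2013 GMT",
}

def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields worth comparing between hosts."""
    now = time.time() if now is None else now
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": int((expires - now) // 86400),
    }

def check_tls(hostname, connect_to=None, port=443, timeout=5.0):
    """Verified handshake; connect_to pins the IP without touching /etc/hosts."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        sock = socket.create_connection((connect_to or hostname, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "stage": "connect", "error": str(exc)}
    try:
        # server_hostname sets SNI and is the name the certificate must match.
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            info = summarize_cert(tls.getpeercert())
            info.update(ok=True, stage="done", protocol=tls.version())
            return info
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "stage": "verify", "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "stage": "handshake", "error": str(exc)}
    finally:
        sock.close()

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, now=1367452800))  # 2013-05-02 00:00 UTC
    if len(sys.argv) > 1:  # usage: script.py HOSTNAME [IP]
        print(check_tls(sys.argv[1], *sys.argv[2:3]))
```

A result with stage "verify" means the client's trust store or hostname matching rejected the certificate, which is the failure this kind of migration test is meant to surface; "connect" and "handshake" point to network or protocol problems instead.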