TLS Certificate Validity
Incident Report for SmartyStreets
Resolved
This incident has been resolved.
Posted May 30, 2020 - 20:48 UTC
Monitoring
A fix has been implemented and we are monitoring the results.
Posted May 30, 2020 - 18:22 UTC
Identified
The TLS certificate we are using is based upon a cross-signed root certificate issued by Comodo. One of the trust pathways expired at around 7:00AM Eastern Time today. The expired trust pathway has been mitigated in modern and updated software systems including web browsers and operating systems. A handful of clients using older (often unmaintained or unsupported) operating systems and versions (including RedHat Linux 4.x or old versions of libcurl and OpenSSL) have been experiencing connectivity issues because updates to root certificates were not available on these older systems.

As a mitigating effort, we identified a third possible trust pathway that many of these older clients might be able to utilize with our cross-signed certificate and we added the appropriate intermediate certificates in the chain in order to allow that alternate pathway to be utilized so long as the additional certificate authority (AAA Certificate Services, expiration 2028) is trusted by the system.

For clients that continue to experience ongoing TLS connectivity issues, the only other possible alternative at this point is to manually add the newer version of the AddTrust Certificate Authority to your system "trust store" location: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

For additional information on the certificate chain, please utilize the SSL Labs report found here:
https://www.ssllabs.com/ssltest/analyze.html?d=api.smartystreets.com&hideResults=on
Posted May 30, 2020 - 18:19 UTC
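
The "Identified" update above describes three trust pathways for one cross-signed certificate. The following is an added example, not SmartyStreets code, that models which client trust stores can still reach a valid root before and after the extra intermediate was added. Names marked "(constructed)", the sample trust stores, the assumption that the original chain carried the AddTrust cross-certificate, and every date other than the two expiries stated in the report are assumptions.

```python
from datetime import datetime, timezone

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

# Constructed model: names marked (constructed) and all dates except the two
# expiries taken from the report are assumptions. Signatures are not modelled.
ADDTRUST, AAA = "AddTrust External CA Root", "AAA Certificate Services"
NEWER, ISSUING, LEAF = "Newer root (constructed)", "Issuing CA (constructed)", "leaf (constructed)"
EXPIRED_AT = utc(2020, 5, 30, 11)   # about 7:00 AM Eastern, per the report
ROOTS = {ADDTRUST: EXPIRED_AT, AAA: utc(2028, 12, 31), NEWER: utc(2038, 1, 1)}

# Non-root certificates as (subject, issuer, not_after). The same subject
# under two issuers is what cross-signing looks like.
BASE = [(LEAF, ISSUING, utc(2021, 1, 1)), (ISSUING, NEWER, utc(2030, 1, 1))]
BEFORE_FIX = BASE + [(NEWER, ADDTRUST, EXPIRED_AT)]      # assumed original chain
AFTER_FIX = BASE + [(NEWER, AAA, utc(2028, 12, 31))]     # alternate pathway added

def trusted_roots(served, trust_store, now, subject=LEAF):
    """Return the trusted roots reachable from subject through unexpired certs."""
    found = set()
    if subject in trust_store and now < ROOTS.get(subject, now):
        found.add(subject)                    # chain ends at a valid trust anchor
    for subj, issuer, not_after in served:
        if subj == subject and now < not_after:
            found |= trusted_roots(served, trust_store, now, issuer)
    return found

MODERN = {NEWER, AAA}          # updated root store
LEGACY = {ADDTRUST, AAA}       # never received the newer root
OLDEST = {ADDTRUST}            # trusts neither alternative

if __name__ == "__main__":
    now = utc(2020, 5, 30, 16, 35)   # when the incident was opened
    for name, store in [("modern", MODERN), ("legacy", LEGACY), ("oldest", OLDEST)]:
        for label, served in [("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)]:
            roots = trusted_roots(served, store, now)
            print(f"{name:7} {label:10} -> {sorted(roots) or 'handshake fails'}")
```

The OLDEST store still fails after the fix, which is the case where the root has to be added to the trust store by hand.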
Update
A preliminary analysis appears to show that this is affecting systems which are using an older "root certificate". We are researching the best way to help users mitigate the issue.

There appear to be other reports about this on other services as well:
https://security.stackexchange.com/questions/232445/https-connection-to-specific-sites-fail-with-curl-on-macos/232448#comment475027_232446
Posted May 30, 2020 - 16:40 UTC
Investigating
We are investigating reports of users receiving TLS certificate validity errors.
Posted May 30, 2020 - 16:35 UTC
This incident affected: US Autocomplete API, US Autocomplete Pro API, US ZIP Code API (us-east, us-central, us-west), US Extract API (us-east, us-central, us-west), International Street API (us-east, us-central, us-west), and US Street Address API (us-east, us-central, us-west).