When announcing tasks or trying to connect to Urbantz you might receive an error message related to a certificate problem.
This article lines out what the reason for this message is and what you can do to correct these errors.
- How does the certificate system work?
- Issue of the 30/09
1. How does the certificate system work?
Whenever two computer programs attempt to communicate securely over (HTTPS / TLS / SSL), they do so by first negotiating a secret key to encrypt the communication. This happens by first exchanging a set of certificates. This is called PKI and you can read more here Public key infrastructure - Wikipedia
It works as a chain of certificates and all certificates have an expiration date.
At Urbantz, we request a Leaf Certificate and the public part of that certificate is sent along with the response to all HTTPS requests towards Urbantz (both requests that come from the browser for the web application and API requests).
Then, the client application (web browser or IT system) verifies our certificate by verifying the chain.
All the client system needs is a collection of up-to-date Root CA Certificates to be able to verify the public part of our Leaf Certificate that we send for each request. It's usually the operating system that regularly updates this list of Root CA Certificates.
2. Issue of 30/09/2021
On 30/09 a long time planned change has been done on Let's Encrypt side. As a result older devices and services that don’t trust a certain certificate get certificate warnings when visiting websites that use Let’s Encrypt certificates or when interacting with systems using Let’s Encrypt certificates.
For most users and systems this change was transparent.
Please refer to for more detailed information: DST Root CA X3 Expiration (September 2021) - Let's Encrypt
Now that we established the way we work with certificates we can look into what you can do if you encounter issues.
Actions are to be taken on your side as the responsibility of the maintenance of your systems is independent of Urbantz.
As a workaround and short-term solution: Manually trust our certificate. This will fix the issue for 30 days until certificates are automatically renewed again.
We highly recommend implementing the long term solution laid out below as soon as possible.
As a long term solution, you need to update your Operating System and your certificate authority database.
For Debian/Ubuntu machines update the package Debian -- Details of package ca-certificates in sid
For Windows machines update windows to the latest version available and enable "Automatic root certificates update"
If after trying out the solution suggested you require help from our side, please contact us at firstname.lastname@example.org providing the below information:
What library version are you using to call us (Curl, okhttp, nodejs, etc...)
CA (Certificate Authorities) database version
- Underlying OS (Operating System)
In general, try to avoid using EOL Operating systems and keep up with security updates from the software vendors. You can see a list of supported devices/Operating Systems here, under the title "Platforms that trust ISRG Root X1".