Certificate renewal for shotgunstudio.com

On August 16th, we will renew the SSL certificates for *.shotgunstudio.com. This change will be effective for all users, globally.

The standards around HTTPS encryption are evolving and certificate rotations can break older toolkit versions, including DCC integrations. Please validate that you are using supported versions of the Shotgun API, Shotgun Desktop and Toolkit integrations.

What will happen if I don’t update?

Requests made through old versions of our tools/APIs may start failing. A handful of users may also see SSL Validation or SSL Handshake errors when trying to communicate with ShotGrid sites.

What do I need to update?

Make sure you are running a version of our tools/APIs that is recent enough to be supported. There are approximately one hundred unique users identified who are running versions of tools old enough to be at risk of facing a problem (less than 0.02% of our user base). Tools/integrations older than 3 years have not been supported by Autodesk. More specifically, users must meet the following requirements:

  • Minimal version of the Python API: 3.0.37
  • Minimal version for SG Desktop: 1.5.3
  • Desktop integration in supported Engine version

Resources

Supported versions of DCCs for Toolkit Integrations Apps and Engines.

4 Likes

Hey folks!

Is there a minimum core requirement for the cert renewal? I’d guess that any currently-functional core is fine, since everything that used <v3.0.37 of the API was deprecated back during the S3 update, but I just wanted to double-check since that’s been a repeated tripping point in the past.

Thanks so much in advance!

1 Like

Yes, that’s right. The oldest supported version for tk-core is 0.18.149, which upgraded the Python API to v3.0.37, our oldest supported Python API version.

2 Likes

We’ve often had issues with this in our own scripts despite using an up to date copy of the API and end up having to manually install the certificates.
Can we get a link to where we can find the new certificate file for if it needs manual installing again?

3 Likes

Hi Gary,

Long time no see! :grinning_face_with_smiling_eyes:

A while back we reviewed how certificates were being used with the Python API and we are now bundling certifi with it. This should solve the out of date certificate problems for good, as long as you update every year or so. So if you’ve updated the Python API in the last 8 months to the latest you should be good. The first release of the API that had a bundled copy of certifi was v3.2.6.

If you’re also using Toolkit (which includes a copy of shotgun_api3), you can update tk-core to v0.19.18 or more recent.

If for some reason you still get a CERTIFICATE_VERIFY_FAILED error (and at that point, I would assume it’s because we screwed up and didn’t update certifi for a while), you can pull down the latest cacert.pem from the certifi repository and set SHOTGUN_API_CACERTS=/path/to/the/cacert.pem.

I hope this clarifies everything,

JF

4 Likes

Hello all,

Is there a way to test in advance if my config will work after the 16.8?

We have to use the SHOTGUN_API_CACERTS way because of an old tk-core version (v0.18.172). And I don’t want to update the tk-core version on this config. I’d like to test it in advance because we had some issues on the last Amazon cert update.

Jonas

1 Like

Hi Jonas, there is no easy way to validate this in advance. Every new certificate update has a chance of breaking integration with non-supported/deprecated integrations and Toolkit versions. The only bullet-proof solution is to use supported versions.

The closest would be to create a trial site and to try your setup on that trial site, but that would require some work on your side.

I’m a little confused still @Guillaume you said that v3.0.37 is the lowest version that should be supported. Whereas @jfboismenu you’ve said that v3.2.6 is the earliest one that contains the certs.

Which one do we need to make sure we’re using everywhere?

Also, if you have one hundred unique users identified, could you please contact them to let them know that they’re not using the correct versions? That way we can be sure we need to change some things.

Cheers

Hi @jaredauty ,
What we mean is that you are free to use API 3.0.27 if you want, as we support it. However, that version API might have issues with certain OSes and versions of Python, in which case you would need to set SHOTGUN_API_CACERTS. If you upgrade your Python API to 3.2.6 however, you likely will not need to use SHOTGUN_API_CACERTS.
Cheers,
JF

Ah ok, that makes sense!
Thanks

Hey @jfboismenu

Just wondering whether the cert change has been done already or will be done later? I saw the maintenance update yesterday and was hoping that was an early move? I don’t see a difference in the cert on our shotgun site but maybe I’m looking in the wrong place.
Would be great to know exactly when this is happening so we know when we can breathe a sigh of relief :slight_smile:

Cheers

Hi,
When you say “Minimum version of Python API: 3.0.37”, is this referring to the python API that is bundled and shipped with SG or our locally installed Python at the studio? Because our studio is still using Python 2.7, and we are far from converting to Py3, though in progress.
Our Shotgun Core is v0.19.18.
We faced the CERT error this morning and users can’t access SG.

Side note: This kind of important message should really be sent to Admins in an email with emphasis on the importance of the update, instead of an announcement on the forum. As much as I love the SG forum, we can’t keep up with the postings. Our company has come to halt since this morning.

We’re also having trouble with the update, specifically in our installation of Deadline. Even though by all appearances Deadline has a recent enough SG API, it’s failing all uploads. Setting up the SHOTGUN_API_CACERTS environment variable didn’t work, possibly because Python running within Deadline is in a different context. This makes updating scripts, the API and environment variables temperamental.

I would love some more detailed instructions on how to tackle this and what it means. The official guides fall very short for our use case, because they seem to assume the default case will work.

The old fix that we eventually figured out was double clicking the .cer file and then manually installing to trusted root certificate authority. However the new .cem files don’t seem to work the same, and I don’t see any indication of how to manually put them in the certificate store (or if I can).

Hi @Shervinion,

3.0.37 is referring to the Python API version, not the Python version used by the studio. Core version v0.19.18 should be compatible, but ultimately it comes down to how Toolkit is configured at your studio. SSL validation happens deep in the system and the issue can be coming either from the version of Python that ends up being used, from the engine, etc. Please open a support ticket if you need further help.

Regarding the announcement, we are sorry you missed it. It was also announced with a banner to all admins in the Shotgun Web App on June 28th, pointing to this article.

Various of my clients are experiencing SSL related errors in SG Desktop since the certificate change. Mostly related to downloading a new Distributed config.

Is there any more technical information on troubleshooting this?
Is the ShotGrid Ecosystem document up to date?

Hi Ricardo,
Please make sure your clients are using the most recent version of SG Desktop possible. The oldest version currently supported is 1.5.3. If your clients are at a supported version and still running into issues, please open a support ticket.

Hi Gary,

This isn’t necessarily the correct solution but it might get you unblocked until the problem is figured out.

Inside your Deadline Repository folder there is a ShotgunUtils.py file at [DeadlineRepo]/events/Shotgun. In this file there are two functions that are responsible for creating a SG connection: GetShotgunForEventPlugin and GetShotgunForUserLogin. The Shotgun constructor can take a path to the certificate file. You can update this file and see if it solves your problem for now.

sgObject = shotgun_api3.shotgun.Shotgun( ..., ca_certs=[path_to_cert_file])

I hope this gets you unblocked.

1 Like
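A diagnostic for the two overrides named in the replies above (the SHOTGUN_API_CACERTS variable and the ca_certs constructor argument), as an added example that is not part of the original thread and is not Autodesk's code. It targets Python 3.7+ and uses only the standard library plus certifi if it is installed; the function names and the precedence order are assumptions made for this sketch.

```python
import os
import socket
import ssl

ENV_VAR = "SHOTGUN_API_CACERTS"  # environment variable named in the thread


# Assumed precedence: explicit ca_certs, then ENV_VAR, then certifi, then OS store.
def pick_ca_bundle(ca_certs=None, environ=None):
    """Return (source, path) for the CA bundle this interpreter would trust."""
    environ = os.environ if environ is None else environ
    if ca_certs:
        return "ca_certs argument", ca_certs
    if environ.get(ENV_VAR):
        return ENV_VAR, environ[ENV_VAR]
    try:
        import certifi  # optional; only used when importable
        return "certifi", certifi.where()
    except ImportError:
        return "system default", None


def bundle_problem(path):
    """Return None if the PEM bundle loads CA certificates, else a reason."""
    if path is None:
        return None
    if not os.path.isfile(path):
        return "file not found: %s" % path
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        return "not a usable PEM bundle: %s" % exc
    if not ctx.get_ca_certs():
        return "no CA certificates loaded"
    return None


def probe(host, cafile=None, port=443, timeout=10):
    """Attempt a fully verified TLS handshake; return (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None uses OS store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "CERTIFICATE_VERIFY_FAILED: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
```

Run it from the same interpreter and environment that fails (for example, the Python embedded in a render-farm plugin), calling `probe()` with your own site's hostname and the path returned by `pick_ca_bundle()`; an environment variable set in a login shell is not necessarily visible there.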

Hi Guillaume,

Just wanted to chime in from a support stand point. I think what most folks are saying and requesting from SG is that you guys provide a simple tool [e.g. script that can be run] or you tell the users explicitly how to go about finding this information.

I think the problem lies in assuming everyone on this forum is a developer but the truth of the matter is probably more than half are winging it as best they can. So, for future reference and support for all, assume your end users know nothing. Hold their hand whether they need it or not. The pros will get it and hopefully the novices will too.

That said, thanks and please share this bit of advice to the rest of support. <3

1 Like

Thanks Dan… I very much agree with what you have said.
This should be something that any SG user is able to manage “fixing” easily on their own, without taking up too much time, so they can focus on their “job”. Even if someone does know how to implement the solutions that have been suggested in this community, it would be nice to have support even if not needed, as I find often this is how people learn new things.

Also agree very much – please share this info with support, so they can provide proper information and help to those who need it.

If anyone is experiencing ShotGrid Desktop troubles with SSL, distributed configs not downloading due to download errors, etc…

I suggest to completely nuke your SG Desktop Cache dir (leave nothing).
Update to the latest SG Desktop and then let it go through the complete Out of The Box Experience again.
Once it’s redownloaded all its configs, it seems to be perfectly able to download distributed configs once again…

(For the record, I upgraded to the latest SG Desktop before clearing and it wouldn’t budge…, something definitely went wrong in the pre-existing cache that was not compatible with new SSL Certs, or something… :woman_shrugging:)

4 Likes