IT Help and Support

University Information Services
 
  • UIS is replacing the TLS certificates on Lookup on Tuesday 30 November 2021, before its current certificates expire the day after.
     
  • If you use PHP or Python client libraries to interface with the Lookup API, you’ll need to upgrade to the latest version to maintain access.
     
  • If you use LDAP to connect to Lookup, you’ll need to make sure that your LDAP client can use the operating system’s built-in list of trusted certificate roots.

 

What is happening

We’re replacing the TLS certificates that secure the Lookup website, LDAP service and API on Tuesday 30 November 2021, when the current certificates expire. The new certificate will be from a different supplier because we recently launched a new Jisc-based digital certificate service.

We’ve updated the PHP and Python libraries for interfacing with the Lookup API to version 1.3.0 to accommodate the certificate change. The libraries now use the operating system’s built-in list of trusted certificate suppliers.

 

Who will be affected and actions required

Users of the Lookup PHP and Python libraries will need to upgrade to version 1.3.0 before Tuesday 30 November to ensure the libraries maintain a connection to the Lookup API. The latest version of the API client libraries is available from the University Developers’ Hub. Alternatively, the Python library is available on PyPI.

If you use the LDAP service to connect to Lookup, make sure that your LDAP client can use the operating system’s built-in list of trusted certificate roots. Unfortunately, we’re unable to determine this remotely on your behalf, so you’ll need to check your configuration. You should do this before Tuesday 30 November to ensure your LDAP client will maintain its connection to Lookup after the certificate update.

Users of the Java client library are not affected. Web browser access to Lookup will also be unaffected.

 

Further information

 

Information for advanced users

On the use of OS-provided certificate trust roots

Certain advanced users may already be providing a fixed Certificate Authority (CA) trust root for Lookup. This is sometimes called "certificate-pinning". We do not recommend this approach. Where possible, you should use the OS-provided certificate root store.

We’re unable to commit to keeping the root CA for Lookup constant. We’ll provide as much notice on changes as possible, but may need to change the trust root certificate rapidly in response to exceptional events, such as a compromise of the CA or of the Lookup service itself.

See https://unix.stackexchange.com/a/487546 for an example of how the current root CA certificates for Lookup may be extracted. The appropriate address to use with openssl s_client is ldap.lookup.cam.ac.uk:646.
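
One way to check an LDAP client configuration for a pinned trust root or relaxed verification, as an added example that is not UIS code. It assumes an OpenLDAP-style ldap.conf; the function name, the system bundle paths and the sample configuration are illustrative assumptions, not values from this announcement.

```python
# Added example: audit OpenLDAP-style ldap.conf text for trust settings that
# pin a private CA or relax verification. Paths below are assumptions: common
# distro locations of the OS trust store, not values from the announcement.
SYSTEM_TRUST = {
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu bundle
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/Fedora bundle
    "/etc/ssl/cert.pem",                   # BSD/macOS/Alpine bundle
    "/etc/ssl/certs",                      # hashed certificate directory
}

# Constructed sample configuration, not a real deployment.
SAMPLE = """\
# client settings
URI ldaps://ldap.example.org
TLS_CACERT /etc/ldap/pinned-root.pem
TLS_REQCERT allow
"""

def audit_ldap_conf(text, system_trust=SYSTEM_TRUST):
    """Return (line_no, finding) pairs for risky TLS trust directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].upper()  # option names are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("TLS_CACERT", "TLS_CACERTDIR"):
            # Anything other than the OS store breaks when the server's CA changes.
            if value.rstrip("/") not in system_trust:
                findings.append((no, f"{key} pins a non-system trust root: {value}"))
        elif key == "TLS_REQCERT" and value.lower() in ("never", "allow"):
            # 'never' and 'allow' let the session proceed with a bad certificate.
            findings.append((no, f"TLS_REQCERT {value} does not enforce verification"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_ldap_conf(SAMPLE):
        print(f"line {no}: {finding}")
```

Pass your distribution's actual trust store locations as system_trust if they differ from the assumed set.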

 

Contact

If you have any queries, please contact devops@uis.cam.ac.uk.
