What is the exact nature of the change?

Starting July 30th, 2021, the TLS certificates served by Greenhouse API endpoints will drop the DST Root CA X3 from their chain of trust. Refer to this Let’s Encrypt article for additional details. Specifically, the new certificates will be using the “alternative chain” provided by Let’s Encrypt.

Why is this change being made?

We are making this change to preserve compatibility with the greatest number of clients. The current, default chain will stop working with clients using OpenSSL versions older than 1.1.0 once the DST Root CA X3 certificate expires.

Which endpoints are affected?

The following endpoints will be affected:

  • api.greenhouse.io
  • api.eu.greenhouse.io
  • api.us.greenhouse.io
  • harvest.greenhouse.io
  • harvest.eu.greenhouse.io
  • harvest.us.greenhouse.io
  • boards-api.greenhouse.io

Will my client be compatible with the new certificates?

The following platforms trust the new certificate, ISRG Root X1:

  • Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually deactivated)
  • macOS >= 10.12.1
  • iOS >= 10 (iOS 9 does not include it)
  • iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
  • Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to our special cross-sign)
  • Mozilla Firefox >= 50.0
  • Ubuntu >= xenial / 16.04 (with updates applied)
  • Debian >= jessie / 8 (with updates applied)
  • Java 8 >= 8u141
  • Java 7 >= 7u151
  • NSS >= 3.26

How can I be sure that my client is compatible?

Make a request to https://certificatetest.greenhouse.io. Incompatible clients will receive a certificate validation error.

My client is not compatible, how can I fix this?

Apply the latest software updates to your platform. Alternatively, add the ISRG Root X1 certificate to your trust store. The specifics vary by platform.