Settings
Configure SDK
Chargebee root and intermediate CA certificate updates
Upgrade and Testing Workflow
This document helps you verify, upgrade, and test your integration for compatibility with Chargebee’s upcoming certificate and cipher changes.
Use these steps to test compatibility, upgrade, and validate your integration:
- Test Compatibility With Upcoming Certificates
- Check Your Current SDK Version
- Post-Upgrade Validation
1. Test Compatibility With Upcoming Certificates
Make a simple API call to a public Chargebee endpoint to check compatibility.
Use one of the following:
- Product Catalog 2.0: List Customers API – cURL example
- Product Catalog 1.0: List Customers API – cURL example
Use the site below for testing:
{site} : ssl-validation-test
Certificate error examples (not compatible)
certificate verify failed (self signed certificate in certificate chain)[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chainSSL certificate problem: self-signed certificate in certificate chain
Expected response (compatible)
Error: Sorry, authentication failed. The basic authentication header has invalid format.HTTP Status Code: 401
Your integration is compatible with the updated certificate chain if you receive the above response without SSL/certificate errors. No further action is required; you may skip the rest of this document.
If you see certificate errors
Proceed to upgrade your SDK or trust store using the steps below.
2. Check Your Current SDK Version
We provide an updated minor version with full backward compatibility for SDKs that embed the CA bundle (Python, PHP v3, Ruby).
Example: If you’re on Ruby SDKv2.59.0, upgrade tov2.60.0.
Use the table below to identify your SDK, verify its current version, and determine the G2-supported version that includes the updated cacert.
Information:
- If you use an SDK other than Python/PHP/Ruby, we don’t embed
cacertin the SDK. See the next section. - Python v2 and PHP v3 are deprecated. They will continue receiving updates until December 31, 2025, after which they will no longer be supported.
- Starting with PHP v4, embedded CA certificates were removed.
| SDK | EOS Versions | Current Version | G2-supported Version | Embedded cacert |
|---|---|---|---|---|
| Python v3 | < v2.0.0 | v3.9.0 | ≥ v3.10.0 | Yes |
| Python v2 | < v2.0.0 | v2.55.0 | ≥ v2.56.0 | Yes |
| PHP v3 | < v3.0.0 | v3.46.0 | ≥ v3.47.0 | Yes |
| Ruby | < v2.0.0 | v2.59.0 | ≥ v2.60.0 | Yes |
We strongly recommend upgrading to the latest supported SDK version. Continuing to use End-of-Support (EOS) versions may expose you to security vulnerabilities.
If you can’t upgrade immediately, you can manually replace the cacert in your installed SDK, using the paths below:
| SDK | cacert path | New cacert |
|---|---|---|
| Python (EOS versions) | chargebee/ssl/ca-certs.crt |
ca-certs.crt |
| PHP (EOS versions) | lib/ssl/ca-certs.crt |
ca-certs.crt |
| Ruby (EOS versions) | lib/ssl/ca-certs.crt |
ca-certs.crt |
Other SDKs and integration patterns
- If your integration uses a different SDK or manages its own keystore/trust store, manually import the DigiCert G2 root and all required intermediate certificates. You can also reference the bundled list here: ca-certs.crt.
- Steps vary by platform. Refer to your stack’s documentation to identify and update the trust store in use.
3. Post-Upgrade Validation
After updating your SDK or trust store, repeat the Test Compatibility step.
Expected result (handshake OK):
Error: Sorry, authentication failed. The basic authentication header has invalid format.HTTP Status Code: 401
This confirms your integration is compatible with the new certificate chain.
We recommend regression testing your key flows before promoting to higher environments.
Timelines
After you update cacert and validate your integration, you may deploy to production at your convenience.
Starting November 1, 2025, Chargebee will briefly switch certificates on our load balancers every weekend (Saturdays and Sundays) for 5 minutes to help you validate and detect issues.
| Region | Dates | Days | Testing Time (UTC) |
|---|---|---|---|
| AU | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:00–01:05 |
| EU | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:20–01:25 |
| US | November 1, 2025 – January 31, 2026 | Saturdays & Sundays | 01:40–01:45 |
The new certificates will be applied permanently beginning February 2026. Any unresolved compatibility issues after this date may cause API call failures or connection disruptions.
Please complete all required updates well in advance to avoid service interruptions.