Document API - Invalid Certificate

It appears that the https certificate for the Document API is invalid.

As a simple test, copy and paste this into your browser:
https://frontend-doc-api.company-information.service.gov.uk/document/1SYDuP-AW-VJHwzujYIItt1G_5bvhPqG9iGRE_-sRH4/content

I would be grateful if someone in the Companies House API maintenance / technical team could have a look.

Right - link produces

Your connection isn’t private

so very clearly needs sorting.

Frank Murphy

https://statbooks.co.uk/

As of now (2020-10-04 19:47) I find the same issue. This seems to be limited to the documents API. The rest of the API checked so far seems to work OK on either api.companieshouse.gov.uk or api.company-information.service.gov.uk

a) Documents API on new URI is using the old certificate so failing.
b) Both old and new APIs - filing-history list / filing-history item will return links which don’t seem to work either as given or “build-your own URI” per the documentation at eg. Fetch a document's metadata
c) The CH post about this change should mention both api.company-information.service.gov.uk and document-api.company-information.service.gov.uk to be clearer.

Detail
Using the old API (not document API endpoint) references server certificate:

subject: CN=companieshouse.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
start date: Mar 26 00:00:00 2020 GMT
expire date: Apr 17 12:00:00 2021 GMT
common name: companieshouse.gov.uk
issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US

The new API references server certificate:
subject: CN=*.company-information.service.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
start date: Feb 18 00:00:00 2020 GMT
expire date: Feb 17 12:00:00 2022 GMT
common name: *.company-information.service.gov.uk
issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US

All OK. However if you call e.g. the filing history endpoint, both old and new APIs return document metadata URIs of the new form:

https://frontend-doc-api.company-information.service.gov.uk/document/…

If you attempt to request this, you see the following certificate referenced (and the connection will fail):

subject: CN=companieshouse.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
start date: Mar 26 00:00:00 2020 GMT
expire date: Apr 17 12:00:00 2021 GMT
common name: companieshouse.gov.uk
issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US

…e.g the OLD certificate.

I see that the documentation for the Documents API here:

…now says you should use the form:

http://document-api.company-information.service.gov.uk/document/{id}

If you simply take the ID from the document link we received above (e.g. ignore the “frontend…” part) and call this using the new host as suggested by the documentation:

curl -v -uMY_API_KEY_HERE: "https://document-api.company-information.service.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ"

… again the old certificate is referenced and this fails. (I checked and just using api.company-information.service.gov.uk/document/… fails as expected e.g. 404 not found).

Using the old API works fine:

curl -v -uMY_API_KEY_HERE: "https://document-api.companieshouse.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ"

…the correct (old) certificate is used:
subject: CN=companieshouse.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
start date: Mar 26 00:00:00 2020 GMT
expire date: Apr 17 12:00:00 2021 GMT
common name: companieshouse.gov.uk
issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US

Checks run

curl -v -uMY_API_KEY_HERE: "https://api.company-information.service.gov.uk/company/SC294759/filing-history/MzA3MTM0MTMzNWFkaXF6a2N4"

curl -v -uMY_API_KEY_HERE: "https://api.company-information.service.gov.uk/company/SC294759/filing-history/MzA3MTM0MTMzNWFkaXF6a2N4"

…produce a record with the same document metadata link:

 ...
 "links" : {
    "document_metadata" : "https://frontend-doc-api.company-information.service.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ",
    ...

Yes, we have a little bit more work to do to sort out the certificates and the document_api URL.
We hope to get all this done this week.
Thanks for your communications and patience.

Can you all confirm that the certificate is now correct.

Nope (unless we’re cacheing this somewhere… don’t think so) - at 2020-10-06 16:27

curl -v -uMY_API_KEY_HERE: "https://document-api.company-information.service.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ"
* About to connect() to document-api.company-information.service.gov.uk port 443 (#0)
*   Trying 18.132.226.181...
* Connected to document-api.company-information.service.gov.uk (18.132.226.181) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=companieshouse.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
*       start date: Mar 26 00:00:00 2020 GMT
*       expire date: Apr 17 12:00:00 2021 GMT
*       common name: companieshouse.gov.uk
*       issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Apologies - I sort of wrote too soon (just re-ran my old test link). (However the documented method doesn’t work.)

If you do it the following way, it does work:

curl -uMY_API_KEY:  "https://api.company-information.service.gov.uk/company/SC294759/filing-history/MzA3MTM0MTMzNWFkaXF6a2N4"

And find the appropriate link in the response:

... "links":{"document_metadata":"https://frontend-doc-api.company-information.service.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ" ...

Use that link:

curl -v -uMY_API_KEY: "https://frontend-doc-api.company-information.service.gov.uk/document/xJtrS2FVn-SjSKzIKugmOjHajrcg4--QL4ijPJFA_CQ"
* About to connect() to frontend-doc-api.company-information.service.gov.uk port 443 (#0)
*   Trying 3.11.57.20...
* Connected to frontend-doc-api.company-information.service.gov.uk (3.11.57.20) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.company-information.service.gov.uk,OU=IT Infrastructure,O=Companies House,L=Cardiff,C=GB
*       start date: Feb 18 00:00:00 2020 GMT
*       expire date: Feb 17 12:00:00 2022 GMT
*       common name: *.company-information.service.gov.uk
*       issuer: CN=GeoTrust RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
...

and this succeeds.

So the first method I tried, per CH documentation:

GET http://document-api.company-information.service.gov.uk/document/{id}

…either this needs fixing too, or that documentation needs to be updated (“don’t do it that way, just use whatever you get back from filing history request”)

Mark Just spotted your request

The response, using the URL that started this thread, moments ago was

This page isn’t working at the moment If the problem continues, contact the site owner.
HTTP ERROR 401

Please let me know in the morning if you want it checked out again.

Regards,

Hi Team,

Apologies in advance, if I am logging this in the wrong place, or a need to file a new issue or I’m missing something obvious. I am not a developer so a lot of this is new to me.

I am experiencing a similar issue to retrieve basic company information via a GET request from the “/company” endpoint.

I intermittently receive the following SSL error, relating to port 443.
Although, I haven’t made 600 requests within 5 minutes.

However, after some time (usually longer than 5 minutes) the request works again. I have tried the request with multiple API keys.

Request:

import requests
import pandas as pd
import numpy as np

r = requests.get(‘https://api.companieshouse.gov.uk/company/0229980’, auth=(‘xxxxxxxxx’, ‘’))
print(r.text)

Error:
SSLError: HTTPSConnectionPool(host=‘api.companieshouse.gov.uk’, port=443): Max retries exceeded with url: /company/02299809 (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,),))

Any help would be greatly appreciated.

Best Wishes,
Rishi