Nationwide certificates inconsistency

Description

We're sometimes getting the wrong certificate for requests to the endpoint https://api.nationwide.co.uk.

The incorrect certificate appears to be the same one used for https://www.nationwide.co.uk (not signed by Open Banking (just a public CA), serial number of 06:c7:75:ee:22:e4:6e:28:35:ab:1e:06:73:d6:5e:96, no SAN for api.nationwide.co.uk).

Sometimes we get the correct Open Banking certificate, signed by Open Banking with a serial number of 1509903885.

Once we get the incorrect certificate, this seems to stick for a while at least, possibly based on IP address.

We've tried this using our development client certificates, and using the exact same command line, initially got the correct certificate, then only the wrong one:

We first see certificate-related errors at around 05:40 on Sunday, November 17th (yesterday as of writing).

An example request around this time would be:
https://api.nationwide.co.uk/open-banking/oauth/token
correlationId: d195a143-58ab-40bd-a2a2-0ce23cc7ef89

Technical Impact

Invalid certificate returned for api.nationwide.co.uk, unable to call endpoint.

Workaround

None

Resolution Notes

None

Impact Assessment

Customers cannot authorise or refresh connections, so are seeing stale account data, and cannot add new connections.

Status

Assignee

Unassigned

Reporter

Service Desk

Reference

None

Service Desk Reference

OBSD-12231

ASPSP

Query Type

None

Created (Original)

Nov 18, 2019, 11:49 AM

TPP Impact

None

TPP

Issue Summary

None

OB Environment

None

Business Impact Severity

Level 1

Share

Yes