Connect HTTPS-only

Customers who use the DocuSign Connect feature must use the HTTPS protocol when receiving notifications from DocuSign.

The upgrade must be completed by May 1, 2018, or your custom Connect application will no longer work.

This page tells you what you need to do to make sure that your Connect applications continue to work correctly after May 1, 2018.

Who is affected?

This process applies only if you use Connect in your application, and one of the following is true:

  • You use the HTTP protocol in the URL in your Connect subscription (configuration).
  • You use envelope-specific Connect notifications, via the Envelopes::create eventObject parameter, and you use the HTTP protocol.

Step 1. Update your server to accept HTTPS requests

Each of your servers that receive notification messages from DocuSign Connect must use HTTPS.

Acceptable SSL/TLS certificates

DocuSign requires that your server’s SSL/TLS certificate meet the following requirements:

Your certificate does not need to provide Extended Validation.

Adding SSL/TLS to your server

This process is server- and software-specific. Consult the documentation for your web server software for details on enabling HTTPS. Your IT department may also be able to help.

Testing your server

If your server includes a web page available through a GET operation, then simply use a web browser to open the page on your server. Check that the SSL/TLS indicator in your browser is green and has no cautions or warnings.
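A browser check only works when the listener answers GET requests. The added example below (not DocuSign code) performs just the TLS handshake, so it also works for POST-only listeners. It assumes the machine's local trust store is a reasonable stand-in for the CA list DocuSign validates against, and the listener URL shown is hypothetical.

```python
import socket
import ssl
from urllib.parse import urlsplit


def listener_endpoint(url):
    """Return (host, port) for a Connect listener URL; reject non-HTTPS URLs."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"not an HTTPS URL: {url!r}")
    return parts.hostname, parts.port or 443


def check_listener_tls(url, timeout=10):
    """Handshake with the listener and return (ok, detail).

    The default context verifies the chain against the local trust store and
    checks the hostname, so self-signed, expired and mismatched certificates
    all fail here. No HTTP request is sent.
    """
    host, port = listener_endpoint(url)
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()}, expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Hypothetical listener URL; replace it with your own URL to Publish value.
    print(check_listener_tls("https://connect-listener.example.com/docusign"))
```

A result of `(False, "certificate rejected: ...")` means the chain or hostname did not validate locally and should be fixed before HTTPS-only mode is activated.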

Step 2. Update your Connect custom configurations to use an HTTPS URL

  1. Log in to DocuSign with Administrator privileges. Use the Goto Admin link near your picture to open the Admin Tool.
  2. In the Admin Tool, click Connect in the Integrations section of the navigation column.
  3. The Admin tool will display a list of your account’s Connect configurations. In the screenshot below, the Basic Auth listener and OK listener configurations are custom configurations that may need to be updated.
  4. For each configuration, click Edit in the Action menu, or double-click its row to open it for editing.
  5. Check the URL to Publish field in each configuration, and edit it to start with HTTPS instead of HTTP.

Step 3. Update API applications that use envelope-specific Connect

Signature API programs (SOAP or REST) can create and send envelopes. An optional parameter, eventNotification, can be used to create an envelope-specific Connect subscription for just that envelope.

If your applications use the eventNotification parameter, you must make sure that it uses an HTTPS URL. Updating your application is application-dependent. It is common for URLs to be stored in a configuration file for the application.

If you’re not sure whether your application creates envelope-level Connect subscriptions, you can test your application: Using the System Updates panel (see below), you can temporarily require HTTPS for all Connect applications in your account.

If your application continues to work properly, you do not need to make changes. If you see error messages in the Connect Failures page, you will need to update the URL to use HTTPS.
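To find envelope-specific subscriptions before the failures appear, you can scan the request bodies your application sends. The following is an added example, not DocuSign code: it assumes you can capture or log the JSON bodies of your Envelopes::create calls, and the sample requests and host names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit


def insecure_notification_urls(node, path="$"):
    """Walk a parsed request body and return (json_path, url) for every
    eventNotification whose url is missing or does not use https://."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "eventNotification" and isinstance(value, dict):
                url = str(value.get("url", "")).strip()
                if urlsplit(url).scheme.lower() != "https":
                    findings.append((child + ".url", url))
            findings.extend(insecure_notification_urls(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(insecure_notification_urls(item, f"{path}[{index}]"))
    return findings


# Constructed sample: two envelope request bodies as an application might log them.
SAMPLE_REQUESTS = json.loads("""
[
  {"emailSubject": "Please sign", "status": "sent",
   "eventNotification": {"url": "http://listener.example.com/connect",
                         "loggingEnabled": "true"}},
  {"emailSubject": "Contract", "status": "sent",
   "eventNotification": {"url": "https://listener.example.com/connect"}}
]
""")

if __name__ == "__main__":
    for location, url in insecure_notification_urls(SAMPLE_REQUESTS):
        print(f"{location}: {url or '<missing>'} must be changed to https://")
```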

Step 4. Activating and testing HTTPS-only for your account

This is the final step for updating your application to use only HTTPS.

This step can also be used as a test: update your account to HTTPS-only mode, and then check that all of your applications continue to work properly with no error messages on the Connect Failures page.

If either your account-level or envelope-specific Connect subscriptions use an HTTP URL, you will see a failure message in the Connect Failures log.

Error notifications from the Admin Tool

You will get an error message if you try to enter an HTTP URL in a Connect configuration (subscription) through the Admin Tool.

Error notifications from API methods

If you call Envelopes::create with an eventNotification that uses an HTTP URL, the method call will succeed. However, when Connect attempts to send the notification message, it will fail, and an error message will be posted to the Connect Failures log.

Calling ConnectConfigurations::create with an HTTP URL returns an error.

Activating HTTPS-only for your account

  1. If you logged out of the Admin tool, log in to DocuSign with Administrator privileges. Use the Goto Admin link near your picture to open the Admin Tool.
  2. Click System Updates in the Account section of the navigation column.

  3. Activate HTTPS-only mode by using the Actions menu in the row that says Only HTTPS.
    You can deactivate HTTPS-only mode until the Auto-Activation date for your account. After that date, HTTPS-only mode will be activated automatically.

Frequently Asked Questions

Q. Why is DocuSign requiring HTTPS for Connect servers?

A. DocuSign Connect is used to transmit sensitive data about your envelopes across the Internet. As part of DocuSign’s focus on security, we are upgrading all notifications to use HTTPS only.

Q. My account’s System Update panel shows that HTTPS only is already active, and I can’t deactivate it. Why?

A. Many accounts that were not using HTTP Connect URLs in the past have already been upgraded to HTTPS-only mode.

Q. I’m not sure that I will be able to update my organization’s servers to HTTPS by May 1. How solid is that deadline?

A. Very solid. Upgrading servers to support HTTPS is a well-understood process. DocuSign is focused on having all of its Connect customers upgraded by May 1, 2018. DocuSign first announced its plan to update all Connect notifications to HTTPS on March 3rd, 2017.

Q. Why can’t I use a self-signed certificate? Commercial certificates are expensive.

A. DocuSign verifies the trust path of Connect server certificates. This process will only complete if your server’s certificate chains to a CA in the Microsoft list of trusted CAs.

You can get a free certificate from the Let’s Encrypt project. Low-cost commercial certificates are available for $10 per year.

Q. I have more questions. Whom can I ask?

A. Contact DocuSign customer support if you have more questions.