Custom Domain Certificate Errors

Problem statement

A custom domain that uses certificates that are managed by Auth0 is experiencing occasional certificate errors that appear to be related to LetsEncrypt.

It has been observed that the certificates contain the description “testexp” in many of the fields.

Why is this happening? Can we use the customer CA-provided certificate instead of Auth0’s LetsEncrypt implementation for handling the custom domain certificate?


Symptoms

  • When the certificate is viewed, it displays “Common Name (CN): testexp”.
  • The website is not accessible.
  • The web browser displays an error similar to “Your connection to this site is not secure” or “This connection is not private” (the exact message depends on the browser).
  • The issue may be experienced intermittently.

Steps to reproduce

This issue is commonly triggered by network-related problems, so it is not possible to reproduce reliably.

Troubleshooting

If, when attempting to access a website, access is blocked and the browser displays a message such as “Your connection to this site is not secure” or “This connection is not private”, the most likely causes are either:

  • The certificate has expired
  • Network-related problems are blocking access to the certificate

Expired certificate

In the case of a custom domain with Auth0-managed certificates, these are sourced from Let’s Encrypt. While there may be occasional problems with this service, such incidents are quite rare. Normally, certificates should be automatically renewed on expiry.

Network-related problems

A general web search for the phrase “Your connection to this site is not secure”, or "This connection is not private", shows that this is a generic issue that people often encounter.

Some recommended diagnostic steps are as follows:

  1. Does this happen on one machine on the local network, or on all machines on the network? Knowing this helps to narrow down the scope of the problem.

  2. If the problem is experienced on just one machine, does it have any HTTPS inspection software or anti-virus installed? Try briefly disabling these; does that solve the problem?

  3. Try connecting via a different network (e.g. a mobile/cellular network).

  4. Try using a different web browser. For example, if the problem is experienced using Safari, try Firefox or Chrome. If the problem occurs with only one type of browser, that browser may have a security configuration that inadvertently prevents SSL/TLS from working correctly.

  5. Is there a load balancer involved? Its configuration may affect how the SSL/TLS certificate functions.

  6. If connecting via Wi-Fi, the broadband router may have a firewall configuration that prevents the SSL/TLS connection from working as expected.

  7. If connecting to an organization via a VPN, try accessing the site without the VPN.

  8. Several third-party websites can be used to check the integrity of an SSL/TLS configuration. Here is one example:

Does that detect any errors?

  9. Try using OpenSSL to inspect the certificate, using a command of this form (replace <custom-domain> with the custom domain being tested):

echo | openssl s_client -connect <custom-domain>:443 -servername <custom-domain> | head

If this reports no problem with the SSL/TLS configuration but the browser continues to block the site and displays an error message, then the problem is likely due to the browser configuration.
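The following script is an added example, not Auth0's code, that automates the OpenSSL check above and the three things a practitioner looks for in its output: an expired certificate, a subject that does not cover the custom domain, and the placeholder “testexp” common name described in the problem statement. It assumes an openssl binary of version 1.1.1 or newer is on PATH (for the x509 -ext option); the hostnames and issuer in the embedded sample output are constructed for the self-test and are not real data.

```python
#!/usr/bin/env python3
"""Added example: diagnose a custom domain's TLS certificate with openssl.

Runs the same `openssl s_client ... -servername` command shown above (SNI is
needed so the server presents the certificate for the custom domain),
summarises the leaf certificate, and reports the causes the article lists.
Assumes openssl 1.1.1+ on PATH. Sample data below is constructed, not real.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

PLACEHOLDER_CN = "testexp"  # CN observed in the problem statement above
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jan  1 12:00:00 2024 GMT"


def fetch_cert_summary(hostname, port=443, timeout=10):
    """Fetch the leaf certificate with SNI and return openssl's text summary."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{hostname}:{port}",
         "-servername", hostname],
        input=b"", capture_output=True, timeout=timeout, check=False)
    summary = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates",
         "-ext", "subjectAltName"],
        input=client.stdout, capture_output=True, timeout=timeout, check=True)
    return summary.stdout.decode()


def parse_summary(text):
    """Pull CN, issuer, validity window and DNS SANs out of the summary text.
    Handles both 'CN = x' (OpenSSL 1.1+) and '/CN=x' (older) subject styles."""
    def field(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else ""

    def when(label):  # openssl prints validity dates in GMT
        stamp = datetime.strptime(field(label + r"=(.*)"), OPENSSL_DATE)
        return stamp.replace(tzinfo=timezone.utc)

    return {
        "cn": field(r"subject=.*?CN\s*=\s*([^,/\n]+)"),
        "issuer": field(r"issuer=(.*)"),
        "not_before": when("notBefore"),
        "not_after": when("notAfter"),
        "sans": re.findall(r"DNS:([^,\s]+)", text),
    }


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a single leftmost '*' wildcard label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        rest = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return rest != "" and "." not in rest
    return False


def diagnose(info, hostname, now=None):
    """Return the list of problems found, in a stable order (empty = fine)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if now > info["not_after"]:
        findings.append("expired")
    elif now < info["not_before"]:
        findings.append("not_yet_valid")
    names = info["sans"] or ([info["cn"]] if info["cn"] else [])
    if not any(name_matches(hostname, n) for n in names):
        findings.append("name_mismatch")
    if info["cn"].lower() == PLACEHOLDER_CN:
        findings.append("placeholder_cn")
    return findings


def diagnose_text(summary_text, hostname, now_iso):
    """Convenience wrapper for offline use: diagnose captured openssl output."""
    return diagnose(parse_summary(summary_text), hostname,
                    datetime.fromisoformat(now_iso))


# Constructed sample output in the shape `openssl x509` prints (not real data).
SAMPLE_PLACEHOLDER = """\
subject=CN = testexp
issuer=CN = Example Issuing CA
notBefore=Nov  1 09:00:00 2023 GMT
notAfter=Jan 30 09:00:00 2024 GMT
X509v3 Subject Alternative Name:
    DNS:testexp
"""
SAMPLE_GOOD = """\
subject=CN = login.example.com
issuer=CN = Example Issuing CA
notBefore=Nov  1 09:00:00 2023 GMT
notAfter=Jan 30 09:00:00 2024 GMT
X509v3 Subject Alternative Name:
    DNS:login.example.com, DNS:*.example.org
"""


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <custom-domain>", file=sys.stderr)
        return 2
    host = argv[1]
    info = parse_summary(fetch_cert_summary(host))
    print(f"CN={info['cn']!r} issuer={info['issuer']!r} valid "
          f"{info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d}")
    findings = diagnose(info, host)
    print("findings:", ", ".join(findings) if findings
          else "none (certificate looks fine; suspect browser or network)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_cert.py <custom-domain>`; an empty findings list with a browser that still blocks the site points at the browser or network configuration, exactly as the troubleshooting section concludes, whereas “placeholder_cn” or “name_mismatch” means the server is presenting the wrong certificate and the problem is on the certificate side. Running the same script from a second network (step 3 above) gives a direct comparison of what each path is being served.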

Cause

See the ‘Troubleshooting’ section above.

Solution

The troubleshooting steps described above should help to diagnose and fix the majority of these types of errors.

Auth0 only supports the use of Let’s Encrypt for custom domains with managed certificates. If greater flexibility is required, then consider the use of a custom domain with self-managed certificates:

Configure Custom Domains with Self-Managed Certificates

However, this option is only available to customers that have an Enterprise subscription or above.