Expired Certificate Errors from Certificate Authority Changes

Problem Statement

This issue appears to be related to a recent change made by the certificate authority (CA) used by Auth0. If you are seeing expired certificate-related errors, they are most likely the result of an expired certificate being sent with requests to Auth0.

The problem seems to be that the client's certificate manager (its trust store or TLS library) is on a version that does not accept the proper CA.

Solution

Remove the expired root certificate (DST Root CA X3) from the trust store used by your client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn’t already in the trust store, add it.

Also, if you are using OpenSSL you must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail.

Removing certificates from, and adding them to, the system certificate trust store is an operating-system-specific operation.
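Before touching the OS trust store, it helps to confirm that the two conditions above actually apply: an expired root (such as DST Root CA X3) is still trusted, ISRG Root X1 is present, and the linked OpenSSL is 1.1.0 or later. The script below is an added example, not Auth0's code or part of any SDK; it uses only the Python standard library (`ssl.SSLContext.get_ca_certs()` and `ssl.OPENSSL_VERSION_INFO`) and runs the audit against the default trust store Python loads. The `SAMPLE_CERTS` records are constructed test input shaped like `get_ca_certs()` output so the checks can be exercised offline.

```python
"""Audit the local TLS trust store for expired roots and check the OpenSSL version.

Added example (not Auth0's code). Standard library only; no network access.
"""
import ssl
import time

# Root that expired in September 2021 and should be removed from client trust stores.
EXPIRED_ROOT_CN = "DST Root CA X3"
# Self-signed root that should be present instead.
REQUIRED_ROOT_CN = "ISRG Root X1"
# OpenSSL 1.0.x fails verification even when ISRG Root X1 is trusted.
MIN_OPENSSL = (1, 1, 0)

# Constructed sample records in the same shape as SSLContext.get_ca_certs() returns:
# 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
SAMPLE_CERTS = [
    {
        "subject": ((("organizationName", "Digital Signature Trust Co."),),
                    (("commonName", "DST Root CA X3"),)),
        "notAfter": "Sep 30 14:01:15 2021 GMT",
    },
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Internet Security Research Group"),),
                    (("commonName", "ISRG Root X1"),)),
        "notAfter": "Jun  4 11:04:38 2035 GMT",
    },
]


def common_name(subject):
    """Return the commonName attribute from a get_ca_certs()-style subject."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""


def find_expired(certs, now=None):
    """Return common names of certificates whose notAfter lies before 'now' (epoch seconds)."""
    now = time.time() if now is None else now
    expired = []
    for cert in certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(common_name(cert["subject"]))
    return expired


def has_root(certs, cn):
    """True when a certificate with the given common name is in the list."""
    return any(common_name(c["subject"]) == cn for c in certs)


def openssl_is_recent_enough(version_info=None):
    """True when OpenSSL is 1.1.0 or later; defaults to the version Python is linked against."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:3]) >= MIN_OPENSSL


def audit(certs, version_info=None, now=None):
    """Summarise the three conditions that cause the expired-certificate errors."""
    return {
        "expired_roots": find_expired(certs, now),
        "expired_root_still_trusted": has_root(certs, EXPIRED_ROOT_CN),
        "isrg_root_x1_present": has_root(certs, REQUIRED_ROOT_CN),
        "openssl_ok": openssl_is_recent_enough(version_info),
    }


def load_system_roots():
    """Load the CA certificates Python's default context trusts on this host."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    # Real audit of this host's trust store and OpenSSL build.
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for key, value in audit(load_system_roots()).items():
        print(f"{key}: {value}")
```

A host whose report shows `expired_root_still_trusted: True` or `openssl_ok: False` needs the trust-store or OpenSSL fix described above; `get_ca_certs()` only lists roots loaded into Python's default context, so an application using a different trust store (a Java keystore, a container image's bundle) must be checked with that store's own tooling.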

Unfortunately, there’s nothing we can do to help from the Auth0 side.

Here are a few more things you can do to troubleshoot this error:

  • Make sure you are using the latest version of our SDK.
  • Make sure that all your HTTP components are up to date, and that those components are using the latest version of OpenSSL.
  • To help identify the above, you can check where you are making calls to Auth0, and from there, make sure those components making the calls are updated.

If you are still seeing errors after trying these suggestions, please provide more information about your specific use case in a new topic or create a support ticket.
