FetchError: request to <URL> failed, reason: self-signed certificate in certificate chain

For a number of years we have been using LetsEncrypt certificates that have been signed by their R3 intermediate CA. Starting this June, they began signing certificates with a new set of CA’s named E5 and E6.

A couple of days ago we updated our firewall in a staging environment to use the new certificates. However, since that change, whenever we access our server from Auth0 (e.g. from an action in the Login flow), we get the error: “FetchError: request to failed, reason: self-signed certificate in certificate chain”.

If I make the same request locally using the same credentials to fetch a token, and using the resulting access_token to call our server, I get the expected successful result.

This seems to indicate that Auth0 isn’t recognizing/trusting the new intermediate certificate.

Is there anything I can configure/change to get this to work?

1 Like

Hello, @stephan.schmidt

To address this issue, consider the following steps:

Update Auth0 Configuration:
Check your Auth0 configuration to ensure it’s set up to trust the new intermediate certificates.
Auth0 should be configured to recognize the entire certificate chain, including the new intermediates.
Certificate Chain Verification:
Verify that the certificate chain presented by your server includes the E5 or E6 intermediate certificate.
Ensure that the root certificate (ISRG Root X1) is also included in the chain.
Check Firewall Settings:
Confirm that your firewall is correctly configured to use the new Let’s Encrypt certificates.
Ensure that the firewall is not blocking any necessary connections.
Test Locally:
As you mentioned, testing locally and obtaining the expected result indicates that your server setup is correct.
Focus on the communication between Auth0 and your server.

Remember to document any changes you make and test thoroughly in your staging environment before applying them to production. Good luck resolving the issue!

I hope this info is helpful to you.

Best Regard,
Ruth Johnson