{"message":"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)"}

All of our applications have been seeing this message upon trying to login via Auth0. Couldn’t find anything that works so far. Looked at this post Expo CLI - Error: certificate has expired - Expo Development Tools - Forums here but we don’t use NodeJS.
We’re using heroku to host our web application and auth0 is being used as an add-on through heroku. The backend is written with Flask and Python and frontend with HTML/CSS/JS.

Hi there, please take a look at this post as it appears related:

Hi - thanks @dan.woda. I’m not quite sure how to remove the expired root certificate from the trust store or how to access this trust store. How do I know where to determine if I am using OpenSSL? Is this a device by device issue? how would it be possible to fix for all users? We are using the Authlib package (authlib.integrations.flask_client) to create an OAuth Object that then calls auth0.authorize_access_token(). I’ve tried out the troubleshooting components that you suggested but none seem to be working. How can I also file a support ticket?

1 Like

I am also interested in the answers to questions @hc20 is asking!
My companies application has been down having similar outages to those who are replying to @dan.woda

Hi folks, can you report what OpenSSL version you are using?

You can use this command in your terminal:

openssl version

openssl : The term ‘openssl’ is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

  • openssl version
  •   + CategoryInfo          : ObjectNotFound: (openssl:String) [], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException

Windows 10: I removed the certificate but as soon as I launch the app and try to authenticate, the certificate appears again. I tried leaving it and disabling it but this did not give different results. I also tried moving it to “Untrusted” but this did not fix it either. I am using the logic from: Build and Secure an Electron App - OpenID, OAuth, Node.js, and Express which was working until December 7 and now it fails. On the screen it gives “Unauthorized” and on the console it says:

(node:7228) UnhandledPromiseRejectionWarning: Error: certificate has expired
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12)
(node:7228) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:7228) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
1 Like

Hi @dan.woda - following up from {“message”:”[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)”} - I am using
OpenSSL 1.1.1n on my local machine 15 Mar 2022
This is for a macOS Mojave Version 10.14.6

Our web application is hosted on Heroku with Heroku-22 stack, according to @mattohren’s image should be using openssl 3.0.2

Additionally, for our SSL


On my local machine I am using

LibreSSL 2.8.3

On my Heroku dynos we use Openssl 1.1.1 (part of Heroku-20 stack)

If we want to use Openssl 3.0.2, i need to upgrade to the Heroku-22 stack

@mattohren, you were able to get it working by upgrading your SDK, right?

1 Like

Hi @dan.woda - do you have any additional updates on my issue?

@hc20,

Are you using up-to-date versions of python, flask, and the SDKs you are using with Auth0?

We found the latest version of axios has an issue that breaks the sample code in the blog. Once a character encoding is set for the response and if axios is pinned at 1.2.0, we got the sample code to work.

In our case this issue was resolved by using the latest version of electron. Unfortunately, we have some work to do before our code base can use the latest version. We were using web pack 4 and now web pack 5 is recommend which doesn’t include node so this will also add more work for us in getting the the latest version of things. Apparently older versions of electron use older root certificates and so they won’t work with the latest auth0 which changed their Certificate authority.

1 Like

@dan.woda, we are using the up to date versions of all of these I believe.
Authlib==1.2.0
certifi==2022.12.7
Flask==2.2.2
python-dotenv==0.19.2
python-http-client==3.3.1
requests==2.3.0
Werkzeug==2.2.2

I’ve resolved my issue! thanks for your help!

1 Like

Thanks for sharing your resolutions everyone!

Yep, upgrading the SDK worked for my local and production environments.

1 Like

Thanks for the reply!

I’m running into that same problem running an ASP.NET app from docker.

Is the solution to install openssl v3?