Your SERVER provides a CERTIFICATE that is signed by E5 INTERMEDIATE, which is signed by X2 ROOT (and compatible with X2 CROSS-SIGN, which is signed by X1 ROOT).
The E1 INTERMEDIATE was still used for signing until June 6 2024. There are still active certificates signed by E1 INTERMEDIATE, and that is expected to continue until September 4 2024 (90 days after June 6, the max certificate lifetime).
You did not share your domain name or any information about how you are leveraging Auth0. It is fairly impossible to guess what is going on based on the information you shared, because we have no idea what the mobile app is doing, what it is querying, and what end entity/leaf certificates it is using.
Considering you are having this issue with a small subset of users, my first guess would be there is a bug in your app, and you might have two API endpoints behind a load balancer, one is configured to serve an older certificate with E1 and the other with a newer E5. The error would happen when a second request is serviced by a different backend than the first request.
My second guess is that you might also have the following situation: Your webserver is sending a new Certificate signed by E5, but is still configured to send the chain from the previous certificate that specifies E1. Many web clients/libraries/browsers have a "short circuit" logic, and might ignore the E1 certificate because they previously validated a chain with an E5 certificate and still have that in their cache -- so when they try to validate the E1 certificate you indicated (that would fail), they: look up the SPKI, find the E5 certificate, use the E5 Certificate to build a path to the X2 trust store, and never have to look up the E1 certificate.
You should be debugging the certificates each connection is using - they will have a different serial number and expiration date. That should help you better pinpoint the issues.
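As an added example (not code from this thread or from Let's Encrypt), the two checks the reply above describes: record the leaf's serial number, expiry and issuer across repeated connections to spot backends serving different certificates, and verify that the intermediate the server sends actually links to the leaf's issuer. The hostname, serial numbers and certificate dicts below are constructed, and `fetch_leaf` is an assumed helper that needs network access; the sample data runs offline.

```python
import socket
import ssl
from collections import Counter

# Dicts below follow the shape of ssl.SSLSocket.getpeercert(): 'subject' and
# 'issuer' are tuples of RDNs, e.g. ((('commonName', 'E5'),),).

def fetch_leaf(host, port=443, timeout=5):
    """Open one TLS connection and return the leaf certificate dict. Behind a
    load balancer each call may hit a different backend, so repeat and compare."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cn(name):
    """commonName of a getpeercert()-style name tuple."""
    return dict(rdn[0] for rdn in name).get("commonName")

def distinct_leaves(observations):
    """Count distinct (serial, notAfter, issuer CN) triples seen across
    connections; more than one key means backends serve different certs."""
    return Counter((c["serialNumber"], c["notAfter"], cn(c["issuer"]))
                   for c in observations)

def chain_mismatch(leaf, chain):
    """List the links where the served chain does not connect to the leaf:
    leaf.issuer must equal chain[0].subject, chain[i].issuer must equal
    chain[i+1].subject. An empty list means the served chain is coherent."""
    problems = []
    expected = leaf["issuer"]
    for i, cert in enumerate(chain):
        if cert["subject"] != expected:
            problems.append(f"chain[{i}] is {cn(cert['subject'])!r}, "
                            f"but the preceding cert was issued by {cn(expected)!r}")
        expected = cert["issuer"]
    return problems

def _name(common_name):
    return ((("commonName", common_name),),)

# Constructed sample data (not real certificates or serial numbers): a leaf
# issued by E5 served next to the stale E1 intermediate from the previous
# chain, plus the older leaf that was still issued by E1.
LEAF_E5 = {"subject": _name("app.example.test"), "issuer": _name("E5"),
           "serialNumber": "0A01", "notAfter": "Sep  1 00:00:00 2024 GMT"}
LEAF_E1 = {"subject": _name("app.example.test"), "issuer": _name("E1"),
           "serialNumber": "0B02", "notAfter": "Aug  1 00:00:00 2024 GMT"}
INTER_E1 = {"subject": _name("E1"), "issuer": _name("X2")}
INTER_E5 = {"subject": _name("E5"), "issuer": _name("X2")}
```

Running `chain_mismatch(LEAF_E5, [INTER_E1])` reports the E5-signed leaf being served with the E1 intermediate, and `distinct_leaves` over a few dozen `fetch_leaf` results shows whether more than one certificate is in rotation.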
So what can be the reason that the iPhone still tries to use this certificate from the trust store? Does the iPhone not load new certificates from the common trust store?
The iPhone does not have the intermediate certificates (E1, E5, etc) in the Trust Store. The iPhone only has the Root certificates (X1, X2) in the trust store. The server sends the iPhone an EndEntity/Leaf Certificate (for your domain) alongside a chain certificate (E1 or E5) to bridge the connection between your Leaf and the Root in the Trust Store.
Or can it be a service issue, and the web service returns the wrong certificate for the app (but only in several cases)?
This is almost certainly the issue - either a bug in your app or the server.
There are a few other possibilities, but I think these are the most likely.