{"message":"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)"}

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: letterstostrangers.herokuapp.com

I ran this command:

  1. Go to letterstostrangers.herokuapp.com
  2. Click Sign up/Login
  3. Enter credentials
  4. Upon trying to login

It produced this output:
{"message":"[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)"}

My web server is (include version): I've tried this on Chrome, Safari

The operating system my web server runs on is (include version): macOS Mojave 10.14.6, also on iPhone 12 iOS 16.1.2

My hosting provider, if applicable, is: Heroku

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I'm not sure if we have a client.


Since Wednesday, our web application at letterstostrangers.herokuapp.com has been experiencing issues when logging in with the Auth0 interface/service. Normally how it works is that the user will click log in which opens up to the Auth0 domain (nameless-sky9210.auth0.com) and then the callback will return to our web application hosted on Heroku. However, upon the callback, instead of our webpage, all we see is this error message.

Things we've tried:

  • Our web application seems to be using OpenSSL 3.0.2 (part of Heroku-22 stack) which means that an outdated OpenSSL should not be the issue
  • Updating our Flask, Python, Authlib (Flask Auth0 Integration library client) and several other packages in our requirements.txt
  • Rotating Auth0 Token
  • A lot of people that have been trying to give us support have been saying the following:
    "Issue seems to be related to a recent change in the CA we use. The problem seems to be that your client's certificate manager is not using a version that's accepting the proper CA.

    You would need to remove the expired root certificate (DST Root CA X3) from the trust store used by your client to verify the identity of TLS servers. If the new ISRG Root X1 self-signed certificate isn't already in the trust store, add it."

However, I don't see/understand how changing one thing on one device would possibly resolve this login issue for all of our other users on their own devices. I am not sure what our "client" is in this case. Is it our web application or Heroku or Auth0 or our own device?

We've never had an SSL certificate before for our domain because we host our website on Heroku and it has not been an issue previously but since the recent Auth0 change, this has blocked many of our users from accessing our application. Any help would be greatly appreciated!
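Added example, not part of the original posts: the `_ssl.c` prefix in the error above is emitted by Python's ssl module, so this check audits a CA bundle the way a Python process would load it, listing expired trust anchors and whether ISRG Root X1 is present. The sample store and its dates are constructed, and the bundle path argument is an assumption about where the app's HTTP library reads its roots.

```python
import ssl
import sys
import time

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
# Root names come from the thread; the notAfter values are sample data.
SAMPLE_STORE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def common_name(cert):
    """Pull commonName out of the nested RDN tuples in a cert dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def expired_roots(ca_certs, now=None):
    """Sorted names of trust anchors whose notAfter is already past."""
    now = time.time() if now is None else now
    return sorted(common_name(c) for c in ca_certs
                  if ssl.cert_time_to_seconds(c["notAfter"]) < now)


def has_root(ca_certs, name):
    """True if a trust anchor with this commonName is in the store."""
    return any(common_name(c) == name for c in ca_certs)


def load_bundle(cafile):
    """Parse a PEM CA bundle into the dicts the ssl module reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    # Pass the bundle path used by the app's process (hypothetical usage);
    # with no argument, audit the constructed sample above.
    store = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STORE
    print("expired roots:", expired_roots(store))
    print("ISRG Root X1 present:", has_root(store, "ISRG Root X1"))
```

Run it inside the same environment as the web application (for example a one-off dyno), since the bundle on a developer laptop or a user's phone is not the one the server-side process verifies against.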

Hi @hcy0, and welcome to the LE community forum

The cert in use on port 443 is being managed by Heroku.
The login page URL is: https://nameless-sky-9210.auth0.com/... and that is being handled by CloudFlare.

What makes you think that your problem has anything to do with an LE cert?


Hi, sorry, thank you for your response! I've managed to resolve the issue! I thought it was an LE cert since all the other people who tried helping me kept redirecting me to this, so figured I'd give it a shot to get help!
