We are receiving the following error: “HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:359))”. after september 30 our apis are not working on the lower versions of android devices. that's why we are facing issue. We need help related to this.
Our website is hosted on pythonanywhere and our app is developed on flutter platform.
1 Like
@siddhifinity Welcome to the forum.
I think you may be better off getting help at pythonanywhere:
https://www.pythonanywhere.com/forums/
They are more familiar with how to setup apps in their environment. I see they just helped someone with a similar problem:
https://www.pythonanywhere.com/forums/topic/30391/
If you want someone here to help we will need more info. Please fill out the questions you were shown when posting. Thanks
============================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
4 Likes
I already mail to pythonanywhere's support but they told that our code is using OpenSSL < 1.1.0 in older versions of Android, that could potentially cause problems.
How can I resolved this issue? Is anything needs to install from server side? please help us in that.
@siddhifinity
On the server side:
- if using OpenSSL, see: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog
- if requiring support for older android devices, use the longer/default trust path cert that ends with "DST Root CA X3 (expired)"
- if NOT requiring support for older android devices, then use the shorter trust path cert that ends with "ISRG Root X1"
There are two ways to do that:
- automated: add
--preferred-chain "ISRG Root X1"to the renewal request and reissue your cert(s) - manual: remove the last cert from the
fullchain.pem(orchain.pem) file
- if having to use either path limits the number of supported clients, then:
you many have to switch to another (free) CA that support ACME protocol. Like:BuyPass.com & ZeroSSL.com
2 Likes
Thank you for the solution.
please give any reference related add --preferred-chain "ISRG Root X1" to the renewal request and reissue your cert(s) on pythonanywhere's server.
I never faced issue related to ssl certificate before this.
@siddhifinity
I'm not familiar with "pythonanywhere".
Is that an ACME client or a web server or what?
Did you read?:
Changing your system image | PythonAnywhere help
1 Like
"pythonanywhere" is a web server. my site is hosted on pythonanywhere. I used Django framework to develop this site, and used Rest framework to make apis which are currently used on the android and IOS apps. now from Sep 30 that apis are not supports for older android devices.
Do you manage the server you use, or is it via a managed service?
Can you control the ACME client there?
Do you specify which cert files are being used?
1 Like
I used the default certificate (ie. Let's Encrypt) provided by pythonanywhere so I just by selecting that.. No need to do anything with files.
So, is there still a problem?
1 Like
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.