Auth0 Support Center - Log Streaming unable to verify the first certificate

Log Streaming unable to verify the first certificate

Sep 8, 2025

Overview

We have upgraded our Logstash to Logstreaming with the steps provided but we see an error after configuration. "could not reach endpoint"

Cause

Unlike browsers, openSSL and by extension the log stream webhook cannot perform discover on a single certificate to retrieve the full chain, and thus cannot verify a certificate issued by another intermediate CA.

Solution

The application listening for the log stream data must be accessible to Auth0 outbound IPs (https://auth0.com/docs/secure/security-guidance/data-security/allowlist) , and it must present the full certificate chain for SSL handshakes to Auth0, so Auth0 can verify the server certificate.

Creating a certificate chain can be as simple as adding the root, intermediate and server certificates one after another in the same .pem or .crt file, here is an example:

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm