Expo CLI - Error: certificate has expired

Possible cause

The most likely cause of this issue is that you’re using an older version of OpenSSL and an older set of root CA certificates, both of which are the case with no-longer-supported versions of Node.js.

(Today, Node 12.13.0 and up are supported by the Node.js team, which approximately matches Expo’s policy for supported versions of Node. In April 2022, Node 14.15.0 will be the oldest version supported by the Node.js team.)

Technical details

Let’s Encrypt, the service we use for many of our TLS certificates, recently changed their root certificate from “DST Root CA X3”, which is now expired, to “ISRG Root X1”. For compatibility with older versions of Android (which a service like Expo especially needs!), the new ISRG Root X1 was cross-signed by DST Root CA X3. This causes issues with OpenSSL 1.0.x and is fixed in OpenSSL 1.1.0 and newer.

You can check the version of OpenSSL you’re using in Node.js with:

node -e 'console.log(process.versions.openssl)'

1.1.1l+quic

If you see a version number older than OpenSSL 1.1.0, this likely explains the issue.

Solution

The best solution in this case is to upgrade your version of Node. While upgrading to Node 16, the current version, is probably a good idea, you can also upgrade to Node 12. The latest version of Node 12, 12.22.6, contains OpenSSL 1.1.1l and the newer root CA certificates.

Dangerous solution

Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to 0 disables all TLS verification, allowing any certificate, including malicious ones, to work. If you understand your threat model well, this footgun could be useful. However, upgrading Node is obviously more secure.

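An added example, not part of the original post or Expo's code: a Node.js check that reports both conditions described above, an OpenSSL older than 1.1.0 and certificate verification switched off through NODE_TLS_REJECT_UNAUTHORIZED. The function names and finding labels are hypothetical, and the version strings in the comments are constructed samples.

```javascript
// Added example: audit a Node.js runtime for the two conditions on this page.
// Function names and finding labels are hypothetical, not an Expo API.

// Parse an OpenSSL version such as "1.1.1l+quic", "1.0.2u" or "3.0.2"
// (constructed samples) into [major, minor, patch]. Letter suffixes and
// "+quic" style tags are ignored. Returns null when there is no x.y.z prefix.
function parseOpenSSLVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version || ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return a list of findings for a given process.versions-like object and
// environment. An empty list means neither condition was detected.
function diagnose(versions, env) {
  const findings = [];
  const parsed = parseOpenSSLVersion(versions.openssl);
  if (!parsed) {
    // Cannot tell; report it rather than silently passing.
    findings.push('openssl-version-unknown');
  } else if (compareVersions(parsed, [1, 1, 0]) < 0) {
    // OpenSSL 1.0.x mishandles the cross-signed ISRG Root X1 chain.
    findings.push('openssl-older-than-1.1.0');
  }
  // Node turns certificate verification off only for the exact string "0".
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('tls-verification-disabled');
  }
  return findings;
}

// Run against the current runtime and print the result.
console.log(diagnose(process.versions, process.env));
```

Running this in CI or at application startup catches a verification bypass that was left in the environment after the certificate error was worked around.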