SSL Certificate Expired Error

Fix 'NET::ERR_CERT_DATE_INVALID' and 'SSL certificate expired' errors in browsers. Learn how to update and manage SSL/TLS certificates.

What Does This Error Mean?

The 'NET::ERR_CERT_DATE_INVALID' error means the SSL/TLS certificate presented by the server is outside its validity period — either not yet active (before notBefore date) or expired (past notAfter date). Browsers will block the connection to protect users.

Common Causes

SSL certificate has expired and needs renewal

System clock on the server or client is incorrect

Certificate was installed before its validity start date

Let's Encrypt auto-renewal failed or is not configured

Certificate chain includes an expired intermediate certificate

Using a self-signed certificate in production

How to Fix It

Renew the certificate

Use Certbot (Let's Encrypt) or your certificate provider to renew the certificate.

# Renew Let's Encrypt certificate
sudo certbot renew

# Check certificate expiration
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Check specific certificate file
openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -dates

Check system clock

Ensure both the server and client have the correct date and time set.

# Check server clock
date
# If incorrect, sync with NTP
sudo timedatectl set-ntp true
sudo systemctl restart ntp

# Check client browser: visit chrome://settings/dateTime

Automate with Certbot

Set up automatic renewal so certificates never expire.

# Test auto-renewal
sudo certbot renew --dry-run

# Check Certbot timer status
sudo systemctl status certbot.timer

# View renewal logs
sudo journalctl -u certbot.service

Related Tools

Use these tools to debug and fix this error:

IP Lookup

Display your public IP address, browser information, and HTTP request details.

HTTP Status Code Reference

Searchable reference of all HTTP status codes with descriptions and use cases.

Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text.

Related Errors

Other common errors in this category:

DNS Not Resolved Error

Fix 'DNS not resolved' or 'net::ERR_NAME_NOT_RESOLVED' errors. Learn how DNS resolution works and how to fix domain name lookup failures.

Connection Refused Error

Fix 'ECONNREFUSED' and 'Connection refused' errors when connecting to databases, APIs, or other services.

ERR_CONNECTION_RESET Error

Fix 'ERR_CONNECTION_RESET' or 'net::ERR_CONNECTION_RESET' errors in Chrome and other browsers. Learn why TCP connections are reset and how to fix them.

ERR_SSL_PROTOCOL_ERROR Error

Fix 'ERR_SSL_PROTOCOL_ERROR' errors in Chrome and browsers. Learn how SSL/TLS handshake failures happen and how to fix protocol mismatches.

Frequently Asked Questions

How long do SSL certificates last?

As of 2024, SSL certificates are valid for a maximum of 398 days (about 13 months). Let's Encrypt certificates are valid for 90 days.

Can I use a certificate before its start date?

No. The certificate's notBefore date prevents usage before it's valid. Check if your server clock is correct or if the certificate was installed prematurely.

Browse All Error Guides