Cert appears to be renewed, but browsers return ERR_CERT_DATE_INVALID

My domain is: nodejs.freshstartfurniturebank.org and I use port 3000

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/nodejs.freshstartfurniturebank.org.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem expires on 2021-08-16 (skipped)
No renewals were attempted.

If I check the status of the SSL certificate using online checkers, they report that it doesn't expire for 60 days. (aka 8/16/2021)

This has been running fine until today and now browsers report: net::ERR_CERT_DATE_INVALID

When I look at the Security tab in the browser and inspect the certificate, it shows that it expires today (6/17/2021).

Rebooting didn't help.

What am I doing wrong/missing? (Please note that I'm the "IT guy" for a small non-profit & not a professional software engineer).

My web server is (include version): Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version): raspbian 10

My hosting provider, if applicable, is: raspberry pi

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0


Hi @geoffschultz and welcome to the community!

At first glance, I can access your site.

And a picture is worth a thousand words!
No problems from where I sit.
FIRST ... I'd look at flushing the browser(s) cache(s) and recheck for the error.


Welcome to the Let's Encrypt Community, Geoff :slightly_smiling_face:

You can see the full certificate history for nodejs.freshstartfurniturebank.org here:


Note that every other certificate in that list is a precertificate, so there have actually only been three certificates issued for nodejs.freshstartfurniturebank.org.

So nodejs.freshstartfurniturebank.org:3000 is serving this certificate:

It's also worth noting that nodejs.freshstartfurniturebank.org:3000 is presently returning 404 as its index page.

On the other hand, nodejs.freshstartfurniturebank.org:443 is serving this certificate:

I would suggest starting with reloading your Apache webserver, clearing your cache, then trying again.

sudo apachectl -k graceful

If that doesn't help, please show the output of:

sudo certbot certificates


The server is only for socket.io and there is no web server. Here's a URL that returns an error:


I cleared the browser cache and rebooted the server and then did:

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: nodejs.freshstartfurniturebank.org
Domains: nodejs.freshstartfurniturebank.org
Expiry Date: 2021-08-16 23:18:19+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/privkey.pem


The software associated with port 3000 might be configured to serve an old certificate in /etc/letsencrypt/archive/nodejs.freshstartfurniturebank.org rather than the newest certificate (/etc/letsencrypt/live/nodejs.freshstartfurniturebank.org/fullchain.pem).


What software handles port 3000?

It is still using this cert:


The software that runs is a server that I wrote in nodejs using socket.io. I must admit that configuring the SSL certificate was extremely confusing to me, and I probably screwed something up. Here's the code to initialize it:

const cors = require('cors');
const fs = require('fs');
const { isNull } = require('util');

const options = {
key: fs.readFileSync('privkey.pem'),
cert: fs.readFileSync('fullchain.pem')

var app = require('express')();

var server = require('https').createServer(options, app);

As I was writing this, I realized that it's reading a local (old) copy of privkey.pem and fullchain.pem, which I changed to read from /etc/letsencrypt/live/nodejs.freshstartfurniturebank.org and all seems well. Is this the correct approach?

Thank you very much for your help!


You've got it right, my friend!



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.