Chrome and Edge receiving NET:ERR_CERT_DATE_INVALID

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: saintsusanna2.is-a-musician.com

I ran this command: https://saintsusanna2.is-a-musician.com:9090/ords/apex

It produced this output: Your connection is not private. NET:ERR_CERT_DATE_INVALID

My web server is (include version): Oracle's ORDS Version 25.3

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: stand-alone server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

No changes were made to OS, nor Oracle, nor Certbot. No changes at all in months, other than standard Windows updates. Starting today, when a Windows 11 client accesses the server using Chrome or Edge, it receives the error listed above. Firefox doesn't produce an error. On the server, when I run Certbot (as an administrator) and issue the command:
openssl x509 -dates -noout < C:/certbot/live/saintsusanna2.is-a-musician.com/fullchain.pem
I get the result:
notBefore=Dec 22 04:08:29 2025 GMT
notAfter=Mar 22 04:08:28 2026 GMT
However, when I am on a Windows 11 client and receive the error message and click on the link to View Certificate, it shows the following dates:
Not Before: Sun, 19 Oct 2025 09:55:30 GMT
Not After: Sat, 17 Jan 2026 09:55:29 GMT
Do you have any idea why the clients see an older version of the certificate, but the server Certbot displays something valid?
Thanks for checking.

Yes, your cert expired this morning. You're using a very old version of certbot, and it hasn't been supported on Windows for some time. But fundamentally, whatever process you were using to renew your cert either didn't run, or has failed.

1 Like

Have you restarted your web server after the certificate renewal?

1 Like

I restarted the entire server. No difference.

I'll upgrade Certbot. Are there directions for this somewhere?

I'd recommend using a different client instead--as I mentioned, certbot on Windows has been unsupported for some time now. Two that I know of are win-acme (https://www.win-acme.com/) (edit: looks like this one is deprecated in favor of https://simple-acme.com/) and Certify the Web (certifytheweb.com); the latter has a (likely biased) comparison of Windows ACME clients at Comparing ACME Clients for Windows | Certify The Web Docs.

But while this is a problem, it is not your primary problem--that's that your server is for some reason serving an expired cert.

5 Likes

I was just about to post but while running several tests I now see your server on port 9090 is sending the cert you got earlier today from Certbot.

If you still see a problem with a browser, try restarting that as sometimes they cache prior certs.

You should look to replace Certbot on Windows though. It is now stale by nearly 2 years and much has happened in that time. Major changes like profiles and ACME Renewal Information (ARI).

Both Certify the Web and simple-acme suggested earlier are good options with support for these features.

3 Likes

Thanks for the replies, danb35. I have it fixed now. My problem was with ORDS (Oracle RESTful Data Services). When it's installed, ORDS creates a file "..\ords\config\global\settings.xml". The install process creates entries in settings.xml that point to Certbot's Archive folder and current files. In my case it was C:\Certbot\archive\(my-domain)\fullchain13.pem and C:\Certbot\archive\(my-domain)\privkey13.pem. I changed the Archive folder to Live and removed the version digits on the filename. This way the symbolic link in the LIVE folder references the updated version in the ARCHIVE folder.
So my emergency is solved for the time being. But I'll research both Simple-Acme and Certify The Web solutions. I'll migrate from Certbot to one of those. Many thanks for all your help.

2 Likes
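The root cause in the last post, a server config pinned to a versioned file in Certbot's archive folder rather than the live path, can be checked for mechanically. The Python below is an added example, not code from the thread, ORDS or Certbot; the settings.xml sample is constructed, and its entry key names and the example.com lineage are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample; the entry keys and the example.com paths are assumptions.
SAMPLE_SETTINGS = r"""<properties>
  <entry key="standalone.https.port">9090</entry>
  <entry key="standalone.https.cert">C:\Certbot\archive\example.com\fullchain13.pem</entry>
  <entry key="standalone.https.cert.key">C:\Certbot\archive\example.com\privkey13.pem</entry>
  <entry key="standalone.context.path">/ords</entry>
</properties>
"""

# Certbot keeps every issuance as <name><N>.pem under archive/<lineage>/ and
# points live/<lineage>/<name>.pem at the newest one after each renewal.
VERSIONED = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$", re.I)


def live_path_for(value):
    """Return the live-folder equivalent of a pinned archive path, else None."""
    p = PureWindowsPath(value.strip())
    m = VERSIONED.match(p.name)
    # Require .../archive/<lineage>/<name><N>.pem; anything else is left alone.
    if not m or len(p.parts) < 3 or p.parts[-3].lower() != "archive":
        return None
    base = p.parents[2]      # folder that contains archive/ and live/
    lineage = p.parts[-2]    # certificate name, normally the domain
    return str(base / "live" / lineage / (m.group(1).lower() + ".pem"))


def find_pinned_certs(settings_xml):
    """List (key, pinned path, suggested live path) for every pinned entry."""
    findings = []
    for entry in ET.fromstring(settings_xml).iter("entry"):
        suggestion = live_path_for(entry.text or "")
        if suggestion:
            findings.append((entry.get("key"), entry.text.strip(), suggestion))
    return findings


if __name__ == "__main__":
    for key, pinned, live in find_pinned_certs(SAMPLE_SETTINGS):
        print(f"{key}: {pinned} -> {live}")
```

The scan is key-agnostic, so it flags any entry whose value is a versioned archive file regardless of what the setting is called.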
