Net::err_cert_date_invalid


#1

After activating one of my websites, one of my clients complained that this error was showing up:

The translation would be

Your clock is late

It is not possible to establish a connection with www.trilhasereceptivos.com.br because the hour and date of your computer (Wednesday, December 26 2018 20:33:47) are incorrect

I asked her to access another website that was activated the same way and it was fine. Her clock seems to be off by one hour, but according to her, her area is not affected by daylight saving time and her clock is indeed correct.

The certificate was created today and is not close to renewal date. I’ve rebooted the server to make sure it is not related to that.

My domain is: trilhasereceptivos.com.br

I ran this command: sudo certbot certonly --webroot -w public -d www.trilhasereceptivos.com.br -d m.trilhasereceptivos.com.br -d trilhasereceptivos.com.br

It produced this output:

 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.trilhasereceptivos.com.br/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.trilhasereceptivos.com.br/privkey.pem
   Your cert will expire on 2019-03-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-92-generic x86_64)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Certificates have an expiration date and a “not valid before” date – if you time travel to the past, or your computer’s clock is incorrect, certificates can be not yet valid.

Let’s Encrypt certificates have a “not before” time of 1 hour before the moment they were issued. (And in fact expire 89 days and 23 hours after they were issued.)

If your clock is more than 1 hour slow, you will get that kind of error.

Can you ask her to double check? It seems she was mistaken.

Edit: There’s “correct” and then there’s correct. If the clock is 1 hour slow, but the time zone setting is 1 hour fast, it can appear correct when it’s not.
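
The point made in the reply above, as an added example that is not part of the original thread: it computes the validity window the reply describes (1 hour backdated, expiry 89 days 23 hours after issuance) and shows how the same on-screen time yields different results depending on the time zone setting. The issuance time, the true time and the UTC offsets are constructed assumptions; only the displayed 20:33:47 comes from the error message.

```python
from datetime import datetime, timedelta, timezone

# Window described in the reply above: notBefore is 1 hour before issuance,
# expiry is 89 days 23 hours after issuance.
BACKDATE = timedelta(hours=1)
LIFETIME = timedelta(days=89, hours=23)

def validity_window(issued_utc):
    """Return (notBefore, notAfter) for a certificate issued at issued_utc."""
    return issued_utc - BACKDATE, issued_utc + LIFETIME

def believed_utc(displayed_local, utc_offset_hours):
    """UTC instant the client uses for validation, given the wall-clock time
    it displays and the UTC offset its time zone setting applies."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return displayed_local.replace(tzinfo=tz).astimezone(timezone.utc)

def diagnose(issued_utc, true_utc, displayed_local, utc_offset_hours):
    """Return (status, skew) where skew = client's UTC minus true UTC."""
    not_before, not_after = validity_window(issued_utc)
    now = believed_utc(displayed_local, utc_offset_hours)
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    return status, now - true_utc

# Constructed sample values: issuance time, true time and offsets are assumptions.
ISSUED = datetime(2018, 12, 26, 23, 0, 0, tzinfo=timezone.utc)
TRUE_NOW = datetime(2018, 12, 26, 23, 33, 47, tzinfo=timezone.utc)
DISPLAYED = datetime(2018, 12, 26, 20, 33, 47)  # what the user sees on screen

if __name__ == "__main__":
    for offset in (-3, -2, -1):
        status, skew = diagnose(ISSUED, TRUE_NOW, DISPLAYED, offset)
        hours = skew.total_seconds() / 3600
        print(f"UTC{offset:+03d}:00 setting -> skew {hours:+.0f} h, certificate {status}")
```

A clock that is exactly 1 hour slow still passes because of the 1 hour backdating; the "not yet valid" result only appears once the skew exceeds it.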