[SOLVED] Sudden ERR_CERT_DATE_INVALID with valid certificate

Greetings! I started getting the ERR_CERT_DATE_INVALID error all of a sudden on a NGINX website today, even though no changes had been made to the certificate or server itself. I’ve been researching on potential fixes to no avail. What could be the cause of this?

EDIT: I also tried to renew the certificate (via certbot certonly, which was successful) and restart the machine, but the error remained unfortunately.

My domain is:
resende.caren.app

I ran this command:
certbot certificates

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: resende.caren.app
   Domains: resende.caren.app www.resende.caren.app
   Expiry Date: 2020-09-15 19:46:09+00:00 (VALID: 89 days)
   Certificate Path: /etc/letsencrypt/live/resende.caren.app/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/resende.caren.app/privkey.pem
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

1 Like

Hi,

That’s weird, because from what I see the certificate is valid and working as intended. Can you please check if your computer’s time is synced correctly?

Information on SSLLabs also show your certificate is valid.
https://www.ssllabs.com/ssltest/analyze.html?d=resende.caren.app
Hardenize test is also fine, although you have some security header issues.

P.S. a important information: If you use certonly without a installer specified (certonly means it will not reload your web server after renewal), you’ll need to make sure you reload/restart your Nginx server after successful renewal. If you don’t reload, the webserver will not use the up to date certificate and will display the expired certificate. @gVirtu

2 Likes

Thank you so much for the thorough response @stevenzhu!

This was actually a false positive on my end, the cert in question was indeed working fine, the culprit was actually another one that was being used for our static assets cloudfront distribution. That one did expire today. :man_facepalming:

I will take the opportunity to review the security header issues now as well.

Thanks a bunch again, I’ll mark this as solved!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.