ERR_CERT_DATE_INVALID occurs when the browser determines that the server's certificate is outside its validity period. Every SSL/TLS certificate has a notBefore and notAfter date embedded in it. If the current date falls outside that range, the browser rejects the connection because it cannot verify that the certificate was legitimately issued and is still trusted by its Certificate Authority. This is one of the most common SSL errors users encounter, and it can be caused by either a genuinely expired certificate on the server or an incorrect system clock on the client machine.
The most common reason. Certificates from Let's Encrypt expire every 90 days, and commercial certificates typically expire after 1 year. If automatic renewal failed or was never configured, the certificate will eventually expire and browsers will reject it.
If the user's computer clock is set to a date in the past or far in the future, the browser will calculate that the certificate is outside its validity window even though it is perfectly valid. This is common on devices with dead CMOS batteries or incorrect timezone settings.
In rare cases, the Certificate Authority may have issued the certificate with a notBefore date in the future or an unusually short validity period. This typically only happens with self-signed or internal CA certificates where the issuer's own clock was wrong.
Use openssl to connect to the server and inspect the certificate validity dates. Look at the 'Not Before' and 'Not After' fields to determine if the certificate is expired or not yet valid.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
If the certificate dates look correct, the problem may be on the client side. Check that the system clock is accurate and set to the correct timezone. On Linux, use timedatectl; on macOS, check System Preferences > Date & Time.
date && timedatectl status
If the certificate has expired, renew it. For Let's Encrypt, run certbot renew. For other providers, generate a new CSR and reissue through your CA's dashboard. Then restart your web server to load the new certificate.
sudo certbot renew --force-renewal && sudo systemctl restart nginx
Prevent future expirations by configuring a cron job or systemd timer for automatic renewal. Certbot usually installs a timer automatically, but verify it is active.
systemctl list-timers | grep certbot
After renewal, confirm the server is actually serving the new certificate and not a cached or stale one. Use the port scanner to verify HTTPS is accessible.
Scan PortsThe browser does not trust the Certificate Authority that signed the server's SSL certificate.
The domain name in the URL does not match any of the names listed in the server's SSL certificate.
The TLS peer rejected the certificate because it has passed its expiration date.