Skip to content

ERR_CERT_DATE_INVALID: Expired SSL and How to Renew

TL;DR:

ERR_CERT_DATE_INVALID means the site's SSL certificate expired or isn't yet valid. 95% of cases: missed Let's Encrypt renewal or forgotten auto-renew cron. Fix: check expiry online, reissue via certbot, and configure a cron for auto-renewal.

This error occurs tens of thousands of times per month. We cover the causes and step-by-step fix.

Check your site's SSL →

What ERR_CERT_DATE_INVALID means

ERR_CERT_DATE_INVALID means the site's SSL certificate expired or isn't yet valid. 95% of cases: missed Let's Encrypt renewal or forgotten auto-renew cron. Fix: check expiry online, reissue via certbot, and configure a cron for auto-renewal.

The error can appear in Chrome, Edge, Opera, Brave (all Chromium-based), and partially in Firefox and Safari. Different browsers display the same code differently, but the underlying issue is the same.

How to fix (step-by-step)

  1. Check the SSL certificate online — the Enterno.io checker shows the grade, expiry, chain, and specific cause.
  2. If the issue is server-side — reissue the certificate via certbot or your chosen CA.
  3. Update nginx/apache config (enable TLS 1.2/1.3, fullchain, correct ciphers).
  4. Check kernel OpenSSL — an outdated openssl < 1.1 can break handshakes.
  5. After deploy: recheck via SSL checker + clear the browser SSL cache.

Check SSL now →

Related SSL errors

TL;DR: How to Fix ERR_CERT_DATE_INVALID

The ERR_CERT_DATE_INVALID error indicates that the SSL certificate for a website has expired or is not yet valid. To resolve this issue, check the server's system date and time, update the SSL certificate if it's expired, and ensure that the certificate chain is correctly configured. For immediate resolution, use the command sudo date -s 'YYYY-MM-DD HH:MM:SS' to correct the system time.

Understanding ERR_CERT_DATE_INVALID

The ERR_CERT_DATE_INVALID error is a common SSL/TLS issue encountered by users attempting to access secure websites. It primarily arises when:

  • The SSL certificate has expired.
  • The SSL certificate is not yet valid, possibly due to incorrect server time settings.
  • The browser's cache or local system settings are causing discrepancies.

Each of these scenarios can lead to a disruption in secure connections, affecting both user experience and website credibility.

To better understand the implications, consider the following:

  1. Expired Certificate: SSL certificates typically have a validity period ranging from 90 days to 2 years. If a certificate expires, browsers will block access, displaying the ERR_CERT_DATE_INVALID error.
  2. Incorrect System Date/Time: If the server hosting the website has an inaccurate system date or time, it may misinterpret the validity period of the SSL certificate, leading to the same error.

Using tools such as OpenSSL, you can check the validity of a certificate by executing the command:

openssl x509 -in  -noout -dates

This command will display the start and end dates of the certificate's validity.

Steps to Resolve ERR_CERT_DATE_INVALID

To fix the ERR_CERT_DATE_INVALID error, follow these structured steps:

  1. Verify the System Time: Ensure that the server's date and time settings are accurate. For Linux systems, you can check the current date and time by running:
date

If the date is incorrect, update it using:

sudo date -s 'YYYY-MM-DD HH:MM:SS'

For Windows servers, use the following command in Command Prompt:

date YYYY-MM-DD

and

time HH:MM:SS
  • Check SSL Certificate Validity: Use the OpenSSL command mentioned earlier to ensure the certificate is still valid and has not expired. If it has expired, proceed to the next step.
  • Renew the SSL Certificate: If the certificate is expired, you must renew it through your Certificate Authority (CA). Most CAs offer a straightforward renewal process. For example, to renew a Let's Encrypt certificate, you can use:
  • sudo certbot renew

    After renewal, restart your web server to apply the new certificate:

    sudo systemctl restart nginx

    or

    sudo systemctl restart apache2
  • Inspect the Certificate Chain: Ensure that your SSL certificate chain is correctly configured. Use SSL testing tools like SSL Labs to analyze your certificate installation and identify issues.
  • Clear Browser Cache: Sometimes, browsers cache SSL certificate information. Clear your browser cache or try accessing the site in incognito mode to see if the error persists.
  • By following these steps, you should be able to effectively resolve the ERR_CERT_DATE_INVALID error and restore secure access to your website.

    CertificateExpiry, issuer, domains (SAN)
    ChainIntermediate and root CA validation
    TLS ProtocolTLS version and cipher suite
    VulnerabilitiesHeartbleed, POODLE, weak ciphers

    Why teams trust us

    TLS 1.3
    supported
    Full
    CA chain check
    <2s
    result
    30/14/7
    days-to-expiry alerts

    How it works

    1

    Enter domain

    2

    TLS chain verified

    3

    Expiry date & vulnerabilities

    What Does the SSL Check Cover?

    SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

    Certificate Details

    Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

    Chain of Trust

    Full chain verification: from leaf certificate through intermediates to root CA.

    TLS Analysis

    Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

    Expiry Alerts

    Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

    DV vs OV vs EV Certificates

    DV (Domain Validation)
    • Confirms domain ownership only
    • Issued in minutes automatically
    • Free via Let's Encrypt
    • Suitable for most websites
    • Most common certificate type
    OV / EV
    • Organization (OV) or Extended Validation (EV)
    • Issued in 1-5 business days
    • Costs $50 to $500/year
    • For finance, e-commerce, government sites
    • Increases user trust

    Who uses this

    DevOps

    SSL certificate monitoring

    Security

    TLS config audit

    SEO

    HTTPS as ranking factor

    E-commerce

    customer trust

    Common Mistakes

    Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
    Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
    Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
    Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
    Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

    Best Practices

    Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
    Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
    Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
    Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
    Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

    Get more with a free account

    SSL certificate monitoring, check history and alerts 30 days before expiry.

    Sign up free

    Learn more

    Sources

    Frequently Asked Questions

    Is it safe to ignore ERR_CERT_DATE_INVALID?

    No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.

    How can I catch this error early?

    Use the <a href="/en/ssl">Enterno.io SSL/TLS checker</a>, or <a href="/en/monitors">set up monitoring</a> with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.

    Does clearing cookies / cache help?

    Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.

    Is Let's Encrypt free — and is the certificate trusted?

    Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.

    Try the live tool that powered this guide

    Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.