Seeing a big warning page that says ERR_CERT_DATE_INVALID when you try to load a website can feel a bit alarming.
For everyday users, this is simply a friendly alert that the site they're trying to reach may not be secure. For website owners, it's a sign that your SSL certificate needs attention.
Let's walk through exactly what this error means, why it happens, and the steps both visitors and site owners can take to resolve it.
What ERR_CERT_DATE_INVALID Means
SSL/TLS certificates are only valid for a set period of time. When the browser checks the certificate and sees that the date range doesn't match what it expects, it blocks access to the site and displays ERR_CERT_DATE_INVALID, often accompanied by the phrase "Your connection is not private."
This typically happens for two main reasons:
- The certificate hasn't started yet (its activation date is in the future).
- The certificate has already expired (its end date has passed).
Browsers treat either situation as unsafe, because if certificates were accepted outside of their valid window, attackers could try to reuse old certificates or issue future-dated ones to impersonate sites.
A Quick Refresher on SSL/TLS Certificates
To understand why this error matters, it helps to review what SSL/TLS certificates do:
- Encryption: They encrypt data between your browser and the website, preventing outsiders from reading sensitive information.
- Authentication: They confirm that the website really is the domain it claims to be. For example, when you visit https://example.com, the certificate proves you're connected to the real example.com and not a fake copy.
- Trust indicators: Certificates let browsers display the padlock icon and use HTTPS in the address bar, signaling a secure connection.
Each certificate has a validity window defined by a start and end date. For example:
Once that time frame passes, the certificate is no longer considered secure, and browsers will flag it with errors like ERR_CERT_DATE_INVALID.
Common Reasons You'll See ERR_CERT_DATE_INVALID
This error can pop up for several reasons. Some are related to the website itself, while others come from the user's own device:
- Expired SSL/TLS certificate
  - The most common cause. When the certificate hits its expiration date, it's automatically invalid.
  - Example: If a certificate was valid from June 1, 2023, to June 1, 2024, and you visit the site on June 2, 2024, the browser will show this error.
- Certificate not yet valid
  - If the certificate's start date is set in the future, it won't work until that date arrives.
  - This can happen if the certificate was issued incorrectly or installed with the wrong settings.
- Incorrect date or time on the device
  - Your browser compares the certificate's validity dates with your computer or phone's system clock.
  - If your clock is set to the wrong year, month, or time zone, the browser may think the certificate is expired or not yet valid.
  - Example: If your laptop resets to January 1, 1970 (a common system default), every modern certificate will look invalid.
- Man-in-the-middle interference
  - In rare cases, malicious actors or insecure networks may try to intercept your connection.
  - Browsers detect mismatches in certificate details and show this error as a warning sign.
  - While uncommon, it's one reason why you shouldn't simply click past the warning.
How This Differs From Other SSL Errors
Browsers display different SSL errors depending on what's wrong with the certificate. Here's how ERR_CERT_DATE_INVALID compares:
- ERR_CERT_COMMON_NAME_INVALID: The certificate doesn't match the domain name (for example, the certificate is for www.example.com but you're on mail.example.com).
- ERR_CERT_AUTHORITY_INVALID: The certificate was issued by an untrusted or unknown certificate authority (CA).
- NET::ERR_CERT_REVOKED: The certificate has been revoked by the CA, usually due to security concerns.
- ERR_SSL_PROTOCOL_ERROR: The secure handshake between the browser and the website failed, preventing a secure connection.
Unlike those, ERR_CERT_DATE_INVALID is tied specifically to the certificate's time validity. That makes it easier to diagnose because you know the issue is either the certificate's dates or the system clock.
User-Side Fixes
If you're just trying to visit a website and see this error, there are a few steps you can take before assuming the site is unsafe:
- Check your device's date and time
  - Make sure your clock, calendar, and time zone are accurate.
  - On Windows, you can set the clock to update automatically with internet time servers.
  - On macOS, enable "Set date and time automatically" in system preferences.
- Update your browser and operating system
  - Outdated browsers may not recognize newer certificates correctly.
  - Installing updates also refreshes your system's list of trusted certificate authorities.
- Clear SSL state and cache
  - Browsers sometimes store old certificate data. Clearing the SSL cache can force a fresh check.
  - In Chrome on Windows: go to Internet Options → Content → Clear SSL state.
- Try incognito mode or another browser
  - This rules out issues caused by browser extensions or cached sessions.
- Check your VPN
  - If you're using a Virtual Private Network, you might be routed through a server in a different time zone.
  - Example: If your device is set to local time in California but your VPN routes traffic through Germany, an SSL certificate that looks valid in Germany's time zone might appear expired or not yet valid on your system.
If you try these steps and still see the error on multiple devices, it's almost certainly a problem with the website's SSL certificate, not your system.
Fixes for Website Owners
If you manage the website that's showing this error, you'll need to address the certificate directly. Steps include:
- Check your certificate's expiration date
  - You can do this by clicking the padlock in your browser's address bar and viewing the certificate details.
  - Online SSL checkers (like Qualys SSL Labs) also show certificate validity.
- Renew or reissue the certificate
  - If it's expired, request a renewal from your certificate provider.
  - With Let's Encrypt, this can often be done with a simple renewal command.
- Install the new certificate correctly
  - Replace the old certificate on your web server and restart the web service.
  - On Apache or Nginx, that means updating the .crt and .key files and reloading the service.
- Verify your server's system clock
  - Just like client devices, servers need the correct date and time.
  - Configure Network Time Protocol (NTP) to sync with reliable time servers.
- Check intermediate certificates
  - Many SSL setups require intermediate certificates to complete the chain of trust.
  - If these are expired or missing, browsers may still throw an error.
Preventing Future Issues
Dealing with expired certificates can be stressful, but prevention is straightforward:
- Set up certificate expiration alerts
  - Many certificate authorities send reminders before expiration.
  - You can also use monitoring tools that notify you if a certificate is nearing its end date.
- Automate renewals
  - With Let's Encrypt and Certbot, certificates can renew automatically every 60–90 days.
  - Automation prevents human error and avoids downtime caused by expired certificates.
- Keep track of all certificates
  - If you run multiple websites or services, maintain an inventory of your certificates, their providers, and expiration dates.
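The date check behind ERR_CERT_DATE_INVALID and the expiration alerting and inventory suggested here, as an added Python example that is not part of the original article: `classify` makes the same not-before/not-after comparison against whatever clock it is given, and `audit` runs it over an inventory, most urgent first. The hostnames, dates, the 30-day warning threshold and the function names are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

DAY = 86400  # seconds

def classify(not_before, not_after, now, warn_days=30):
    # Dates use the 'Jun  1 00:00:00 2024 GMT' form returned by getpeercert();
    # now is a timezone-aware datetime standing in for the device clock.
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    t = now.timestamp()
    if t < start:
        return "not_yet_valid"   # browser would show ERR_CERT_DATE_INVALID
    if t > end:
        return "expired"         # browser would show ERR_CERT_DATE_INVALID
    if end - t <= warn_days * DAY:
        return "expiring_soon"   # still accepted, but renew now
    return "valid"

def audit(inventory, now, warn_days=30):
    # Return (host, status, days_left) per entry, sorted most urgent first.
    rows = []
    for host, not_before, not_after in inventory:
        left = int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // DAY)
        rows.append((host, classify(not_before, not_after, now, warn_days), left))
    return sorted(rows, key=lambda r: r[2])

def fetch_dates(host, port=443, timeout=5):
    # Live lookup (needs network). If the certificate already fails the date
    # check, wrap_socket raises ssl.SSLCertVerificationError: OpenSSL
    # verify_code 9 means not yet valid, 10 means expired.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]

# Constructed inventory: hostnames and dates are illustrative, not real sites.
INVENTORY = [
    ("www.example.com",  "May  1 00:00:00 2024 GMT", "Jul 30 00:00:00 2024 GMT"),
    ("shop.example.com", "Jun  1 00:00:00 2023 GMT", "Jun  1 00:00:00 2024 GMT"),
    ("api.example.com",  "Jun 10 00:00:00 2024 GMT", "Sep  8 00:00:00 2024 GMT"),
    ("blog.example.com", "Mar 22 00:00:00 2024 GMT", "Jun 20 00:00:00 2024 GMT"),
]

if __name__ == "__main__":
    today = datetime(2024, 6, 2, tzinfo=timezone.utc)
    for row in audit(INVENTORY, today):
        print(row)
```

Passing `datetime.now(timezone.utc)` as `now` and feeding `audit` with the output of `fetch_dates` turns this into a scheduled check; passing a deliberately wrong clock shows how a misconfigured device makes a good certificate fail.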
Wrapping Up
ERR_CERT_DATE_INVALID is one of the more common SSL/TLS errors, and fortunately, it's often one of the easiest to diagnose. It almost always points to an expired certificate or an incorrect system clock.
- For users: the fix usually comes down to correcting device date and time settings or updating the browser.
- For website owners: the fix is typically renewing and installing a valid SSL/TLS certificate.
Staying proactive with certificate management ensures visitors won't be blocked by errors, and it helps maintain security and trust in your website.