sfw/fix
ERR_CERT_DATE_INVALID high

NET::ERR_CERT_DATE_INVALID (expired or not-yet-valid certificate)

The device clock is outside the certificate's validity window, so Chrome treats the cert as expired or not yet valid.

What you see

Your connection is not private
NET::ERR_CERT_DATE_INVALID
example.com normally uses encryption to protect your information... your clock is wrong

What’s actually happening

Red interstitial, and Chrome frequently guesses the cause in the body text — either "the server's certificate has expired" or "your computer's clock is set to [date], which is wrong." If it expired server-side, every visitor sees it at once. If it's a client-clock problem, only that one machine is affected and HTTPS breaks across many sites simultaneously, which is the giveaway.

Common causes

  • The certificate hit its Not After date — renewal didn't happen or the auto-renew job silently failed.
  • Renewal succeeded but the new cert was never deployed/reloaded, so the server is still presenting the old expired file.
  • The cert isn't valid yet (Not Before is in the future) — usually a server clock set wrong or a freshly issued cert deployed too early.
  • The visitor's device clock is wrong (dead CMOS battery, wrong timezone, a VM resumed from an old snapshot).
  • A pinned or cached old cert is being served by a stale load balancer / CDN node after renewal.

How to fix it

  1. Read the actual dates first`echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates` prints notBefore and notAfter. Compare against `date -u`. This instantly tells you whether the cert or the clock is the problem.
  2. If the cert expired, renew and actually reloadReissue (`certbot renew --force-renewal` or your CA's flow), then reload the service so it picks up the new file — `systemctl reload nginx` / `apachectl graceful`. Renewing without reloading is the classic "I renewed it but it's still broken." Re-run the openssl check to confirm the new notAfter.
  3. Fix a failed auto-renewCheck the timer: `systemctl list-timers | grep certbot` and `journalctl -u certbot`. Common breakages: port 80 closed so the HTTP-01 challenge fails, a webroot path that moved, or rate-limit hits. Fix the underlying cause, don't just renew by hand each time.
  4. If it's a client clock issueSet time to automatic: Windows Settings > Time & language > "Set time automatically" + "Sync now"; macOS sets it via Date & Time; Linux `timedatectl set-ntp true`. Replace the CMOS battery if the desktop keeps resetting to a date years in the past.
  5. Purge stale cached certs at the edgeIf origin shows the new dates but the browser still sees the old one, a CDN/LB node is serving a cached cert. Re-deploy the cert at the edge (Cloudflare, your LB) and confirm via openssl against the public hostname, not just the origin.

Stop it recurring

Monitor expiry with an external check (e.g. an uptime monitor's SSL alert) that pings 30/14/7 days out, and keep NTP enabled on servers.

Related errors

NET::ERR_CERT_AUTHORITY_INVALID (untrusted / self-signed CA)

high

Chrome can't build a trust path from the site's certificate to a root it trusts, so it blocks the page.

NET::ERR_CERT_REVOKED (certificate revoked by the CA)

critical

The CA has actively revoked this certificate via OCSP/CRL, so Chrome blocks it and no bypass will load the page.

SSL Certificate Expired

critical

An expired SSL certificate triggers a full-page "Your connection is not private" warning that blocks every visitor.

Mixed Content Warning

medium

Mixed content is an HTTPS page loading some resources over insecure HTTP — it breaks the padlock and blocks assets.