NET::ERR_CERT_DATE_INVALID and certificate is not expired
When I try to access my website using https I receive the below error. This error only occurs from my computer regardless which browser I am using to access the home page. When I try to access the same website using another computer everything is fine and I don't receive this error. I am puzzled since the error seems to indicate invalid date, but the date has not expired. What should I do in order to resolve this issue?
NET::ERR_CERT_DATE_INVALID Subject: www.dimsum.dk
Issuer: R3
Expires on: 29. dec. 2021
Current date: 30. sep. 2021
PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgISBFTpIRdz8BnEJ1HmwjjelP48MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MzAwMzQ0NDNaFw0yMTEyMjkwMzQ0NDJaMBgxFjAUBgNVBAMT
DXd3dy5kaW1zdW0uZGswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs
ld4yzvlDBswuVvdfyuhz/biGfgpPTaD8vD/kLrudtCBChI4S94xAFl1u3KemECo8
p8OdJLSqgl/GMijlsisNRfW4gNggW6vc6ZpecnvVEjwWH+nNpL9/B0PejVvWfa71
297B5qPejBMvxhRFE8huOzDvK45nKiYtLyQbpWlwrQYwR+iomECUhNykkrvaALby
zWL5vedXuLwprA5ehQwjK8Sc1vEnF2SQ7F54Ede6RX4kQDE1ga2Zzf/SaPyUxTUu
Dby//jWSRhlG2yikdfEVUDzU863k66u7GZnk9cjbRCMxEwez1f5BsHnVzah7LwoO
zIMZ7uXj3LZdf1isShbdAgMBAAGjggJIMIICRDAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFKgYduUe8+w197TiCqj2IqO0VHWNMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
MBgGA1UdEQQRMA+CDXd3dy5kaW1zdW0uZGswTAYDVR0gBEUwQzAIBgZngQwBAgEw
NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
cnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBc3EOS/uarRUSxXprU
VuYQN/vV+kfcoXOUsl7m9scOygAAAXw1BN0ZAAAEAwBGMEQCIGJv0dBdTLKAXBkw
1Wo0RPjEwUd/+PLZ8JaT3cDaADhtAiAfwg9+G9gow+3LhPcdyLc7i6EdEJTsZUY2
FqOkreHx+AB3AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABfDUE
3TIAAAQDAEgwRgIhALumwLxtVcvItDPw2CWH1UmFU1vB+iVF3leLWrcZVVOnAiEA
gk+AxFpuAbmp0T5Xk4aDfBu8YIbYROnBzr50DHBlzWowDQYJKoZIhvcNAQELBQAD
ggEBAIW9jZPFwTBxoKlsXFtbpGtmju/aCjkctVjz05ywn1A7zChT1bP8QDk2bVMc
nwDmdqd4Zxh/cOz3UEvfpEPloGWi0Vv2qNza/TqZ14cc2wsd05EPMFwdCNlS7KAC
uqAPMZszHdSEMBobSP1fgKicutKH4PvuBRPcAgzOb3Mc+nTSDTzl3vwRuHGAcJKw
pOik/WFQhnqEU5bZjnMVSzsmbq+0f//vLvven36BbdxJlbKUP+jkWicKxAdRewmE
3c9Baqdr8ZHfRJkC7RczJKyKc9cREHeyM1gGnqR16BDguGhoYE6E47PHGkhWYIk6
GWjksODOm3vblUBhcgfrBuBMpFE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Certificate Transparency:
SCT DigiCert Yeti2021 Log (Embedded in certificate, Verified)
SCT Google 'Xenon2021' log (Embedded in certificate, Verified)
Solution 1:
I just encountered a similar problem to this yesterday - my web server was only serving the site certificate, not the full certificate chain.
Some computers were finding the R3 certificate and were happy, but several macOS computers were not finding the new R3 certificate, instead using an older one, which expired on 29 September (two days ago), and whose Root CA (DST Root CA X3) expired on the following day.
The new R3 certificate expires in 2025, and is signed by a different CA: ISRG Root X1.
You can check the certificates your web server is sending with:
openssl s_client -connect www.dimsum.dk:443 -servername dimsum.dk -showcerts
You should see the R3 certificate (s:/C=US/O=Let's Encrypt/CN=R3
) in the output, e.g.
Certificate chain
0 s:/CN=www.dimsum.dk
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFIDCCBAigAwIBAgISBFTpIRdz8BnEJ1HmwjjelP48MA0GCSqGSIb3DQEBCwUA
...
GWjksODOm3vblUBhcgfrBuBMpFE=
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
No expiry dates are listed here, but note the R3 certificate is issued by the ISRG Root X1 certificate, and the Base64 top and tail of the certificates should match what is here - for the next few years at least.
Solution 2:
When I try to access my website using https I receive the below error. This error only occurs from my computer regardless which browser I am using to access the home page.
I am going to make the educated guess that your system time is actually accurate, but due to the time zone you are in, your system time the browser is reporting the certificate as invalid. The reason your certificate is invalid, is due to the fact the Root Certificate Authority (CA) Certificate (DST Root CA X3) that signed your certificate, is due to expire today.
The solution is to manually install the ISRG Root X1 certificate into the certificate store on your device. As of today, September 30th, 2021, ISRG Root X1 replaces DST Root CA X3. You shouldn't have to do anything. Running the current Chrome version on a supported operating system should already trust the ISRG Root X1 certificate. If the certificate continues not to be trusted. I would simply install the certificate manually to the certificate store.
You can manually import the certificate using the following command within a command prompt:
ertutil -ent -addstore Root isrgrootx1.der
Source: DST Root CA X3 expiration on Windows7. Which update I need to install? Are there workarounds?
To be clear, my suggestion is to manually install this, using the provided command.
Let's Encrypt has the following advice:
If you experience problems related to certificate chaining you should first review your configuration and make sure your server/website/device is sending the correct chain with the updated R3 intermediate signed by ISRG Root X1. It is unlikely that you need to force renewal to resolve issues related to R3 signed by DST Root CA X3 expiring. This thread and many more on the community offer advice to review and resolve this problem.
Earlier today, the DST Root CA X3 expired as planned. Most problems related to DST Root CA X3 expiring will not be solved by force renewal. Please search the forum and this this thread for help to resolve the problems you are experiencing before opening a new thread.
You might have luck removing the invalid chain contained within fullchain.pem (or the appropriately named file) on your system. You will want to remove the last entry in the file which should be the chain for DST Root CA X3
. if clients still don't trust your website, after manually installing the correct certificate, it's the configuration of the web server that is to blame.
You might be able to resolve the problem by forcing a renewal of your certificate and specifically indicating a the preferred chain with the following abbreviated command.
certbot renew --force-renewal --preferred-chain "ISRG Root X1"
Source: Directory access problem