Tags: go, auth_error, ai_generated, partial
tls: failed to verify certificate: x509: certificate has expired or is not yet valid
ID: go/net-http-tls-handshake-error-certificate-validity
Fix Rate: 75%
Confidence: 88%
Evidence: 1
First Seen: 2024-01-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| go1.21 | active | — | — | — |
| go1.22 | active | — | — | — |
| go1.23 | active | — | — | — |
Root Cause
The TLS certificate presented by the server is outside its validity window, either expired or not yet active.
Official Documentation
https://pkg.go.dev/crypto/tls#Config
Workarounds
- 95% success: Renew the certificate on the server side, or, if the client uses a custom CA, update the client's CA pool: tls.Config{RootCAs: x509.NewCertPool()} (the pool starts empty, so add the current CA certificate to it)
- 80% success: If testing locally, generate a new self-signed certificate with a later expiry: go run $(go env GOROOT)/src/crypto/tls/generate_cert.go --host localhost
Dead Ends
Common approaches that don't work:
- Setting InsecureSkipVerify: true in tls.Config (90% fail): Bypasses all certificate validation, exposing the connection to MITM attacks; not a real fix, just a dangerous workaround.
- Updating the system clock without checking the timezone (60% fail): If the certificate is genuinely expired, changing the clock doesn't fix it; it also causes other issues.