{
  "id": "go/net-http-tls-handshake-error-certificate-validity",
  "signature": "tls: failed to verify certificate: x509: certificate has expired or is not yet valid",
  "signature_zh": "tls: 验证证书失败：x509: 证书已过期或尚未生效",
  "regex": "tls: failed to verify certificate: x509: certificate has expired or is not yet valid",
  "domain": "go",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The TLS certificate presented by the server is outside its validity window, either expired or not yet active.",
  "root_cause_type": "generic",
  "root_cause_zh": "服务器提供的 TLS 证书不在其有效期内，要么已过期，要么尚未激活。",
  "versions": [
    {
      "version": "go1.21",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "go1.22",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "go1.23",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Setting InsecureSkipVerify: true in tls.Config",
      "why_fails": "Bypasses all certificate validation, exposing to MITM attacks; not a real fix, just a dangerous workaround.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Updating system clock without checking timezone",
      "why_fails": "If the certificate is genuinely expired, changing clock doesn't fix; also causes other issues.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Renew the certificate on the server side, or update the client's CA pool if using custom CA: tls.Config{RootCAs: x509.NewCertPool()}",
      "success_rate": 0.95,
      "how": "Renew the certificate on the server side, or update the client's CA pool if using custom CA: tls.Config{RootCAs: x509.NewCertPool()}",
      "condition": "",
      "sources": []
    },
    {
      "action": "If testing locally, generate a new self-signed certificate with later expiry: go run crypto/tls/generate_cert.go --host localhost",
      "success_rate": 0.8,
      "how": "If testing locally, generate a new self-signed certificate with later expiry: go run crypto/tls/generate_cert.go --host localhost",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在服务器端续期证书，或如果使用自定义 CA 则更新客户端的 CA 池：tls.Config{RootCAs: x509.NewCertPool()}",
    "如果在本地测试，生成新的自签名证书并设置较晚过期时间：go run crypto/tls/generate_cert.go --host localhost"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://pkg.go.dev/crypto/tls#Config",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.75,
  "resolvable": "partial",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}