# tls: failed to verify certificate: x509: certificate has expired or is not yet valid

- **ID:** `go/net-http-tls-handshake-error-certificate-validity`
- **Domain:** go
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 75%

## Root Cause

The TLS certificate presented by the server is outside its validity window, either expired or not yet active.
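The error text is the same for both halves of the validity window, so it helps to tell them apart before renewing anything. The following is an added example, not code from the original entry: `diagnose` and `check` are hypothetical helper names, and the certificate is a constructed self-signed one generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// diagnose (hypothetical helper) verifies cert against roots at time now; verification stays enabled.
func diagnose(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	var inv x509.CertificateInvalidError
	switch _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); {
	case err == nil:
		return "valid"
	case !errors.As(err, &inv) || inv.Reason != x509.Expired:
		return "other: " + err.Error()
	case now.Before(cert.NotBefore):
		return "not yet valid" // future-dated certificate, or a client clock that is behind
	}
	return "expired" // past NotAfter: renew on the server side
}

// check (hypothetical helper) diagnoses a constructed self-signed certificate valid from now+from to now+to.
func check(now time.Time, from, to time.Duration) string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "setup: " + err.Error()
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: now.Add(from), NotAfter: now.Add(to)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "setup: " + err.Error()
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "setup: " + err.Error()
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust exactly this certificate, as a custom RootCAs pool would
	return diagnose(cert, roots, now)
}

func main() {
	fmt.Println(check(time.Now(), -2*time.Hour, -time.Hour), check(time.Now(), time.Hour, 2*time.Hour))
}
```

Both cases surface as `x509.CertificateInvalidError` with reason `x509.Expired`, which is why the comparison against `NotBefore` is needed. The same `errors.As` check works on the error returned by an `http.Client` call, because the x509 error is wrapped rather than replaced.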

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| go1.21 | active | — | — |
| go1.22 | active | — | — |
| go1.23 | active | — | — |

## Workarounds

1. **Renew the certificate on the server side, or update the client's CA pool if using a custom CA** (95% success)
   ```
   tls.Config{RootCAs: x509.NewCertPool()}
   ```
   The pool returned by `x509.NewCertPool()` is empty; load the current CA certificate into it before use.
2. **If testing locally, generate a new self-signed certificate with a later expiry** (80% success)
   ```
   go run "$(go env GOROOT)/src/crypto/tls/generate_cert.go" --host localhost
   ```

## Dead Ends

- **Setting `InsecureSkipVerify: true` in `tls.Config`** — Bypasses all certificate validation, exposing the connection to MITM attacks; it is a dangerous workaround, not a real fix. (90% fail)
- **Updating the system clock without checking the timezone** — If the certificate is genuinely expired, changing the clock does not fix the error, and it also causes other issues. (60% fail)
