go
auth_error
ai_generated
partial
tls: failed to verify certificate: x509: certificate has expired or is not yet valid
ID: go/net-http-tls-handshake-error-certificate-validity
Fix rate: 75%
Confidence: 88%
Evidence count: 1
First seen: 2024-01-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| go1.21 | active | — | — | — |
| go1.22 | active | — | — | — |
| go1.23 | active | — | — | — |
Root cause analysis
The TLS certificate presented by the server is outside its validity window, either expired or not yet active.
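Official documentation
https://pkg.go.dev/crypto/tls#Config
Solutions
- Renew the certificate on the server, or, if you use a custom CA, update the client's CA pool: tls.Config{RootCAs: x509.NewCertPool()} (the pool must be populated with the CA certificate; an empty pool trusts nothing)
- If testing locally, generate a new self-signed certificate with a later expiry: go run "$(go env GOROOT)/src/crypto/tls/generate_cert.go" --host localhost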
Ineffective attempts
Common but ineffective approaches:
- Setting InsecureSkipVerify: true in tls.Config
  90% failure rate
  Bypasses all certificate validation, exposing the connection to MITM attacks; not a real fix, just a dangerous workaround.
- Updating the system clock without checking the timezone
  60% failure rate
  If the certificate is genuinely expired, changing the clock doesn't fix it; it also causes other issues.