nginx auth_error ai_generated true

SSL: certificate not yet valid: certificate is not valid until date

ID: nginx/ssl-certificate-not-yet-valid

Fix Rate: 92%
Confidence: 88%
Evidence: 1
First Seen: 2024-01-10

Version Compatibility

Version        Status   Introduced   Deprecated   Notes
nginx/1.24.0   active
nginx/1.22.1   active

Root Cause

The SSL/TLS certificate used by nginx has a notBefore date in the future: either the system clock is ahead or the certificate is not yet valid.

generic


Official Documentation

https://nginx.org/en/docs/http/ngx_http_ssl_module.html

Workarounds

  1. 95% success: Regenerate the certificate on a host whose clock is correct. openssl x509 -req sets notBefore to the signing time (-startdate only prints the date and takes no value): openssl x509 -req -in mydomain.csr -signkey mydomain.key -out mydomain.crt -days 365
  2. 80% success: Verify the system date with the 'date' command and synchronize using NTP: sudo timedatectl set-ntp true && sudo systemctl restart nginx
  3. 90% success: Obtain a new certificate from Let's Encrypt with certbot: sudo certbot renew --force-renewal
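
To choose between the workarounds above, compare the certificate's notBefore with the host clock. The following is an added example, not part of the original entry; it assumes GNU date, and the function names and the SKEW_LIMIT threshold are hypothetical choices made for this illustration.

```shell
#!/bin/sh
# Added example: classify a "certificate is not yet valid" failure.
# Requires GNU date (date -d). SKEW_LIMIT is an assumed threshold in seconds,
# not a value defined by nginx or OpenSSL.
SKEW_LIMIT=${SKEW_LIMIT:-3600}

# Convert a line printed by `openssl x509 -noout -startdate` to epoch seconds.
not_before_epoch() {
    date -u -d "${1#notBefore=}" +%s 2>/dev/null
}

# diagnose <startdate-line> <reference-epoch>
#   valid          notBefore has passed; look elsewhere for the cause
#   clock-skew Ns  small gap; fix time synchronization (workaround 2)
#   future-dated   large gap; reissue the certificate (workarounds 1 and 3)
diagnose() {
    nb=$(not_before_epoch "$1") || { echo "unparseable"; return 2; }
    gap=$(( nb - $2 ))
    if [ "$gap" -le 0 ]; then
        echo "valid"
    elif [ "$gap" -le "$SKEW_LIMIT" ]; then
        echo "clock-skew ${gap}s"
    else
        echo "future-dated ${gap}s"
    fi
}

# Check a certificate file against this host's clock.
check_cert() {
    line=$(openssl x509 -in "$1" -noout -startdate) || return 2
    diagnose "$line" "$(date -u +%s)"
}

# Constructed sample line and reference times (not taken from a real server).
SAMPLE='notBefore=Jan 10 00:00:00 2024 GMT'
diagnose "$SAMPLE" 1704844680   # 2 minutes before notBefore
diagnose "$SAMPLE" 1704758400   # 1 day before notBefore
diagnose "$SAMPLE" 1704931200   # 1 day after notBefore
```

On a server, run check_cert against the file named in the ssl_certificate directive.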


Dead Ends

Common approaches that don't work:

  1. 95% fail

    The certificate file itself is invalid; reloading does not change its notBefore date.

  2. 85% fail

    This controls client certificate verification, not server certificate validity.

  3. 60% fail

    This is a temporary workaround that breaks other time-sensitive services and is not a real fix.