{ "id": "nginx/ssl-certificate-not-yet-valid", "signature": "SSL: certificate not yet valid: certificate is not valid until date", "signature_zh": "SSL 证书尚未生效:证书在指定日期之前无效", "regex": "SSL: certificate not yet valid: certificate is not valid until", "domain": "nginx", "category": "auth_error", "subcategory": null, "root_cause": "The SSL/TLS certificate used by nginx has a notBefore date in the future, so the system clock is ahead or the certificate is not yet valid.", "root_cause_type": "generic", "root_cause_zh": "nginx 使用的 SSL/TLS 证书的 notBefore 日期在未来,系统时钟过快或证书尚未生效。", "versions": [ { "version": "nginx/1.24.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx/1.22.1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The certificate file itself is invalid; reloading does not change its notBefore date.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "This controls client certificate verification, not server certificate validity.", "fail_rate": 0.85, "condition": "", "sources": [] }, { "action": "", "why_fails": "This is a temporary workaround that breaks other time-sensitive services and is not a real fix.", "fail_rate": 0.6, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Regenerate the certificate with a correct notBefore date using openssl: openssl x509 -req -in mydomain.csr -signkey mydomain.key -out mydomain.crt -days 365 -startdate $(date -d 'yesterday' +%Y%m%d%H%M%S)Z", "success_rate": 0.95, "how": "Regenerate the certificate with a correct notBefore date using openssl: openssl x509 -req -in mydomain.csr -signkey mydomain.key -out mydomain.crt -days 365 -startdate $(date -d 'yesterday' +%Y%m%d%H%M%S)Z", "condition": "", "sources": [] }, { "action": "Verify system date with command 'date' and synchronize using NTP: sudo timedatectl set-ntp true && sudo systemctl restart nginx", "success_rate": 0.8, "how": "Verify system date with command 'date' and synchronize using NTP: sudo timedatectl set-ntp true && sudo systemctl restart nginx", "condition": "", "sources": [] }, { "action": "Obtain a new certificate from Let's Encrypt with certbot: sudo certbot renew --force-renewal", "success_rate": 0.9, "how": "Obtain a new certificate from Let's Encrypt with certbot: sudo certbot renew --force-renewal", "condition": "", "sources": [] } ], "workarounds_zh": [ "Regenerate the certificate with a correct notBefore date using openssl: openssl x509 -req -in mydomain.csr -signkey mydomain.key -out mydomain.crt -days 365 -startdate $(date -d 'yesterday' +%Y%m%d%H%M%S)Z", "Verify system date with command 'date' and synchronize using NTP: sudo timedatectl set-ntp true && sudo systemctl restart nginx", "Obtain a new certificate from Let's Encrypt with certbot: sudo certbot renew --force-renewal" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_ssl_module.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.92, "resolvable": "true", "first_seen": "2024-01-10", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }