SSL: CERTIFICATE_VERIFY_FAILED: certificate has expired
DodaTech
The error “SSL: CERTIFICATE_VERIFY_FAILED: certificate has expired” means the server’s SSL/TLS certificate is no longer within its validity period. That period is bounded by the certificate’s notBefore and notAfter dates, and a certificate checked after notAfter is stale.
What It Means
Every X.509 certificate has a defined validity window: notBefore (start date) and notAfter (end date). When a client connects and the current system time is outside this window, the TLS handshake fails with a certificate expired error. The connection is aborted before any data is exchanged.
Why It Happens
- The certificate was not renewed before it expired.
- The system clock on the client or server is incorrect (too far in the past or future).
- The server is presenting an old certificate after renewal failed or was not applied.
- An automatic renewal system (e.g., certbot) is not running or is misconfigured.
- The certificate was issued for a short validity period (e.g., 90 days for Let’s Encrypt) and was not renewed in time.
How to Fix It
1. Check the certificate expiration date
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
2. Renew a Let’s Encrypt certificate
sudo certbot renew
sudo systemctl reload nginx
3. Force renewal if the certificate is already expired
sudo certbot renew --force-renewal
4. Check the system date on both sides
date
sudo systemctl status ntp
5. Generate a new self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
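Steps 1 and 4 can be combined into one check that compares the dates printed by `openssl x509 -noout -dates` with a given clock. The Python below is an added example, not code from the original article; the sample dates are constructed, and the names `parse_dates` and `classify` and the 30-day warning threshold are illustrative assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE_DATES = """\
notBefore=Jan  5 00:00:00 2024 GMT
notAfter=Apr  4 23:59:59 2024 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds() parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
            seconds = ssl.cert_time_to_seconds(value)
            found[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected one notBefore= and one notAfter= line")
    return found["notBefore"], found["notAfter"]


def classify(text, now, warn_days=30):
    """Compare the validity window with `now` (an aware datetime)."""
    not_before, not_after = parse_dates(text)
    if now < not_before:
        # A clock set in the past lands here, not in "expired".
        return "not_yet_valid", f"valid from {not_before:%Y-%m-%d}; check the clock"
    if now > not_after:
        days = (now - not_after).days
        return "expired", f"expired {days} day(s) ago; renew, or check the clock"
    remaining = (not_after - now).days
    if remaining < warn_days:
        return "expiring_soon", f"{remaining} day(s) left; renew now"
    return "valid", f"{remaining} day(s) left"


if __name__ == "__main__":
    status, detail = classify(SAMPLE_DATES, datetime.now(timezone.utc))
    print(f"{status}: {detail}")
```

Passing a deliberately skewed `now` shows how a wrong clock changes the verdict for the same certificate.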