0

I have a digitalocean server (ubuntu 16.4 nginx) + serverpilot I installed letsencrypt Following the site tutorial: https: //www.robertwent.com/blog/using-letsencrypt-serverpilot/

Everything worked out, the result was this: https://testelcon2.tk

The problem: The site works with ssl installed on all desktop browsers However, in mobile android browsers it does not work. The error message I receive is a red padlock and the message: NET: ERR_CERT_DATE_INVALID

I tested other sites I found on the internet to see if the problem was only with my site, and they all work normally in my mobile browser (Chrome, Safari and native browser)

I am 4 days trying to solve this problem, but without success. What could be happening? What did I do wrong? Can someone check for me? My android version: 5.1.1 (Samsung J2)

Test results

Community
  • 1
user7082272
  • 1
  • 1
  • Does your phone somehow have the wrong date set? https://www.ssllabs.com/ssltest/analyze.html?d=testelcon2.tk&hideResults=on&latest suggests the cert itself is ok and no issues on its simulated test other than the lack of SNI support in oooold versions of XP and java – Journeyman Geek Nov 11 '17 at 02:46
  • Hello, yes, the phone has the wrong date. However, all the sites with "ssl" that I tested work correctly, even with the wrong date. I have accessed the most diverse sites on the internet, and everyone is ok, I can access them. Only my site does not work (https://testelcon2.tk) Why does this happen? Why do all sites work with the wrong date and my site does not? – user7082272 Nov 11 '17 at 02:53
  • Set the right date. And/or include how wrong the date is. But SSL *is* reliant on revocation dates and LE has a *uniquely* short certificate renewal period so... yeah, this smells like this is by design – Journeyman Geek Nov 11 '17 at 03:07
  • Hello, The date and year on my cell phone are correct, only the time is delayed (in 5 hours.) – user7082272 Nov 11 '17 at 03:39

2 Answers2

4

Bad time on phone

  • Short answer: just fix the time on your phone.

  • Long answer: see below.

I'm only guessing here. But this is what can happen with very fresh (just issued) certs: they can be out of validity.

But not in the way that you usually encounter in the wild, namely: EXPIRED certs but the other way round: NOT YET VALID certs.

And since you say that other sites worked just fine, then I'm guessing that this is what happened on your phone: according to the phone's clock that cert was not valid yet.

BUT: since you said the clock was not a full day off target and some time has passed: try again. If my guess was correct, then it should work now.

As an aside: cert issuers are are aware of this issue and sometimes BACKDATE the validity date to work around this issue.

Let's Encrypt seems to backdate by one hour. See:

Community
  • 1
StackzOfZtuff
  • 17,783
  • 1
  • 50
  • 86
  • Hello, you're right! The reason for the problem is that the certificate was newly created (11/09/2017), so the browser could not recognize the validity of the certificate. I checked the site on my phone today (11/11/2017) and it's working. It looks like the browser checked the validity of the certificate. All right ! The problem is solved ! Thank you for your help ! – user7082272 Nov 11 '17 at 19:16
0

A little understanding (and perhaps my own laziness in letting my certs elapse in the past) is useful in understanding what the error means.

NET: ERR_CERT_DATE_INVALID

Indicates that, well, there's something fishy about the expiry date. Since it works on a desktop, and not your phone, we can rule out there's something wrong with the cert itself.

This would indicate the date on your phone is wrong, and as such your phone believes the cert is expired, or issued in the future.

Presumably these "all the sites" have expiry dates that fall within the current phone nonstandard time/data and the browser dosen't find anything out of place with them. Without exact dates - I'd suspect that you're more than 3 months in the future, and other sites have longer expiry periods than LE's 3 months

Journeyman Geek
  • 309
  • 3
  • 11
  • Hello, The date and year on my cell phone are correct, only the time is delayed (in 5 hours.) .The certificate I installed on my site ttps: //testelcon2.tk, expires only in February. I tested some sites with letsencrypt, and with short expiration deadlines and, they all work correctly on my phone. An example: https: //www.ssllabs.com/ssltest/analyze.html? D = https: //www.ondehospedar.com.br/ It is only 28 days before the certificate expires, and still works correctly.   Why is this happening? – user7082272 Nov 11 '17 at 03:38