OpenSSL: certificate has expired
Diagnose and fix OpenSSL verify error 10 'certificate has expired' caused by expired leaf certificates, intermediates, or system clock skew.
OpenSSL produces "verify error:num=10:certificate has expired" when the server's leaf certificate or an intermediate CA certificate in the chain has passed its notAfter validity date.
When OpenSSL Produces This Error
OpenSSL displays "certificate has expired" during openssl s_client -connect or openssl verify when any certificate in the chain is past its expiration date. The error appears as verify error:num=10.
What Causes "certificate has expired" in OpenSSL
The leaf certificate has passed its notAfter date. Let's Encrypt certificates expire after 90 days. Certificates from commercial CAs typically expire after 1 year. If automatic renewal via Certbot is not configured or has failed, the certificate expires without warning.
An intermediate CA certificate in the chain has expired. This is less common but occurs when a CA rotates its intermediate certificates and the server still serves the old one.
The client system's clock is incorrect. OpenSSL compares certificate dates against the system clock. A clock set far in the past or future causes valid certificates to appear expired.
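The clock dependence described above can be reproduced offline. This is an added example, not part of the original page: it creates a throwaway one-day self-signed certificate and verifies it with openssl verify -attime at two clock values. The function names, the expiry-demo.invalid subject and the temporary paths are assumptions; the 30-day window mirrors Certbot's default renewal threshold.

```shell
#!/bin/sh
# Added example: constructed certificate, hypothetical function names.

# Create a throwaway self-signed certificate that is valid for one day.
make_demo_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=expiry-demo.invalid" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Verify the certificate as if the clock read $2 (epoch seconds).
# The certificate is self-signed, so it doubles as its own trust anchor.
verify_at() {        # $1 = certificate path, $2 = epoch seconds
    openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1
}

# Classify a certificate against a renewal window given in days.
expiry_state() {     # $1 = certificate path, $2 = window in days
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo renew
    else
        echo ok
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" || return 1
    now=$(date +%s)
    # Same certificate, two clock values: only the second one fails.
    echo "clock correct:      $(verify_at "$dir/cert.pem" "$now" | tail -n 1)"
    echo "clock 2 days ahead: $(verify_at "$dir/cert.pem" $((now + 172800)) | grep 'error 10')"
    echo "30-day window:      $(expiry_state "$dir/cert.pem" 30)"
    rm -rf "$dir"
}

demo
```

Pointing expiry_state at a real certificate file with a 30-day window makes a simple monitoring check that flags a certificate before error 10 appears.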
How to Fix "certificate has expired" in OpenSSL
- Check the system clock for accuracy:
  date -u
- Inspect the certificate's expiration date:
  openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
- Renew the certificate with Certbot:
  sudo certbot renew
- Restart the web server to load the renewed certificate:
  sudo systemctl restart nginx
How to Verify the Fix
OpenSSL shows a verify return code of 0 and the new notAfter date:
  openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates
Related OpenSSL Errors
- OpenSSL: unable to get local issuer certificate (a chain completeness error, not an expiration error).
- Certbot: Certificate not yet due for renewal (Certbot's default threshold is 30 days before expiry).