SEC_ERROR_EXPIRED_CERTIFICATE

What Does SEC_ERROR_EXPIRED_CERTIFICATE Mean?

SEC_ERROR_EXPIRED_CERTIFICATE is Firefox's specific error message for an expired SSL/TLS certificate. While Chrome displays ERR_CERT_DATE_INVALID, Firefox uses this more descriptive error code that clearly identifies the problem as an expired certificate. The error appears when the current date falls outside the certificate's validity period.

Every SSL certificate has a 'Not Before' and 'Not After' date that defines its validity window. When you visit a website, Firefox checks the certificate's 'Not After' date against your system clock. If the certificate's expiration date has passed, Firefox blocks the connection and displays this error with details about when the certificate expired.

Firefox provides particularly helpful error information, showing the exact certificate details including the issuer, subject, and expiration dates. This makes it easier to diagnose whether the issue is a genuinely expired certificate or a system clock problem. Firefox also displays whether the certificate expired recently or long ago, which helps determine the urgency of the issue.

Common Causes

The most straightforward cause is that the website's SSL certificate has genuinely expired. Certificate administrators may have forgotten to renew, automatic renewal may have failed (common with Let's Encrypt if Certbot is misconfigured or the server is unreachable), or the renewal was completed but the new certificate was not installed on the server.

An incorrect system clock on the user's computer is the second most common cause. Firefox compares the certificate dates against the local system time. If the computer's clock is set to a date after the certificate's expiration (or before its issuance date), this error appears even for valid certificates. Dead CMOS batteries, virtual machine clock drift, and manual time changes can all cause this.

Intermediate certificate expiration can also trigger this error. Even if the server's certificate is valid, an expired intermediate CA certificate in the chain causes the entire chain to be considered invalid. This scenario is particularly tricky because the server administrator may see a valid server certificate but miss that the intermediate has expired. Root certificate store issues on the client side can have similar effects.

Step-by-Step Fix

For Firefox users: Click the 'Advanced' button on the error page to see the certificate details and exact expiration date. First, verify your computer's date and time are correct. On Windows, check Settings > Time & Language. On macOS, check System Preferences > Date & Time. On Linux, run 'timedatectl' to verify. If your clock is correct, the certificate is genuinely expired.

You can add a temporary exception in Firefox by clicking Advanced > Accept the Risk and Continue, but this is not recommended for sensitive websites. To clear Firefox's certificate cache, go to Settings > Privacy & Security > Certificates > View Certificates and check the 'Authorities' and 'Servers' tabs for relevant entries. You can also try clearing Firefox's cache completely.

For website administrators: Immediately renew and install a new certificate. For Let's Encrypt, run: 'certbot renew --force-renewal'. For other CAs, go through their renewal process. After installation, restart your web server and verify with: 'openssl s_client -connect yourdomain.com:443 | openssl x509 -noout -dates'. Set up monitoring to prevent future expirations - use tools like certbot-auto, cron jobs, or monitoring services that alert before expiration.

Related SSL Errors