Wi-Fi networks without internet access (ERROR dnsproxy: exchange failed, tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time)

Some time ago, I have created a few Wi-Fi networks that were working totally fine. I have also set up AdGuard Home. That was working totally fine too. A few days ago, I saw my Wi-Fi networks are working, but I have no access to the internet anymore. I have checked that all disk space on my router was used, so I thought that this may cause an issue somehow. I have checked my router and I spotted that I was never clearing AdGuard Home logs, so I have decided to remove the logs and restart AdGuard Home. While restarting, I have spotted, there is a dnsproxy error all the time:

2025/01/06 21:36:23.515724 [error] dnsproxy: exchange failed upstream=https://dns.google:443/dns-query question=";www.reddit.com.\tIN\t AAAA" duration=34.280154ms err="requesting https://dns.google:443/dns-query: Get \"https://dns.google:443/dns-query?dns=AAABAAABAAAAAAABA3d3dwZyZWRkaXQDY29tAAAcAAEAACkIAAAAgAAAAA\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-06T21:36:23Z is before 2025-01-20T08:37:58Z"
2025/01/06 21:36:23.520765 [error] dnsproxy: exchange failed upstream=https://dns.google:443/dns-query question=";www.youtube.com.\tIN\t AAAA" duration=32.014308ms err="requesting https://dns.google:443/dns-query: Get \"https://dns.google:443/dns-query?dns=AAABAAABAAAAAAABA3d3dwd5b3V0dWJlA2NvbQAAHAABAAApCAAAAIAAAAA\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-06T21:36:23Z is before 2025-01-20T08:37:58Z"
2025/01/06 21:36:23.532646 [error] dnsproxy: exchange failed upstream=https://dns.cloudflare.com:443/dns-query question=";www.reddit.com.\tIN\t AAAA" duration=16.733923ms err="requesting https://dns.cloudflare.com:443/dns-query: Get \"https://dns.cloudflare.com:443/dns-query?dns=AAABAAABAAAAAAABA3d3dwZyZWRkaXQDY29tAAAcAAEAACkIAAAAgAAAAA\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-06T21:36:23Z is before 2025-01-28T23:34:55Z"
2025/01/06 21:36:23.537835 [error] dnsproxy: exchange failed upstream=https://dns.cloudflare.com:443/dns-query question=";www.youtube.com.\tIN\t AAAA" duration=16.881462ms err="requesting https://dns.cloudflare.com:443/dns-query: Get \"https://dns.cloudflare.com:443/dns-query?dns=AAABAAABAAAAAAABA3d3dwd5b3V0dWJlA2NvbQAAHAABAAApCAAAAIAAAAA\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-06T21:36:23Z is before 2025-01-28T23:34:55Z"

I have checked are my DNS addresses I have put in AdGuard Home config are correct, and they are (I have crossed checked with the official website provided by AdGuard). So now I am confused, and I do not know what could change that all my Wi-Fi networks stopped working all in the sodden. I have also checked and when I try wire connection to my router, then I do have the internet, so there is an issue only with the Wi-Fi. Can you please help me with resolving and understating why this could happen?

Below I put all the data I think can be useful. If you need anything else, please let me know in the comments.

Router Model: Banana PI R3

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd90:5d4d:1cd5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '5e:d1:6c:6e:ba:b7'

config device
        option name 'wan'
        option macaddr '5e:d1:6c:6e:ba:b7'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '0'
        option cachesize '1000'
        option port '54'
        list server '192.168.1.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '24'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.1.1'
        list dns 'fd90:5d4d:1cd5::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.2.1'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.3.1'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'kk-private'
        option encryption 'sae'
        option key 'some-password'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '0'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'kk-private-5ghz'
        option encryption 'sae'
        option key 'some-password'
        option ocv '0'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'kk-guest'
        option encryption 'sae'
        option network 'guest'
        option key 'some-password'
        option ocv '0'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'kk-iot'
        option encryption 'psk-mixed'
        option network 'iot'
        option key 'some-password'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'allow-dns-guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'allow-dhcp-guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'allow-dns-iot'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'allow-dhcp-iot'
        list proto 'udp'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'wan'

/etc/adguardhome.yaml

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:53
  session_ttl: 720h
users:
  - name: some-username
    password: some-password
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safe_fs_patterns:
    - /tmp/adguardhome/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29

Okay, so the fix to this issue was pretty simple.
My system time set on the router was incorrect. How to fix this issue:

Check system time and ensure it is correct:|

root@OpenWrt:~# date
Mon Feb  3 18:39:32 CET 2025 // some incorrect date

Then set correct system time

date -s "2025-02-03 12:00:00" // correct date

Restart AdGuard Home:

service adguardhome restart

Or if you have issues with restarting using the service command kill AdGuard process and start AdGuard from directory

cd /usr/bin
./AdGuardHome

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.