SharePoint 2013: A required certificate is not within its validity period

Problem

You are performing a routine check on your farm's Search service crawl history and you discover that incremental crawls are generating increasing errors.  It is a Tuesday.  Reviewing crawl history, you found that beginning at 12:55 PM on Monday, errors began increasing during incremental crawls.  Incremental crawls are configured on your farm to run every 15 minutes, from 4 AM for 16 hours, Mon-Sat. From 11 errors at 12:55 PM, Monday, it went to 21 errors by 7:40 PM that same day.  By Tuesday, 11:11 AM, 40 errors encountered during incremental crawls.  This is a two-tier, two server farm, externally-facing.  SharePoint Server 2013 Enterprise, patched current.  Tumbleweed standard is installed on all farm servers.

Troubleshooting

1. Check Central Administration Problems and Solutions report: found nothing related to crawling or search.
2. Check server event logs: found that beginning at 12:55:32 PM, Monday, the following appears in batches of 5 or so, every 10-15 minutes:

   Log Name:      Application
   Source:        Microsoft-SharePoint Products-SharePoint Foundation
   Date:          Monday 12:55:33 PM
   Event ID:      8311
   Task Category: Topology
   Level:         Error
   Keywords:      
   User:          DOMAIN\spContent
   Computer:      [SharePoint server]
   Description:
   An operation failed because the following certificate has validation errors:
   
   Subject Name: CN=[domain name], OU=[organization], O=[company], L=[city], 
   S=[state], C=[country]
   Issuer Name: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust 
   Network, O=Symantec Corporation, C=[country]
   Thumbprint: [thumbprint]
   
   Errors:
   
    NotTimeValid: A required certificate is not within its validity period 
   when verifying against the current system clock or the timestamp in the 
   signed file.
   .
   Event Xml:
   ...
   

   followed by

   Log Name:      Application
   Source:        Microsoft-SharePoint Products-SharePoint Foundation
   Date:          Monday 12:57:38 PM
   Event ID:      2159
   Task Category: Unified Logging Service
   Level:         Error
   Keywords:      
   User:          DOMAIN\spSearch
   Computer:      [server]
   Description:
   Event 8311 (SharePoint Foundation) of severity 'Error' occurred 15 
   more time(s) and was suppressed in the event log
   Event Xml:
   ...
   

3. Check Site Access: you open a browser and try connecting to the root farm content site.  The connection is successful and the landing page displays without issue.  Checking the URL's certificate status, you find that the certificate is valid and no issues.  Customer access to their content is unaffected.
4. Check Search Index: you perform a simple search and find search results returned as expected.  Customer search capability is not affected.  However, you are aware that new content will not be searchable.
5. Perform Literature Search: searched on event message text and found a number of postings related.  Most postings indicated the current issue involved expired certificates.  However, the certificate in this case was valid and within its date range.
6. Check IIS Server Certificates: you found two certificates for the web server, the one you installed and a new one.  The existing one expired Tuesday, today.  The new one is valid beginning Sunday.  Thus there is overlap between the certificate that expired and the certificate that was newly installed.  You check with the lead sysadmin, who informs you that he installed certificates the Friday previous.
7. Check Crawl History Again: checking crawl history again later, you find that crawl errors began to decrease 2:08 PM the same day, and that by 2:15 PM crawls were completing successfully as they had previously.

Solution

1. Check site access and searchability of existing content: if these are successful then you need not worry about customer site access and searchability of existing content.
2. Do nothing: If after checking certificate expiration, you find that it is valid, it may be that some caching is involved and that it will take awhile for old certificate information to be flushed and new certificate information recognized by Search crawler.

References

• Sharepoint and SSRS report trust relationship ssl/tls secure channel remote certificate is invalid
• IIS: Make sure that your certificates are current
• "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." when installing a program.
• Troubleshooting Certificate Validation Errors
• Tumbleweed Desktop Validator
• Setup SSL in SharePoint 2013
• How to: View Certificates with the MMC Snap-in