When Spark connects to a server, it can use TLS. When that happens, the certificate chain as presented by the server is validated.
A certificate has a time period in which it is valid: can have expired or not be valid yet. Typically, certificate validation should fail if the certificate offered by the server is not valid.
Spark has an option to ignore date/time-type certificate validation, allowing a certificate that is expired (or not valid yet) to be used, assuming that it meets all other validation criteria. This configuration option is currently not working properly: even when enabled, it will still reject a certificate that's not valid.
Note that this bug was obscured by another issue that got recently fixed, most likely SPARK-2185.