SSL Certificate Expired - What Happens and How to Fix It

Your site is showing a scary browser warning. Visitors can't access your pages. You check the error and there it is: "NET::ERR_CERT_DATE_INVALID" or "Your connection is not private." Your SSL certificate has expired.

Don't panic. This is fixable, usually within minutes if you know what to do. Let's walk through it.

What happens when SSL expires

When your SSL certificate passes its expiration date, browsers stop trusting it immediately. Here's what visitors see:

Chrome: A full-page warning with "Your connection is not private" and a big red warning icon. Users have to click through "Advanced" and then "Proceed anyway" to access your site—most won't bother.

Firefox: "Warning: Potential Security Risk Ahead" with technical details about the expired certificate.

Safari: "This Connection Is Not Private" with the option to show details or go back.

The damage isn't just about visitor experience. Here's what else breaks:

  • SEO rankings drop — Google considers HTTPS a ranking factor. An invalid SSL hurts your position.
  • Forms stop working safely — Browsers block password and credit card submissions on insecure pages.
  • API integrations fail — Services calling your endpoints will get certificate errors and fail.
  • Customer trust tanks — Even if visitors click through the warning, they'll think twice about entering any data.
  • Revenue loss — E-commerce sites see immediate drops in conversions.

One day of an expired certificate can cost you significantly more than a year of SSL fees. I've seen businesses lose thousands in sales from a forgotten renewal.

Check if your certificate is actually expired

First, confirm the issue. Visit your site and check the browser error. Then run a quick check with our SSL Checker—it'll tell you exactly when your certificate expired and what needs fixing.

You can also check from the command line:

echo | openssl s_client -connect yoursite.com:443 -servername yoursite.com 2>/dev/null | openssl x509 -noout -dates

This shows your certificate's validity period. If notAfter is in the past, you've confirmed the problem.

How to renew your SSL certificate

The renewal process depends on how you got your certificate in the first place.

Let's Encrypt (certbot)

If you're using Let's Encrypt with certbot, renewal should be automatic, so an expired certificate means something broke in your automation. First, try a manual renewal:

sudo certbot renew

If that works, check why auto-renewal failed:

sudo certbot renew --dry-run

The dry run will show errors without actually changing anything. Common issues:

  • Port 80 blocked — Certbot needs to verify domain ownership via HTTP. Make sure your firewall allows port 80.
  • Wrong webroot — If you moved your site, certbot might be writing challenge files to the wrong directory.
  • DNS issues — If you use DNS validation, your DNS provider credentials might have changed.

Once you've fixed the issue, make sure the renewal timer is running:

sudo systemctl status certbot.timer

Or check your crontab for certbot entries.

cPanel / Plesk hosting

Most managed hosting handles SSL automatically these days. Log into your control panel and look for:

  • cPanel: Security → SSL/TLS Status. Check if AutoSSL is enabled.
  • Plesk: Websites & Domains → SSL/TLS Certificates. Look for Let's Encrypt or your CA.

If auto-renewal is enabled but failed, you might need to revalidate your domain or check that your domain is pointing to the right server.

For cPanel specifically, you can force AutoSSL to run:

  1. Go to SSL/TLS Status
  2. Click "Run AutoSSL"
  3. Wait for it to complete

Commercial CA (DigiCert, Comodo, Sectigo, etc.)

Paid certificates typically require manual renewal:

  1. Log into your CA's dashboard — You should have received renewal emails (check spam).
  2. Generate a new CSR — You'll need a Certificate Signing Request from your server.
  3. Complete domain validation — Usually email, DNS, or file-based.
  4. Download and install — Replace your old certificate files.

The exact steps vary by CA, but they all have documentation. If you're in a hurry and your CA has slow support, consider switching to Let's Encrypt for the short term.

Cloudflare

If you're using Cloudflare's Universal SSL, it should renew automatically. If it expired:

  1. Check that your domain's nameservers are still pointing to Cloudflare
  2. Go to SSL/TLS → Edge Certificates
  3. Look for the Universal SSL status
  4. If there's an issue, try disabling and re-enabling Universal SSL

For Cloudflare Origin certificates (used between Cloudflare and your origin server), you'll need to generate a new one from the dashboard.

Step-by-step emergency fix

Here's the fastest path to getting back online:

Step 1: Confirm the expiry with our SSL Checker.

Step 2: Identify your certificate provider. Check your server config or hosting dashboard.

Step 3: For Let's Encrypt, run sudo certbot renew. For hosting, check your control panel. For commercial CAs, log into their portal.

Step 4: If you can't renew immediately, you have two temporary options:

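  • Disable HTTPS — Not recommended, but if your site is completely down, switching to HTTP temporarily might be better than nothing. Just know this breaks SEO and security, and it won't help visitors whose browsers have cached an HSTS policy for your domain, because those browsers refuse plain HTTP until the policy expires.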
  • Use Cloudflare — Put Cloudflare in front of your site. Their free tier includes SSL and can buy you time while you sort out your origin certificate.

Step 5: After renewal, clear your browser cache and verify with the SSL checker again.

Why did this happen?

Understanding the root cause prevents future headaches:

  • No auto-renewal configured — If you manually installed a certificate, you need to manually renew it. Set up automation.
  • Email went to spam — Renewal reminders from your CA probably went unread. Whitelist their domain.
  • Staff changes — The person who handled SSL left and no one took over the responsibility.
  • Domain ownership changed — If you switched registrars or your WHOIS info changed, validation emails might be going to the wrong place.
  • Server moved — You migrated servers but forgot to set up SSL on the new one.

Preventing future expiry

Here's how to make sure this doesn't happen again:

Set up monitoring

External monitoring tools check your SSL certificate daily and alert you before expiry:

  • Uptime Robot — Free tier includes SSL monitoring
  • StatusCake — Similar to Uptime Robot
  • Pingdom — More features, paid
  • DIY scripts — Check SSL expiry with a cron job and email alerts

At minimum, set calendar reminders 30 days and 7 days before expiry.
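
A minimal version of the DIY cron check mentioned above, as an added example rather than code from the original article: it reads the served certificate's notAfter, applies the 30-day and 7-day thresholds, and reports an already-expired certificate (which fails the TLS handshake) instead of crashing. The function names, status labels and script file name are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS, CRIT_DAYS = 30, 7  # the article's 30-day and 7-day reminder points
CERT_HAS_EXPIRED = 10         # OpenSSL X509_V_ERR_CERT_HAS_EXPIRED


def days_remaining(not_after, now):
    """Whole days until notAfter (negative once the certificate has expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(days):
    if days < 0:
        return "EXPIRED"
    if days <= CRIT_DAYS:
        return "CRITICAL"
    return "WARNING" if days <= WARN_DAYS else "OK"


def check_host(host, port=443, now=None):
    """Return (status, detail) for the certificate the server presents via SNI."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake, so there is no notAfter to read.
        status = "EXPIRED" if exc.verify_code == CERT_HAS_EXPIRED else "INVALID"
        return status, exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    days = days_remaining(not_after, now)
    return classify(days), f"{days} days left (notAfter={not_after})"


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_cert_expiry.py yoursite.com
    problems = 0
    for host in sys.argv[1:]:
        status, detail = check_host(host)
        if status != "OK":
            print(f"{status}: {host}: {detail}")  # cron mails output when MAILTO is set
            problems += 1
    sys.exit(1 if problems else 0)
```

Run it daily from cron; it stays silent and exits 0 while every host is OK, so any mail or non-zero exit means a certificate needs attention.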

Use Let's Encrypt with auto-renewal

If you're not already, switch to Let's Encrypt. It's free, trusted by all browsers, and designed for automatic renewal. Certbot handles everything if configured correctly.

The 90-day certificate lifetime sounds like a hassle, but it's actually a feature: a short lifetime limits how long a stolen key or mis-issued certificate stays usable, and the automation means you never think about it.

Document your SSL setup

Write down:

  • What type of certificate you have
  • Where it was purchased/issued
  • When it expires
  • How to renew it
  • Who's responsible for it

Put this somewhere your team can find it. Future you will thank present you.

Test your automation

At least once a quarter, run:

sudo certbot renew --dry-run

This catches problems before they become emergencies.

Summary

An expired SSL certificate is stressful but fixable. The key steps:

  1. Confirm the issue with an SSL Checker
  2. Identify your certificate provider
  3. Run renewal (certbot, control panel, or CA dashboard)
  4. Set up monitoring to prevent future expiry

If you're currently locked out of your site, focus on getting the renewal done first. You can optimize your setup later. For most hosting environments, this is a five-minute fix once you know where to look.
