SSL certificate expired — what to do right now
// published 2026-04-17
Your SSL certificate expired and users are seeing a scary browser warning. The site looks broken, support tickets are piling up, and search engines are about to drop your rankings. Here's what to do in the order that actually matters.
Confirm the expiry first
Run a quick check before you panic — the "expired" warning can also mean a mis-issued intermediate or a clock problem on the client. Visit the site in a browser, click the lock (or broken lock) icon, and look at the certificate detail. Or just paste the domain into an SSL Checker — it'll report the exact not_after date and the chain state.
If the expiry is truly in the past: fine, we have work to do. If it's a chain error (e.g. missing intermediate), the fix is different — just re-install the full chain bundle and skip to the "deploy" section below.
Issue a new certificate
For most setups, you have one of three paths:
- Let's Encrypt / certbot: run sudo certbot renew. If it fails with a rate-limit error, you've been hammering it — wait an hour and retry, or use the --dry-run flag to debug first.
- Cloud-managed (Cloudflare, AWS ACM, Vercel): the platform auto-renews. If it didn't, something is wrong with your DNS validation — CNAMEs pointing at the wrong target are the most common cause.
- Manual / paid CA: re-submit your CSR to the CA. Keep the same private key so existing HPKP pins (if any) don't break; generate a new CSR if you want a fresh key.
Deploy and validate
Re-installing the cert is half the job — the other half is making sure every server actually serves the new one. Common traps:
- Multiple origins: if you run several web servers behind a load balancer, update each one. Rolling restarts hide stale certs.
- CDN edge caching: Cloudflare, Fastly, CloudFront cache the origin cert. Trigger a cache purge or wait out the TTL.
- Reverse proxies: nginx needs nginx -s reload, Apache needs apachectl -k graceful. A full restart is fine too.
- Full chain: the server must send the leaf + all intermediates. Browsers won't fetch missing intermediates on their own (mobile browsers especially).
After you deploy: retest with the SSL Checker. You want status = ok, valid chain, and days_left > 30. For reference, here's what a healthy cert profile looks like — /d/google.com — full chain, TLS 1.3, forward secrecy, ~80 days left.
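If you'd rather script the retest than click through a checker, here is an added example (not part of this article, and not the SSL Checker's own code) that needs only openssl: it fetches the chain one specific origin sends, counts the certificates, verifies the leaf using only the intermediates that origin sent, and computes days_left. The host name, the origin IP 203.0.113.10 and the file names are placeholders.

```bash
#!/usr/bin/env bash
# Post-deploy check for the "Deploy and validate" step: fetch what one origin really sends,
# then judge it. Added example, not from the original article; needs only openssl.

# fetch_chain HOST OUTFILE [IP]: save the PEM chain the server sends (leaf first). Passing IP
# pins the connection to one origin behind a load balancer while SNI still carries HOST.
fetch_chain() {
  local host=$1 out=$2 ip=${3:-$1}
  openssl s_client -connect "$ip:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$out"
}

# count_certs FILE: number of certificates sent; 1 means the leaf alone, intermediates missing.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_chain FILE [CAFILE]: can the leaf (first cert) be chained to a trusted root using only
# the intermediates the server itself sent? CAFILE replaces the system store (used by tests).
verify_chain() {
  local file=$1 leaf rc=1
  leaf=$(mktemp)
  openssl x509 -in "$file" -out "$leaf"          # x509 reads only the first cert in the file
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$file" "$leaf" >/dev/null 2>&1 && rc=0
  else
    openssl verify -untrusted "$file" "$leaf" >/dev/null 2>&1 && rc=0
  fi
  rm -f "$leaf"
  return $rc
}

# days_left FILE: whole days until the leaf expires (0 if already expired, capped at 1825).
# Uses openssl's own -checkend clock instead of date(1), so GNU and BSD systems agree.
days_left() {
  local file=$1 lo=0 hi=1825 mid
  openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
  while [ "$lo" -lt "$hi" ]; do                   # binary search: largest d still valid
    mid=$(( (lo + hi + 1) / 2 ))
    if openssl x509 -in "$file" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$lo"
}

# Usage against a live host (placeholders, not run here): fetch_chain example.com chain.pem 203.0.113.10
# then: count_certs chain.pem; verify_chain chain.pem; days_left chain.pem  (want >= 2, ok, > 30)
```

Run it once per origin IP rather than once per hostname, otherwise the load balancer decides which server you tested.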
Prevent the next expiry
90-day Let's Encrypt certs are a feature, not a bug — they force automation. If yours expired, your renewal automation is broken. Root cause is almost always one of:
- Cron job disabled or running as the wrong user
- Domain validation (HTTP-01 or DNS-01) failing silently
- Email notifications ignored or going to spam
Set up alerts that fire before the cert expires, not after. Save your domain in DomBrains and we'll warn you at 60, 30, 14, 7 and 1 days before — by email, so you can't miss it.