My SSL Certificate Has Expired
How to fix an expired SSL certificate and prevent it from happening again.
An expired SSL certificate is one of the most visible failures you can have. Visitors see a full-screen browser warning telling them your site is dangerous, and most of them will leave immediately.
What Visitors See
When your certificate expires, browsers display a warning page like "Your connection is not private" (Chrome) or "Warning: Potential Security Risk Ahead" (Firefox). Visitors must actively click through multiple warnings to reach your site — almost none of them will.
Search engines also penalize expired certificates. Google will drop your rankings quickly if HTTPS is broken.
Emergency Fix: Renew with Let's Encrypt
If you use Let's Encrypt (the most common free certificate), renewal is straightforward.
Check current certificate status:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
Renew immediately with certbot:
sudo certbot renew --force-renewal
If certbot isn't renewing a specific domain:
sudo certbot certonly --nginx -d example.com -d www.example.com
Tip: If you use Apache instead of nginx, replace --nginx with --apache.
Restart your web server after renewal:
sudo systemctl reload nginx
# or
sudo systemctl reload apache2
Verify the new certificate:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject
Paid Certificate Renewal
If you use a paid certificate (DigiCert, Sectigo, GlobalSign), the process involves:
- Generate a new CSR on your server:
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
- Submit the CSR to your certificate provider through their dashboard
- Complete domain validation (usually via DNS record or email)
- Download the new certificate and install it
- Update your web server config to point to the new cert files:
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
- Reload the web server:
sudo systemctl reload nginx
Set Up Auto-Renewal to Prevent Recurrence
The best way to handle SSL expiration is to never let it happen.
Verify certbot auto-renewal is active:
sudo systemctl status certbot.timer
Test that auto-renewal works:
sudo certbot renew --dry-run
If the timer isn't active, enable it:
sudo systemctl enable --now certbot.timer
Or set up a cron job as a fallback:
sudo crontab -e
Add this line:
0 3 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
This attempts renewal every day at 3 AM. Certbot only renews certificates within 30 days of expiration, so running it daily is safe.
Warning: Auto-renewal can silently fail if your server's HTTP-01 challenge port (80) is blocked, or if your DNS has changed. Check renewal logs periodically at /var/log/letsencrypt/letsencrypt.log.
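A scheduled expiry check catches a silently failed renewal before visitors do. The script below is an added example, not part of the original article: it reads the notAfter date with the same openssl pipeline used above and classifies it, assuming thresholds of 30 days (warning) and 7 days (critical) and GNU date; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): expiry check for cron or monitoring.
# Assumed thresholds: WARNING at 30 days left, CRITICAL at 7. Requires GNU date.
WARN_DAYS=30
CRIT_DAYS=7

# cert_secs_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is openssl's "notAfter=Jan 21 12:00:00 2025 GMT" line (prefix optional).
# Prints seconds until expiry; fails on empty or unparseable input.
cert_secs_left() {
    not_after=${1#notAfter=}
    [ -n "$not_after" ] || return 1   # GNU date would read "" as today 00:00
    now=${2:-$(date -u +%s)}
    expiry=$(date -u -d "$not_after" +%s 2>/dev/null) || return 1
    echo $((expiry - now))
}

# classify_expiry NOT_AFTER [NOW_EPOCH] -> OK | WARNING | CRITICAL | EXPIRED | UNKNOWN
classify_expiry() {
    secs=$(cert_secs_left "$@") || { echo UNKNOWN; return 0; }
    if [ "$secs" -le 0 ]; then
        echo EXPIRED
    elif [ "$secs" -le $((CRIT_DAYS * 86400)) ]; then
        echo CRITICAL
    elif [ "$secs" -le $((WARN_DAYS * 86400)) ]; then
        echo WARNING
    else
        echo OK
    fi
}

# check_host HOST: fetch the live certificate, then classify it.
# Exit status: 0 OK, 1 WARNING, 2 CRITICAL, EXPIRED or UNKNOWN.
check_host() {
    line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || line=""
    state=$(classify_expiry "$line")
    echo "$1: $state (${line:-no certificate retrieved})"
    case $state in
        OK) return 0 ;;
        WARNING) return 1 ;;
        *) return 2 ;;
    esac
}

# Live check only when a hostname is given, e.g.: sh check_cert.sh example.com
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```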
Common Renewal Failures
"Challenge failed" error:
- Port 80 must be accessible from the internet (even for HTTPS-only sites)
- Check that your firewall allows inbound traffic on port 80
- Verify DNS still points to the correct server
"Too many certificates" error:
- Let's Encrypt has rate limits: 50 certificates per registered domain per week
- If you hit this, wait or use a different subdomain structure
Permission errors:
- Certbot needs root access. Always run with sudo
- Check that your web server user can read the certificate files
How SiteWatch Alerts You Before Expiration
SiteWatch monitors SSL certificate expiration dates and alerts you well before they expire:
- 30-day warning gives you plenty of time to investigate why auto-renewal might be failing
- 7-day critical alert for certificates that still haven't been renewed
- Daily checks catch newly broken certificates quickly
- Portfolio view shows SSL status across all your client sites at once
Don't let an expired certificate be the reason a client calls you in a panic.