What that browser warning actually means
When a visitor sees "Your connection is not private" — or the equivalent in their browser — it means their browser attempted to establish a secure HTTPS connection to your site and the SSL certificate presented by your server failed one or more validation checks.
The most common cause is an expired certificate: the validity period printed on the certificate has passed, so the browser refuses to trust it. But the same warning can appear for other reasons: the certificate does not cover the domain being visited, the certificate chain is incomplete, or the certificate was issued by an authority the browser does not recognise.
From the visitor's perspective, the warning is unambiguous and alarming. Chrome shows a large red lock icon, the text "Your connection is not private," and a sub-message that says attackers might be trying to steal your passwords or payment information. A small "Advanced" link lets users proceed anyway, but the vast majority do not click it. They leave.
Your server is running. Your content is accessible. But for practical purposes, your site is offline.
Why SSL certificates expire (and why auto-renew is not enough)
SSL certificates have a finite validity period by design. It is a security measure: regular renewal forces certificate authorities to re-verify domain ownership and gives the industry a mechanism to retire compromised cryptographic standards. Let's Encrypt certificates expire after 90 days. Paid certificates from commercial CAs typically last 1 year (longer validity periods were phased out by browsers in 2020).
Auto-renewal exists precisely because manual renewal every 90 days is error-prone at scale. Tools like Certbot and hosting provider automation handle the renewal process silently. When it works, you never think about SSL.
The problem is that auto-renewal fails more often than people expect, and it fails silently. There is no visible error. Your site keeps running on the existing certificate until it expires — and then the warning appears for every visitor simultaneously.
Common auto-renewal failure modes
- DNS changes break validation — Certificate authorities validate your domain ownership during renewal by checking a DNS record or serving a file from your domain. If your DNS records changed since the original certificate was issued (new hosting, CDN, or nameservers), validation fails.
- Firewall blocking validation requests — Some security configurations block requests from Let's Encrypt's validation servers. The renewal attempt fails silently.
- Web server configuration changes — Certbot typically serves a validation file at /.well-known/acme-challenge/. If your server configuration redirects or blocks this path, validation fails.
- Rate limits — Let's Encrypt limits certificate issuance to 50 per registered domain per week. If you manage multiple subdomains or run renewals frequently (development environments, testing), you can hit this limit and legitimate renewal attempts are rejected.
- Hosting provider failures — Managed hosting platforms handle SSL renewal themselves. Their automation is software, and software has bugs. Platform updates can break renewal for affected accounts silently.
- New certificate installed but not deployed — Renewal can succeed — a new certificate is generated — but the web server still uses the old one because it was not reloaded. If the reload or deployment step failed, the new certificate is never served, and the old one expires while still in use.
For a deeper dive into each failure mode, see our post on SSL certificate monitoring and why auto-renew is not enough.
How to check if your SSL certificate is expired right now
If you are not sure whether your certificate is expired or about to expire:
- Open your website in Chrome or Firefox
- Click the padlock icon in the address bar (or the "Not secure" warning if SSL is broken)
- Click "Connection is secure" or "Certificate is valid"
- Look for the "Valid from" and "Expires on" dates
If the "Expires on" date has passed, the certificate is expired. If it is within 14 days, you need to renew it urgently.
You can also check from the command line if you have terminal access:
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
This shows notBefore and notAfter dates for the current certificate.
How to fix an expired SSL certificate
Fix 1 — cPanel AutoSSL (fastest for shared hosting)
If your hosting uses cPanel (most shared and managed hosting does), this is the fastest fix:
- Log into your hosting account's cPanel
- Scroll to the "Security" section and click SSL/TLS Status
- Find your domain in the list — expired certificates show in red
- Click Run AutoSSL at the top of the page
- Wait 2 to 5 minutes for the process to complete
- Reload your website — the warning should be gone
If AutoSSL fails, the error message in cPanel tells you why. Common failure reasons are "domain has CAA records that exclude Let's Encrypt" (check your DNS for CAA records) and "domain validation failed" (usually a DNS or server configuration issue).
Fix 2 — Certbot renewal on a VPS or dedicated server
If you manage your own server with Certbot installed:
# Test renewal first (dry run)
sudo certbot renew --dry-run
# If the dry run succeeds, run the actual renewal
sudo certbot renew
# Reload your web server to use the new certificate
sudo systemctl reload nginx
# or
sudo systemctl reload apache2
If Certbot renewal fails, run sudo certbot renew --debug or check /var/log/letsencrypt/letsencrypt.log for detailed error information.
Common Certbot errors and fixes:
- "Failed to connect to host" — Your firewall is blocking the ACME validation request. Allow HTTP (port 80) from 0.0.0.0/0 temporarily during renewal.
- "dns-01 challenge error" — DNS validation is failing. Switch to HTTP validation or fix your DNS configuration.
- "too many certificates already issued" — You have hit the rate limit. Wait a week or use a different subdomain configuration.
Fix 3 — Cloudflare SSL (if your DNS is managed by Cloudflare)
If your domain uses Cloudflare for DNS:
- Log into your Cloudflare dashboard
- Select your domain
- Go to SSL/TLS > Overview
- Ensure the SSL/TLS encryption mode is set to "Full" or "Full (strict)" — not "Flexible"
- Check the Edge Certificates tab — Cloudflare's Universal SSL should auto-renew
- If the certificate shows as expired, click "Disable Universal SSL" and then re-enable it to force a fresh certificate
Note: if you use Cloudflare's proxy (orange cloud icon), visitors connect to Cloudflare's servers, not yours directly. Cloudflare manages the certificate visitors see. You still need a valid certificate on your origin server if you use "Full (strict)" mode.
Fix 4 — Purchase and install a new certificate manually
If all automated options fail and your site is down right now, you can purchase and install a certificate manually. Most certificate providers (Sectigo, DigiCert, Let's Encrypt via ZeroSSL's web interface) can issue a certificate within minutes.
- Generate a Certificate Signing Request (CSR) in cPanel under SSL/TLS > Generate an SSL Certificate and Signing Request
- Submit the CSR to your chosen certificate authority and complete domain validation
- Download the issued certificate (usually a .crt file plus an intermediate chain file)
- In cPanel, go to SSL/TLS > Install and Manage SSL for your Site (HTTPS)
- Paste the certificate, private key, and certificate chain into the form and click Install Certificate
How to prevent your SSL certificate from expiring again
Fixing an expired certificate is straightforward. Preventing it from happening again requires a different approach: proactive monitoring with advance alerts.
Set up SSL certificate monitoring with expiry alerts
SSL certificate monitoring checks your certificate daily and sends you an alert at configurable thresholds before expiry — typically 30 days, 14 days, 7 days, and 1 day. This gives you multiple opportunities to address a renewal failure before the certificate expires and visitors see warnings.
The 30-day alert is your comfortable warning — plenty of time to diagnose and fix any renewal issues without urgency. The 7-day alert means something has gone wrong with your normal renewal process and you need to act now. The 1-day alert is an emergency.
Without monitoring, you only find out about a certificate expiry when a visitor tells you — typically hours or days after it has already started affecting users.
Uptrue monitors your SSL certificate daily, checks certificate chain validity and domain matching, and sends configurable alerts before expiry. Set it up once and never be caught off guard by an expired certificate again.
Monitor all your domains, not just the main one
Many websites have multiple SSL-protected domains: the main domain, www subdomain, API subdomain, staging environment, and any custom domains for SaaS customers or white-label products. Each has its own certificate and its own renewal process.
Set up a separate SSL monitor for each domain. A certificate expiry on your API subdomain might not affect your main website but will break every application that calls your API.
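A minimal version of the daily check described above, as an added example rather than code from the original article or from any monitoring product: it validates chain and hostname during the handshake, then maps the days left until notAfter onto the 30/14/7/1-day thresholds. The host names in the list are hypothetical placeholders.

```python
import socket
import ssl
import time

# Alert thresholds in days, taken from the article (30, 14, 7, 1).
THRESHOLDS = (30, 14, 7, 1)


def days_remaining(not_after, now=None):
    """Whole days until the notAfter timestamp (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def alert_level(days):
    """Return the tightest threshold reached, 'expired', or None."""
    if days < 0:
        return "expired"
    hit = [t for t in THRESHOLDS if days <= t]
    return min(hit) if hit else None


def check_host(host, port=443, timeout=10):
    """Handshake with full validation (chain + hostname), then read notAfter."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_remaining(tls.getpeercert()["notAfter"])
                return {"host": host, "days": days, "alert": alert_level(days)}
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname, or incomplete chain all land here.
        return {"host": host, "days": None,
                "alert": "invalid: " + exc.verify_message}
    except OSError as exc:
        return {"host": host, "days": None, "alert": "unreachable: %s" % exc}


if __name__ == "__main__":
    # Hypothetical host list: one entry per certificate you serve.
    for name in ("example.com", "www.example.com", "api.example.com"):
        print(check_host(name))
```

Run it from cron or a systemd timer on a machine other than the web server, so that a firewall or DNS problem visible to outside visitors also shows up in the check.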
Verify your renewal automation is working, not just set up
If you use Certbot, verify the renewal cron job or systemd timer is active and running correctly:
# Check if the Certbot renewal timer is active
sudo systemctl status certbot.timer
# Check when it last ran
sudo systemctl status certbot.service
# View recent renewal logs
sudo tail -n 50 /var/log/letsencrypt/letsencrypt.log
Run a dry-run renewal test every few months to confirm the automation is still working. If your server configuration has changed since you last renewed, the dry run will reveal the problem before the certificate expires.
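To catch the "renewed but not deployed" failure mode, compare the certificate on disk with the one the server actually presents. This is an added example, not part of the original article; the host name is hypothetical and the path assumes Certbot's default /etc/letsencrypt/live/ layout.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in fullchain.pem)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM data")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=10):
    """SHA-256 of the certificate the server presents on the wire."""
    ctx = ssl.create_default_context()
    # Validation is off on purpose: the fingerprint is needed even when the
    # served certificate is already expired. No application data is sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def is_deployed(pem_text, served_fp):
    """True when the certificate on disk is the one being served."""
    return leaf_fingerprint_from_pem(pem_text) == served_fp


if __name__ == "__main__":
    host = "example.com"  # hypothetical host name
    # Assumed path: Certbot's default live directory for this host.
    path = "/etc/letsencrypt/live/%s/fullchain.pem" % host
    with open(path) as fh:
        ok = is_deployed(fh.read(), served_fingerprint(host))
    print("deployed" if ok else "renewed on disk but not served: reload the web server")
```

A mismatch right after a successful renewal means the reload step did not run or did not take effect.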
SSL expiry and its impact on SEO
Beyond the immediate impact of visitors seeing warnings and leaving, an expired SSL certificate can have lasting SEO consequences.
Google crawls your site regularly. If Googlebot visits during a period when your certificate is expired, it may deindex affected pages or reduce their ranking — an HTTPS error signals to Google that the page is not secure and may not be serving users well. Google Search Console will report SSL errors under Coverage if Googlebot encounters them.
Backlinks from other sites pointing to your HTTPS URLs will fail to load for visitors clicking through during the outage, which can affect referral traffic and indirectly signal to Google that your site has reliability problems.
The SEO recovery after fixing an SSL expiry is typically fast — Google recrawls and reindexes quickly — but the interim period of reduced visibility and any visitors who bounced and never returned represent permanent revenue loss.
When the certificate is valid but visitors still see warnings
If your certificate is valid and not expired, but visitors still see SSL warnings, there are several other possible causes:
- Mixed content — Your HTTPS page loads some resources (images, scripts, CSS) over HTTP. Browsers block mixed content. See our post on WordPress mixed content errors for how to fix this on WordPress sites.
- Certificate does not cover the domain — A certificate for example.com does not automatically cover www.example.com. Your certificate must explicitly include both versions, typically as a SAN (Subject Alternative Name).
- Broken certificate chain — The intermediate certificate linking your certificate to the trusted root is missing. Most SSL installation tools handle this automatically, but manual installations sometimes miss the intermediate bundle.
- Outdated TLS version — Some browsers warn about sites using TLS 1.0 or 1.1, which are deprecated. Ensure your server is configured to use TLS 1.2 minimum, with TLS 1.3 preferred.
Frequently asked questions
What does "Your connection is not private" mean?
This browser error (NET::ERR_CERT_DATE_INVALID or a similar code) means your SSL certificate has expired, is invalid, or does not match the domain being served. The browser is refusing to establish a secure HTTPS connection because it cannot verify the site's identity. Visitors see a full-page warning with a red padlock and discouraging language. Most visitors will not click through — they will leave and not return. Fix the SSL certificate to resolve the warning. The error disappears immediately once a valid certificate is installed.
How do I renew an SSL certificate for free?
The most common way is through Let's Encrypt, which provides free 90-day SSL certificates. If your hosting uses cPanel, go to cPanel > SSL/TLS Status and run AutoSSL — this provisions or renews Let's Encrypt certificates for your domain automatically. If your hosting uses Certbot directly, run "certbot renew" on your server. For Cloudflare-managed domains, enable Cloudflare's free SSL under SSL/TLS settings. For custom certificate providers, log into your certificate provider account and follow their renewal process — paid certificates typically renew annually.
Why does my SSL certificate keep expiring even with auto-renew enabled?
Auto-renew can fail for several reasons: DNS records have changed and domain validation fails, a firewall blocks the validation request from the certificate authority, the web server configuration changed and the validation file path is no longer accessible, the hosting provider's automation has a bug, or for paid certificates, the credit card on file expired. From your perspective the renewal process appears to be working, right up until the old certificate expires and visitors start seeing warnings. SSL monitoring with advance expiry alerts is the only reliable way to catch auto-renew failures before they affect visitors.
How long does it take for a new SSL certificate to take effect?
A new SSL certificate takes effect almost immediately after installation — usually within seconds to a few minutes. There is no propagation delay comparable to DNS changes. Once the certificate is installed and the web server is reloaded or restarted, the new certificate is served to all new connections. Existing connections that were established before the certificate update are not affected. Browser caches do not affect certificate loading — the browser checks the current certificate on every visit.
Can I get SSL warnings even if my certificate has not expired?
Yes. SSL warnings can appear for reasons other than expiry: the certificate does not cover the domain being served (e.g., a certificate for example.com does not automatically cover www.example.com or api.example.com), the certificate chain is broken or incomplete, the certificate authority is not trusted by the browser (rare, but can happen with obscure or self-signed certificates), the server is using an outdated TLS version, or there are mixed content errors — HTTPS pages loading some resources over HTTP. SSL monitoring that checks chain validity, domain matching, and TLS version catches all of these cases, not just expiry.