How to Fix an Expired SSL Certificate (Step-by-Step Guide)

Visitors are seeing 'Your connection is not private' and traffic is dropping. Here's the fastest path to a fixed, renewed certificate — and how to make sure it never expires unnoticed again.

Published July 2026 · 9 min read · ToolsNovaHub Editorial Team

An expired SSL certificate is one of the most disruptive, entirely preventable outages a website can have — browsers block access outright, search engines may flag the site, and every visitor sees a scary warning screen. The good news: it's almost always fixable within minutes once you know where to look.

Step 1: Confirm It's Actually Expired

Before touching any configuration, verify the actual expiry date rather than trusting the browser error message alone — sometimes the real issue is a misconfigured intermediate certificate, not expiry. Run your domain through our SSL Certificate Checker to see the exact Not After date and days remaining pulled from Certificate Transparency logs.

If "Days Remaining" shows a negative number, the certificate is confirmed expired. If it shows positive days but browsers still complain, the issue is likely a different one — wrong certificate installed, missing intermediate chain, or hostname mismatch.
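Added example (not ToolsNovaHub's code): a Python check that handshakes with the server and uses OpenSSL's verification codes to separate the causes Step 1 lists, namely expiry, a missing intermediate chain, and a hostname mismatch. The function names and the 30-day warning threshold are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verification error codes (x509_vfy.h) mapped to the causes Step 1 separates.
CAUSES = {
    9: "not yet valid: check the certificate start date and the client clock",
    10: "expired: renew or reissue the certificate",
    18: "self-signed: wrong certificate installed",
    19: "untrusted root in chain: wrong chain installed",
    20: "missing intermediate: install the full chain",
    21: "missing intermediate: install the full chain",
    62: "hostname mismatch: certificate does not cover this name",
}

def diagnose(verify_code):
    """Translate an SSLCertVerificationError.verify_code into a likely cause."""
    return CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def days_remaining(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Jul  1 12:00:00 2026 GMT'."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def check_served_cert(host, port=443, warn_days=30, timeout=5):
    """Handshake with full verification and report on the certificate actually served."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                left = days_remaining(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as err:
        return ("FAIL", diagnose(err.verify_code))
    return ("WARN" if left < warn_days else "OK", f"{left} days remaining")

if __name__ == "__main__":
    # Constructed sample values; call check_served_cert("your-domain") for a live check.
    sample_now = datetime(2026, 6, 1, 12, tzinfo=timezone.utc)
    print(diagnose(20))
    print(days_remaining("Jul  1 12:00:00 2026 GMT", sample_now))
```

A `FAIL` result that does not start with "expired" means renewal alone will not clear the browser warning.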

Why Certificates Expire Unexpectedly

  • Automated renewal silently failed. Certbot or ACME clients depend on a cron job or systemd timer actually running — server reboots, permission changes, or DNS provider API changes can break it quietly for months.
  • Manual renewal was forgotten. Commercial certificates (1-year validity) require someone to remember and act — no built-in reminder unless you set one up separately.
  • DNS-01 challenge failing. If your renewal method validates via DNS TXT record and your DNS provider's API credentials expired or changed, renewal fails silently.
  • Load balancer / CDN certificate mismatch. The certificate might have renewed on the origin server but never propagated to a CDN edge or load balancer sitting in front of it.

Step-by-Step Fix

1. Identify Your Issuer

Check the expired certificate's issuer (visible in browser certificate details or via our checker) — Let's Encrypt, ZeroSSL, or a commercial CA. The renewal path differs for each.

2. Let's Encrypt / Certbot: Force Renewal

SSH into the server and run certbot renew --force-renewal, then check the certbot logs for the actual failure reason if it errors again.

3. Commercial CA: Reissue via Dashboard

Log into your CA's control panel, generate a new CSR if required, complete domain validation again, and download the reissued certificate bundle.

4. Install the New Certificate

Upload the new certificate and full chain to your web server (Nginx, Apache) or your CDN/load balancer's SSL settings, then restart or reload the web server process.

5. Verify From Multiple Vantage Points

Re-check with our SSL Certificate Checker, and load the site in an incognito browser window (to bypass any local cert caching) to confirm the fix took effect everywhere.

Preventing Future Expiry

  • Verify the Renewal Cron Actually Runs. Don't just assume Certbot's installer set up the timer correctly — manually check systemctl status certbot.timer or your crontab.
  • Set Up Expiry Monitoring. Use an uptime/monitoring service that specifically alerts on certificate expiry, separate from general uptime checks — a site can be "up" over HTTP while HTTPS is broken.
  • Calendar Reminder for Manual Certs. If using a commercial CA without auto-renewal, set a calendar reminder 30 days before expiry, not the week of.
  • Test Renewal in Dry-Run Mode. Certbot supports certbot renew --dry-run — run this periodically to catch a broken renewal path before it actually matters.

Common Mistakes

People often renew the certificate but forget to reload the web server process, meaning it keeps serving the old expired certificate from memory. Others renew on the origin server but forget a CDN or load balancer in front has its own separate certificate slot that also needs updating. Always verify from an external, cache-free vantage point after any fix.
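Added example (not ToolsNovaHub's code): a Python audit that compares the renewed certificate on disk with what each endpoint serves, which catches both mistakes above (a web server that was never reloaded and a CDN or load balancer still holding the old certificate). The function names and endpoint labels are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

END = "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file such as a full-chain bundle."""
    leaf = pem_text.strip().split(END)[0] + END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def served_der(address, sni, port=443, timeout=5):
    """Fetch the certificate an endpoint serves for the name `sni`.

    Verification is disabled only so that an expired certificate can still
    be read; no application data is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def not_serving_renewed(served, expected_fp):
    """served maps a label to the DER bytes it returned; list labels on a different certificate."""
    return sorted(label for label, der in served.items()
                  if hashlib.sha256(der).hexdigest() != expected_fp)

def audit(renewed_pem, sni, endpoints):
    """endpoints maps a label to an address: origin IP, load balancer address, public hostname."""
    served = {label: served_der(addr, sni) for label, addr in endpoints.items()}
    return not_serving_renewed(served, leaf_fingerprint(renewed_pem))
```

An endpoint listed by `audit` is either still serving the old certificate or uses its own separately managed one, so check its expiry on its own.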

FAQs

Why did my SSL certificate expire without warning?
Most likely an automated renewal (like Certbot) silently failed — often due to a broken cron job, changed DNS API credentials, or a permission issue — and no separate expiry monitoring was in place to catch it.

How quickly can I fix an expired SSL certificate?
If you use Let's Encrypt/Certbot, often within minutes via a forced renewal command. Commercial CA reissuance can take longer if domain re-validation is required.

Will my website be down while I fix the certificate?
HTTPS access will be blocked by browsers until fixed, but the fix itself (renewal + reload) typically takes just a few minutes once you've diagnosed the cause.

Do I need a new CSR to renew an expired certificate?
For Let's Encrypt/ACME, no — renewal is automatic and doesn't need a new CSR. For most commercial CAs, you can often reuse the same CSR unless your key was rotated or details changed.

How do I check exactly when my certificate expires?
Use our free SSL Certificate Checker, which reads live Certificate Transparency log data and shows the exact Not After date and days remaining.

Can an expired certificate hurt my SEO?
Indirectly, yes — Google may deprioritize a site that's inaccessible or flagged insecure, and organic traffic will drop sharply regardless since most visitors won't click through browser warnings.

What's the difference between certificate expired and certificate not trusted?
Expired means the validity period has passed. Not trusted usually means a chain issue, self-signed certificate, or the issuing CA isn't in the browser's trust store — a different problem requiring a different fix.

Why does my certificate show valid on the server but expired in the browser?
Often a CDN or load balancer in front of your origin server has its own separate, outdated certificate that never got updated even though the origin's did.

How long should I set my certificate validity period?
You generally can't choose — most CAs now cap validity at 90–398 days by industry policy. Shorter lifespans (like Let's Encrypt's 90 days) actually reduce risk exposure if a key is ever compromised.

Can I renew a certificate before it expires?
Yes, and you should — Certbot renews automatically around 30 days before expiry by default, well ahead of the deadline, rather than waiting until the last moment.

What happens if I ignore an expired certificate?
Visitors are blocked by a full-page browser warning by default, most will leave rather than click through, and any API integrations or automated services calling your site over HTTPS will likely fail outright.

Is there a way to get alerted before expiry happens?
Yes — most uptime monitoring services (UptimeRobot, Pingdom, and others) offer a dedicated SSL expiry check separate from basic HTTP uptime monitoring.

Do wildcard certificates expire the same way as regular ones?
Yes, wildcard certificates follow the same validity period rules as standard certificates and require the same renewal diligence, just covering more hostnames at once.

Can I use a free certificate as a permanent fix, not just an emergency patch?
Absolutely. Let's Encrypt certificates are production-grade and used by a large share of the web — the main requirement is reliable automated renewal, which is well worth setting up properly once.

Should I switch Certificate Authorities after an expiry incident?
Not necessarily — the CA usually isn't at fault. The root cause is almost always a broken renewal process on your side, which switching providers won't fix unless you also fix the automation.