How to Fix an Expired SSL Certificate (Step-by-Step Guide)
Visitors are seeing 'Your connection is not private' and traffic is dropping. Here's the fastest path to a fixed, renewed certificate — and how to make sure it never expires unnoticed again.
Step 1: Confirm It's Actually Expired
Before touching any configuration, verify the actual expiry date rather than trusting the browser error message alone — sometimes the real issue is a misconfigured intermediate certificate, not expiry. Run your domain through our SSL Certificate Checker to see the exact Not After date and days remaining pulled from Certificate Transparency logs.
If "Days Remaining" shows a negative number, the certificate is confirmed expired. If it shows positive days but browsers still complain, the issue is likely a different one — wrong certificate installed, missing intermediate chain, or hostname mismatch.
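The distinction drawn above can also be checked directly from a shell. The following Python script is an added example, not part of the original guide or its checker: it performs a normally verified TLS handshake and maps OpenSSL's verify error code to expired, missing intermediate, or hostname mismatch. The function names (classify, days_remaining, diagnose) are assumptions made for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* verify codes mapped to the failure modes from Step 1.
CAUSES = {
    10: "expired",               # certificate has expired
    9: "not-yet-valid",          # notBefore is in the future (or local clock skew)
    20: "missing-intermediate",  # unable to get local issuer certificate
    21: "missing-intermediate",  # unable to verify the first certificate
    18: "self-signed",           # self-signed leaf certificate
    19: "self-signed",           # self-signed certificate in chain
    62: "hostname-mismatch",     # certificate does not cover the requested name
}

def classify(verify_code):
    """Translate an OpenSSL verify code into a short cause label."""
    return CAUSES.get(verify_code, "other-verify-error")

def days_remaining(not_after, now=None):
    """Whole days until notAfter (getpeercert() format); negative once expired."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def diagnose(host, port=443, timeout=5.0):
    """Handshake with default verification and report why it fails, if it does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return {"status": "valid", "not_after": not_after,
                        "days_remaining": days_remaining(not_after)}
    except ssl.SSLCertVerificationError as exc:
        # verify_code / verify_message come from OpenSSL's chain validation.
        return {"status": classify(exc.verify_code), "detail": exc.verify_message}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # usage: python script.py example.com
        print(name, diagnose(name))
```

Because the handshake terminates wherever the hostname resolves, a site behind a CDN or load balancer reports the edge certificate, not the one on the origin server.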
Why Certificates Expire Unexpectedly
- Automated renewal silently failed. Certbot or ACME clients depend on a cron job or systemd timer actually running — server reboots, permission changes, or DNS provider API changes can break it quietly for months.
- Manual renewal was forgotten. Commercial certificates (1-year validity) require someone to remember and act — no built-in reminder unless you set one up separately.
- DNS-01 challenge failing. If your renewal method validates via DNS TXT record and your DNS provider's API credentials expired or changed, renewal fails silently.
- Load balancer / CDN certificate mismatch. The certificate might have renewed on the origin server but never propagated to a CDN edge or load balancer sitting in front of it.
Step-by-Step Fix
Identify Your Issuer
Check the expired certificate's issuer (visible in browser certificate details or via our checker) — Let's Encrypt, ZeroSSL, or a commercial CA. The renewal path differs for each.
Let's Encrypt / Certbot: Force Renewal
SSH into the server and run certbot renew --force-renewal, then check the certbot logs for the actual failure reason if it errors again.
Commercial CA: Reissue via Dashboard
Log into your CA's control panel, generate a new CSR if required, complete domain validation again, and download the reissued certificate bundle.
Install the New Certificate
Upload the new certificate and full chain to your web server (Nginx, Apache) or your CDN/load balancer's SSL settings, then restart or reload the web server process.
Verify From Multiple Vantage Points
Re-check with our SSL Certificate Checker, and load the site in an incognito browser window (to bypass any local cert caching) to confirm the fix took effect everywhere.
Preventing Future Expiry
- systemctl status certbot.timer or your crontab.
- certbot renew --dry-run — run this periodically to catch a broken renewal path before it actually matters.
Common Mistakes
People often renew the certificate but forget to reload the web server process, meaning it keeps serving the old expired certificate from memory. Others renew on the origin server but forget a CDN or load balancer in front has its own separate certificate slot that also needs updating. Always verify from an external, cache-free vantage point after any fix.