Fixing an Expired SSL Certificate

Fix an expired SSL certificate by renewing it, checking DNS, Certbot, AutoSSL, CAA records, web server reloads and renewal monitoring.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 9 min read | Intermediate

Introduction

An expired SSL certificate means the browser no longer trusts the HTTPS connection for the hostname being visited. Visitors may see warnings, and automated services that require valid TLS can fail.

Expiry is usually fixable by renewing and reinstalling the certificate, but renewal can fail when DNS points elsewhere, port 80 is blocked, CAA records block the issuer, Certbot is not running, AutoSSL did not complete, or the web server was not reloaded after renewal.

Quick answer

Confirm the certificate is expired with SSL Checker, identify the issuer and renewal method (Certbot, hosting AutoSSL, panel SSL or CDN), fix DNS and validation blockers, renew the certificate, install the full chain on the correct virtual host, reload the web server, test HTTPS, then verify auto-renewal and set expiry monitoring.

Expired SSL certificates explained

TLS certificates have a fixed validity period, often 90 days for Let's Encrypt or one year for many commercial CAs. When not renewed in time, the served certificate passes its notAfter date and clients reject it.

  • Browser warnings such as NET::ERR_CERT_DATE_INVALID
  • Let's Encrypt renewal failure on VPS or server
  • Hosting AutoSSL or panel SSL not completing
  • HTTP-01 validation blocked when port 80 is closed
  • DNS-01 validation failure when DNS is wrong
  • CAA record blocking the certificate authority
  • Certificate renewed but web server not reloaded
  • Wrong virtual host still serving the old certificate
  • CDN edge certificate expired separately from origin
  • Domain no longer resolves to the renewal server

Reloading or replacing certificates on production should be done carefully. Test on staging when possible and keep a backup of the current config.

Why this matters

Expired HTTPS breaks trust immediately. Visitors may leave, logins fail, payment pages stop working, search rankings can suffer, and API clients that pin or require valid TLS will error.

Renewal failures often repeat until the underlying DNS, firewall, CAA or automation issue is fixed.

How to check certificate expiry

  1. Run SSL Checker on the public hostname.
  2. Note expiry date, issuer and covered hostnames.
  3. Check whether DNS points to the server that should renew the cert.
  4. On VPS, run sudo certbot certificates if Certbot is used.
  5. Review hosting panel SSL status or AutoSSL logs.
  6. Check CAA records if issuance recently started failing.
  7. Test HTTPS in a browser and with openssl s_client.
  8. Confirm whether CDN or origin serves the expired certificate.

Common problems

Auto-renewal failed silently

High

The renewal job failed weeks ago but no alert was sent.

Next step: Check Certbot, cron or panel logs and renew manually, then fix automation.

Certbot timer or cron not running

High

Scheduled renewal never runs on the server.

Next step: Enable and test certbot renew timer or cron on VPS systems.

Port 80 blocked

High

HTTP-01 validation cannot reach the server.

Next step: Open port 80 temporarily or switch to DNS validation.

DNS points to wrong server

High

Validation traffic goes to a host that does not complete the challenge.

Next step: Fix A/AAAA/CNAME records before retrying issuance.

CAA record blocks issuer

High

DNS does not authorize the CA trying to issue the certificate.

Next step: Add the correct CAA issue record for your CA and retry.

Certificate renewed but server not reloaded

Medium

New files exist on disk but Apache or Nginx still serves the old cert.

Next step: Reload or restart the web server after installing the new certificate.

Wrong vhost serves old certificate

Medium

The default SSL host answers instead of the domain-specific vhost.

Next step: Install the cert on the correct server_name block or virtual host.

CDN certificate expired

Medium

Edge SSL lapsed even though origin still has a valid or different cert.

Next step: Renew or re-enable SSL at the CDN and verify universal or custom cert status.

Expired intermediate chain

Medium

Leaf cert is current but clients cannot build a trusted chain.

Next step: Install fullchain.pem or the provider bundle, not only the leaf certificate.

Domain no longer resolves

High

DNS failure prevents validation and HTTPS access.

Next step: Restore DNS and registration before attempting renewal.
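
For the "CAA record blocks issuer" case above, this added example (not code from the original guide) evaluates a CAA record set the way a CA does before issuing. The function names, the `letsencrypt.org` identifier and the sample records are assumptions, and the critical flag on unknown tags is not evaluated.

```sh
#!/bin/sh
# Added example. CA identifier and sample records are assumptions; check your
# CA's documentation for the identifier it expects in CAA records.

# caa_allows CA_DOMAIN [wild]  <  lines as printed by: dig +short CAA <name>
# Exit 0 if the record set permits CA_DOMAIN to issue, 1 if it blocks it.
caa_allows() {
  awk -v ca="$1" -v wild="${2:-}" '
    { tag = tolower($2); val = tolower($3)
      gsub(/"/, "", val); sub(/;.*/, "", val) }   # drop quotes and parameters
    tag == "issue"     { issue[++ni] = val }
    tag == "issuewild" { iw[++nw] = val }
    END {
      # Wildcard requests use issuewild when present, otherwise issue.
      # Non-wildcard requests ignore issuewild entirely.
      if (wild != "" && nw > 0) {
        for (i = 1; i <= nw; i++) if (iw[i] == ca) exit 0
        exit 1
      }
      if (ni == 0) exit 0      # no issue property: CAA does not restrict
      for (i = 1; i <= ni; i++) if (issue[i] == ca) exit 0
      exit 1                   # also covers issue ";" (nobody may issue)
    }'
}

# Live lookup: CAA is inherited, so climb toward the root until records exist.
relevant_caa() {
  name=$1
  while [ -n "$name" ]; do
    rr=$(dig +short CAA "$name")
    if [ -n "$rr" ]; then printf '%s\n' "$rr"; return 0; fi
    case "$name" in *.*) name=${name#*.} ;; *) name= ;; esac
  done
}

if [ "$#" -eq 2 ]; then      # e.g. ./caa-check.sh www.example.com letsencrypt.org
  relevant_caa "$1" | caa_allows "$2" && echo "allowed" || echo "blocked"
else                         # constructed record set
  printf '0 issue "other-ca.example"\n' | caa_allows letsencrypt.org ||
    echo "blocked: add an issue record for letsencrypt.org"
fi
```

An empty result from `relevant_caa` means no CAA records exist anywhere up the tree, which leaves issuance unrestricted.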

How to fix

  1. Check current certificate expiry

    Use SSL Checker or openssl s_client to confirm the served certificate is expired and note the hostname.

  2. Identify certificate issuer

    Determine whether renewal is via Let's Encrypt/Certbot, hosting AutoSSL, control panel SSL or CDN.

  3. Check DNS points correctly

    Confirm public DNS reaches the server or CDN that should complete validation and serve HTTPS.

  4. Renew the certificate

    Run the correct renewal flow: certbot renew, panel AutoSSL, DNS validation or CDN SSL reissue.

  5. Install the full chain

    Use fullchain.pem or the CA bundle plus private key on the correct virtual host.

  6. Reload the web server

    Reload Apache, Nginx or the control panel service so the new certificate is served.

  7. Test HTTPS

    Verify the site loads without date errors in browsers and SSL Checker.

  8. Test auto-renewal

    Run certbot renew --dry-run or the panel equivalent to confirm the next renewal should succeed.

  9. Set expiry monitoring

    Add SSL Checker or monitoring alerts before the next expiry date.

Examples

Certbot and openssl commands
sudo certbot certificates
sudo certbot renew --dry-run
sudo systemctl reload nginx

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer

Use sudo and service names appropriate for your OS and web server. Test renewal on production only after fixing DNS, firewall and CAA blockers.
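
The check and fix steps hinge on whether renewal failed or the server simply never loaded the new file. This added triage script (not code from the original guide) compares the certificate a host presents with the one on disk; the function names, the 21-day window and the sample dates are assumptions, and it relies on GNU date.

```sh
#!/bin/sh
# Added example, not the guide's code. The host, the file path and the 21-day
# warning window are assumptions. Needs GNU date for "date -d".

# "notAfter=Jun 28 12:00:00 2026 GMT" -> epoch seconds; fails on anything else
# (an empty line would otherwise parse as "today" and hide a failed lookup).
enddate_to_epoch() {
  case "$1" in
    notAfter=*) date -u -d "${1#notAfter=}" +%s ;;
    *) return 2 ;;
  esac
}

# days_left ENDDATE_LINE NOW_EPOCH -> whole days until expiry
days_left() {
  end=$(enddate_to_epoch "$1") || return 2
  echo $(( ($end - $2) / 86400 ))
}

# classify SERVED_LINE DISK_LINE NOW_EPOCH [WARN_DAYS]
classify() {
  served=$(enddate_to_epoch "$1") || return 2
  disk=$(enddate_to_epoch "$2") || return 2
  now=$3; warn=${4:-21}
  if [ "$disk" -gt "$served" ] && [ "$disk" -gt "$now" ]; then
    echo "reload-needed"   # renewed on disk, server still presents the old cert
  elif [ "$served" -le "$now" ]; then
    echo "expired"         # nothing newer on disk: the renewal itself failed
  elif [ $(( $served - $now )) -lt $(( $warn * 86400 )) ]; then
    echo "expiring-soon"   # auto-renewal should already have replaced it
  else
    echo "ok"
  fi
}

# Live lookups, using the same openssl call as the commands above.
served_enddate() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate
}
disk_enddate() { openssl x509 -noout -enddate -in "$1"; }

if [ "$#" -eq 2 ]; then   # ./cert-triage.sh example.com /path/to/fullchain.pem
  classify "$(served_enddate "$1")" "$(disk_enddate "$2")" "$(date +%s)"
else                      # constructed sample; NOW is 2026-01-01 00:00:00 UTC
  classify "notAfter=Dec 20 00:00:00 2025 GMT" \
           "notAfter=Mar 20 00:00:00 2026 GMT" 1767225600
fi
```

Behind a CDN the served certificate is the edge certificate, so a mismatch with the origin file is expected there and the comparison only applies when run against the origin directly.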

Frequently asked questions

What happens when an SSL certificate expires?

Browsers show security warnings, APIs and webhooks may fail, and visitors may not be able to access the site over HTTPS until a valid certificate is installed.

Why did Let's Encrypt auto-renewal fail?

Common causes include port 80 blocked, DNS pointing to the wrong server, web server not serving the challenge path, CAA blocking issuance, or the Certbot timer not running.

Is it safe to renew while the old cert is expired?

Yes. Issue and install a new certificate as soon as possible. Some validation methods still require the domain to resolve correctly.

Do I need fullchain.pem or just cert.pem?

Install the full chain (fullchain.pem or equivalent). Serving only the leaf certificate can cause trust errors even when the cert is not expired.

Can CDN SSL expire separately from origin SSL?

Yes. The edge certificate and origin certificate are separate. Check both if visitors see expiry warnings.

How do I test renewal before the next expiry?

Run sudo certbot renew --dry-run on Certbot servers or use your panel's renewal test if available.

Should I monitor certificate expiry?

Yes. Use SSL Checker or uptime monitoring alerts so you are notified before certificates expire.
