Fixing an Expired SSL Certificate
Fix an expired SSL certificate by renewing it, checking DNS, Certbot, AutoSSL, CAA records, web server reloads and renewal monitoring.
Introduction
An expired SSL certificate means the browser no longer trusts the HTTPS connection for the hostname being visited. Visitors may see warnings, and automated services that require valid TLS can fail.
Expiry is usually fixable by renewing and reinstalling the certificate, but renewal can fail when DNS points elsewhere, port 80 is blocked, CAA records block the issuer, Certbot is not running, AutoSSL did not complete, or the web server was not reloaded after renewal.
Quick answer
Confirm the certificate is expired with SSL Checker, identify the issuer and renewal method (Certbot, hosting AutoSSL, panel SSL or CDN), fix DNS and validation blockers, renew the certificate, install the full chain on the correct virtual host, reload the web server, test HTTPS, then verify auto-renewal and set expiry monitoring.
Expired SSL certificates explained
TLS certificates have a fixed validity period, often 90 days for Let's Encrypt or one year for many commercial CAs. When not renewed in time, the served certificate passes its notAfter date and clients reject it.
- Browser warnings such as NET::ERR_CERT_DATE_INVALID
- Let's Encrypt renewal failure on VPS or server
- Hosting AutoSSL or panel SSL not completing
- HTTP-01 validation blocked when port 80 is closed
- DNS-01 validation failure when DNS is wrong
- CAA record blocking the certificate authority
- Certificate renewed but web server not reloaded
- Wrong virtual host still serving the old certificate
- CDN edge certificate expired separately from origin
- Domain no longer resolves to the renewal server
Reloading or replacing certificates on production should be done carefully. Test on staging when possible and keep a backup of the current config.
Why this matters
Expired HTTPS breaks trust immediately. Visitors may leave, logins fail, payment pages stop working, search rankings can suffer, and API clients that pin or require valid TLS will error.
Renewal failures often repeat until the underlying DNS, firewall, CAA or automation issue is fixed.
How to check certificate expiry
- Run SSL Checker on the public hostname.
- Note expiry date, issuer and covered hostnames.
- Check whether DNS points to the server that should renew the cert.
- On VPS, run sudo certbot certificates if Certbot is used.
- Review hosting panel SSL status or AutoSSL logs.
- Check CAA records if issuance recently started failing.
- Test HTTPS in a browser and with openssl s_client.
- Confirm whether CDN or origin serves the expired certificate.
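The checks above, scripted, as an added example that is not part of the original guide: it fetches the served certificate's notAfter line with the same openssl pipeline the guide's Examples section uses, converts the date to "days left" (in awk, so it also works where GNU `date -d` is absent) and prints a status word. The host and port on the command line and the 14-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: read the notAfter date of a
# served certificate and turn it into "days left" plus a status word.
# Host, port and the 14-day warning threshold are assumptions.

# month_num Mon -> 1..12
month_num() {
  case "$1" in
    Jan) echo 1;; Feb) echo 2;; Mar) echo 3;;  Apr) echo 4;;  May) echo 5;;  Jun) echo 6;;
    Jul) echo 7;; Aug) echo 8;; Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# notafter_to_epoch "notAfter=Mar 10 12:00:00 2024 GMT" -> seconds since 1970-01-01 UTC
# (the format is what 'openssl x509 -noout -enddate' prints; the prefix is optional)
notafter_to_epoch() {
  line=${1#notAfter=}
  # Mon DD HH:MM:SS YYYY GMT; word splitting absorbs the double space before single-digit days
  set -- $line
  mon=$(month_num "$1") || return 1
  day=$2; hms=$3; year=$4
  h=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; sec=${rest#*:}
  awk -v y="$year" -v mo="$mon" -v d="$day" -v h="$h" -v mi="$mi" -v s="$sec" 'BEGIN {
    # days-from-civil arithmetic (proleptic Gregorian), the same calculation timegm() does
    if (mo <= 2) y -= 1
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    printf "%d\n", days * 86400 + h * 3600 + mi * 60 + s
  }'
}

# days_until NOTAFTER [NOW_EPOCH] -> whole days until expiry, negative once expired
days_until() {
  exp=$(notafter_to_epoch "$1") || return 1
  now=${2:-$(date +%s)}
  echo $(( (exp - now) / 86400 ))
}

# expiry_status DAYS -> ok | warn | expired
expiry_status() {
  if [ "$1" -lt 0 ]; then echo expired
  elif [ "$1" -lt 14 ]; then echo warn
  else echo ok
  fi
}

# served_not_after HOST [PORT]: notAfter line of the certificate the server presents
# for HOST (SNI set, so the matching vhost rather than the default one answers). Needs network.
served_not_after() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# check_host HOST [PORT]: prints e.g. "example.com: notAfter=... (37 days) ok"
check_host() {
  na=$(served_not_after "$1" "$2") || { echo "$1: no certificate returned"; return 1; }
  d=$(days_until "$na")
  echo "$1: $na ($d days) $(expiry_status "$d")"
}

if [ $# -ge 1 ]; then check_host "$@"; fi
```

Run it as `sh check_expiry.sh example.com` (the file name is an assumption). A status of expired or warn with a "no certificate returned" line points at a different problem: the host is not answering on 443 at all, which is usually the DNS or firewall case rather than an expiry.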
Check certificate expiry
Use SSL Checker to see the current certificate expiry date, issuer and hostname coverage.
Common problems
Auto-renewal failed silently
Severity: High. The renewal job failed weeks ago but no alert was sent.
Next step: Check Certbot, cron or panel logs and renew manually, then fix automation.
Certbot timer or cron not running
Severity: High. Scheduled renewal never runs on the server.
Next step: Enable and test the certbot renew timer or cron job on VPS systems.
Port 80 blocked
Severity: High. HTTP-01 validation cannot reach the server.
Next step: Open port 80 temporarily or switch to DNS validation.
DNS points to wrong server
Severity: High. Validation traffic goes to a host that does not complete the challenge.
Next step: Fix A/AAAA/CNAME records before retrying issuance.
CAA record blocks issuer
Severity: High. DNS does not authorize the CA trying to issue the certificate.
Next step: Add the correct CAA issue record for your CA and retry.
Certificate renewed but server not reloaded
Severity: Medium. New files exist on disk but Apache or Nginx still serves the old cert.
Next step: Reload or restart the web server after installing the new certificate.
Wrong vhost serves old certificate
Severity: Medium. The default SSL host answers instead of the domain-specific vhost.
Next step: Install the cert on the correct server_name block or virtual host.
CDN certificate expired
Severity: Medium. Edge SSL lapsed even though origin still has a valid or different cert.
Next step: Renew or re-enable SSL at the CDN and verify universal or custom cert status.
Expired intermediate chain
Severity: Medium. Leaf cert is current but clients cannot build a trusted chain.
Next step: Install fullchain.pem or the provider bundle, not only the leaf certificate.
Domain no longer resolves
Severity: High. DNS failure prevents validation and HTTPS access.
Next step: Restore DNS and registration before attempting renewal.
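Two of the blockers above, DNS pointing at the wrong server and a CAA record that excludes the CA, can be checked before retrying issuance. The following script is an added example and not part of the original guide: the parsing functions take the text `dig +short` prints so they can be exercised on captured records, while the lookup wrappers assume `dig` is installed and a resolver is reachable. The hostname, IP address and issuer domain in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks for the DNS
# and CAA renewal blockers. 'dig' and a reachable resolver are assumed for the
# network wrappers; the parsers work on captured 'dig +short' output.

# caa_permits "<dig +short CAA output>" ISSUER_DOMAIN [1 for a wildcard name] -> allow | deny
# RFC 8659 rules: no records, or records without issue/issuewild tags, place no
# restriction; otherwise the issuer domain must appear in an issue tag (issuewild
# tags take precedence for wildcard names). A value of ";" forbids every CA.
caa_permits() {
  records=$1; issuer=$2; wild=${3:-0}
  [ -z "$records" ] && { echo allow; return 0; }
  printf '%s\n' "$records" | awk -v ca="$issuer" -v wild="$wild" '
    # strip the quotes dig prints and any "; validationmethods=..." parameters
    function val(s) { gsub(/"/, "", s); sub(/;.*/, "", s); gsub(/[ \t]/, "", s); return s }
    $2 == "issue"     { n_issue++; if (val($3) == ca) ok_issue = 1 }
    $2 == "issuewild" { n_wild++;  if (val($3) == ca) ok_wild = 1 }
    END {
      if (wild == "1" && n_wild > 0) print (ok_wild ? "allow" : "deny")
      else if (n_issue > 0)          print (ok_issue ? "allow" : "deny")
      else                           print "allow"
    }'
}

# dns_points_to "<dig +short A output>" EXPECTED_IP -> yes | no
# dig may print a CNAME target before the addresses; only an exact address match counts
dns_points_to() {
  printf '%s\n' "$1" | awk -v want="$2" '$0 == want { hit = 1 } END { print (hit ? "yes" : "no") }'
}

lookup_caa() { dig +short CAA "$1"; }
lookup_a()   { dig +short A "$1"; }

# relevant_caa HOST: CAA is inherited, so the set that applies is the one on the
# closest name (the host itself or one of its parents) that has any CAA records
relevant_caa() {
  name=$1
  while [ -n "$name" ]; do
    caa=$(lookup_caa "$name")
    if [ -n "$caa" ]; then printf '%s\n' "$caa"; return 0; fi
    case $name in *.*) name=${name#*.};; *) name="";; esac
  done
  return 0
}

# preflight HOST EXPECTED_IP ISSUER_DOMAIN
# e.g. preflight www.example.com 203.0.113.10 letsencrypt.org (constructed values)
preflight() {
  host=$1; ip=$2; ca=$3
  echo "A record for $host points to $ip: $(dns_points_to "$(lookup_a "$host")" "$ip")"
  echo "CAA permits $ca to issue for $host: $(caa_permits "$(relevant_caa "$host")" "$ca")"
}

if [ $# -eq 3 ]; then preflight "$@"; fi
```

The issuer domain to pass is the one the CA publishes for CAA (for Let's Encrypt that is letsencrypt.org). A "deny" here means issuance will keep failing regardless of how the challenge is served, so the CAA record is the first thing to fix.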
How to fix
Step 1: Check current certificate expiry
Use SSL Checker or openssl s_client to confirm the served certificate is expired and note the hostname.
Step 2: Identify certificate issuer
Determine whether renewal is via Let's Encrypt/Certbot, hosting AutoSSL, control panel SSL or CDN.
Step 3: Check DNS points correctly
Confirm public DNS reaches the server or CDN that should complete validation and serve HTTPS.
Step 4: Renew the certificate
Run the correct renewal flow: certbot renew, panel AutoSSL, DNS validation or CDN SSL reissue.
Step 5: Install the full chain
Use fullchain.pem or the CA bundle plus private key on the correct virtual host.
Step 6: Reload the web server
Reload Apache, Nginx or the control panel service so the new certificate is served.
Step 7: Test HTTPS
Verify the site loads without date errors in browsers and SSL Checker.
Step 8: Test auto-renewal
Run certbot renew --dry-run or the panel equivalent to confirm the next renewal should succeed.
Step 9: Set expiry monitoring
Add SSL Checker or monitoring alerts before the next expiry date.
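Steps 5 to 7 have a failure mode that a browser test can miss when the old certificate has not yet expired: the new files are on disk but the server still presents the previous one, either because it was not reloaded or because the default SSL vhost answers for the name. The script below is an added example, not part of the original guide. It compares the SHA-256 fingerprint of the certificate file with the fingerprint actually served (with SNI set, so the domain's vhost answers) and, for Certbot hosts, installs a deploy hook so the reload happens automatically on the next renewal. The host, certificate path and service name are assumptions; the hook directory is Certbot's standard renewal-hooks location.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm the certificate served
# on port 443 is the one just installed, and register a certbot deploy hook so
# the web server is reloaded after every renewal. Host, certificate path and
# service name are assumptions.

# normalise_fp "SHA256 Fingerprint=AB:CD:..." -> lowercase hex without separators,
# so values copied from openssl, a browser or a hosting panel compare equal
normalise_fp() {
  printf '%s\n' "$1" | sed -e 's/.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# same_cert FP_A FP_B -> yes | no (two empty values are not "the same certificate")
same_cert() {
  a=$(normalise_fp "$1"); b=$(normalise_fp "$2")
  if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# fingerprint of the first certificate in a PEM file (in fullchain.pem that is the leaf)
file_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# fingerprint of the certificate HOST actually serves; -servername makes the
# domain's vhost answer instead of the default SSL host
served_fp() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# verify_served HOST CERT_FILE: exits non-zero while the old certificate is still served
verify_served() {
  if [ "$(same_cert "$(file_fp "$2")" "$(served_fp "$1")")" = yes ]; then
    echo "OK: $1 serves $2"
  else
    echo "MISMATCH: $1 is not serving $2; reload the web server or fix the vhost"
    return 1
  fi
}

# install_reload_hook [SERVICE]: certbot runs every executable in this directory
# after a successful renewal, which closes the "renewed but not reloaded" gap. Run as root.
install_reload_hook() {
  svc=${1:-nginx}
  hook=/etc/letsencrypt/renewal-hooks/deploy/reload-$svc.sh
  printf '#!/bin/sh\nsystemctl reload %s\n' "$svc" > "$hook" && chmod 0755 "$hook"
}

if [ $# -eq 2 ]; then verify_served "$1" "$2"; fi
```

Typical use after Step 6 is `sh verify_cert.sh example.com /etc/letsencrypt/live/example.com/fullchain.pem` (file name and path are assumptions; the live path is Certbot's default layout). Running the same check once with `-servername` removed from served_fp is a quick way to tell a reload problem from a vhost problem: if the fingerprint changes, the default host is answering for the name.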
Examples
sudo certbot certificates
sudo certbot renew --dry-run
sudo systemctl reload nginx
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer
Use sudo and service names appropriate for your OS and web server. Test renewal on production only after fixing DNS, firewall and CAA blockers.
Frequently asked questions
What happens when an SSL certificate expires?
Browsers show security warnings, APIs and webhooks may fail, and visitors may not be able to access the site over HTTPS until a valid certificate is installed.
Why did Let's Encrypt auto-renewal fail?
Common causes include port 80 blocked, DNS pointing to the wrong server, web server not serving the challenge path, CAA blocking issuance, or the Certbot timer not running.
Is it safe to renew while the old cert is expired?
Yes. Issue and install a new certificate as soon as possible. Some validation methods still require the domain to resolve correctly.
Do I need fullchain.pem or just cert.pem?
Install the full chain (fullchain.pem or equivalent). Serving only the leaf certificate can cause trust errors even when the cert is not expired.
Can CDN SSL expire separately from origin SSL?
Yes. The edge certificate and origin certificate are separate. Check both if visitors see expiry warnings.
How do I test renewal before the next expiry?
Run sudo certbot renew --dry-run on Certbot servers or use your panel's renewal test if available.
Should I monitor certificate expiry?
Yes. Use SSL Checker or uptime monitoring alerts so you are notified before certificates expire.