Critical Severity | SSL/TLS

Fix: SSL Certificate Expired

Your SSL/TLS certificate has expired. Visitors will see a security warning in their browser, and most will not proceed to your site.

Quick Fix

Renew your SSL certificate immediately through your certificate provider or enable auto-renewal.

What This Error Means

The SSL/TLS certificate installed on your web server has passed its expiration date. Browsers will display a prominent "Your connection is not private" warning and will not establish a secure connection without explicit user override.

Why It Matters

An expired certificate effectively makes your website inaccessible to most visitors. Search engines will penalize your rankings, and API integrations will fail.

Step-by-Step Fix

1. Check the expiration date

Verify the current certificate's expiration.

Example
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
2. Renew the certificate

Renew through your certificate provider. If using Let's Encrypt, use certbot.

Example
# Let's Encrypt renewal:
sudo certbot renew

# Or renew a specific certificate:
sudo certbot certonly --nginx -d yourdomain.com -d www.yourdomain.com
3. Install the new certificate

Replace the old certificate files and restart your web server.

Example
# Nginx:
sudo nginx -t && sudo systemctl reload nginx

# Apache:
sudo apachectl configtest && sudo systemctl reload apache2
4. Enable auto-renewal

Set up automatic renewal so this does not happen again.

Example
# Verify certbot auto-renewal is configured:
sudo certbot renew --dry-run

# Check the cron/timer:
systemctl list-timers | grep certbot
5. Verify the new certificate

Confirm the new certificate is active and valid.

Example
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject

Common Gotchas

  • If you use a CDN (Cloudflare, CloudFront), the certificate at the CDN level and the origin server may be different. Make sure both are valid.
  • Certificate renewal may require a DNS validation or HTTP challenge. If your DNS or web server is misconfigured, automated renewal will fail silently.
  • Some providers (like Let's Encrypt) issue certificates valid for only 90 days. Auto-renewal is essential.
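
Because automated renewal can fail silently, it helps to monitor the expiry date independently of the renewal job. The script below is an added example, not part of the original guide; it assumes GNU date and the openssl CLI, and the 21-day threshold, the exit codes and the origin.yourdomain.com hostname are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original page): certificate expiry monitor for cron.
# Exit codes (assumed convention): 0 OK, 1 WARNING, 2 EXPIRED, 3 UNKNOWN.
# Assumes GNU date (for -d) and the openssl CLI.
WARN_DAYS="${WARN_DAYS:-21}"   # assumed warning threshold, in days

# classify_expiry "<notAfter value>" [now_epoch]
# Prints "STATE days"; the return code carries the state.
classify_expiry() {
  local end now secs days
  # date -d "" silently means "today", so reject empty input explicitly
  # (an empty value is what a failed TLS connection produces).
  [ -n "$1" ] || { echo "UNKNOWN no certificate date"; return 3; }
  end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNKNOWN bad date"; return 3; }
  now=${2:-$(date -u +%s)}
  secs=$(( end - now ))
  days=$(( secs / 86400 ))
  # Compare seconds, not days: a certificate expired one hour ago has days=0.
  if [ "$secs" -le 0 ]; then echo "EXPIRED $days"; return 2; fi
  if [ "$days" -lt "$WARN_DAYS" ]; then echo "WARNING $days"; return 1; fi
  echo "OK $days"
}

# fetch_not_after host [port]: same pipeline as step 1, printing the value only.
fetch_not_after() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Usage: ./cert-check.sh yourdomain.com origin.yourdomain.com
# List the CDN-facing name and the origin separately; their certificates can differ.
if [ "$#" -gt 0 ]; then
  worst=0
  for host in "$@"; do
    rc=0
    msg=$(classify_expiry "$(fetch_not_after "$host")") || rc=$?
    echo "$host: $msg"
    [ "$rc" -gt "$worst" ] && worst=$rc
  done
  exit "$worst"
fi
```

Run it from cron or a systemd timer and alert on any non-zero exit code; an unreachable host reports UNKNOWN rather than passing.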

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.

Frequently Asked Questions

How do I get a free SSL certificate?

Let's Encrypt provides free SSL certificates. Use certbot to automatically obtain and install them. Many hosting providers and CDNs also include free SSL.

How often do SSL certificates expire?

Let's Encrypt certificates are valid for 90 days. Commercial certificates are typically valid for 1 year. Always enable auto-renewal.

Will an expired certificate affect email?

If your mail server uses the same certificate, TLS negotiation may fail. However, most mail servers fall back to unencrypted delivery, so email usually still flows.
