SSL certificate expired: what it means and how to fix it
Your SSL certificate has expired and browsers are showing "Your connection is not private" or "This site is not secure" to every visitor. Most people will leave immediately. Your website is effectively blocked: HTTPS connections fail, payment flows break, and APIs that connect to your domain over HTTPS will start returning errors. This is not a hack or a breach. It means the certificate needs to be renewed.
- Check the expiry date: run `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates -issuer` and look at the `notAfter` line.
- Identify your certificate provider. Check the issuer in the output above, or look in your hosting/DNS dashboard. Common providers:
| Provider | How to renew |
|---|---|
| Let's Encrypt | Run `sudo certbot renew` |
| Cloudflare | Renews automatically. Check SSL/TLS in dashboard. |
| Hosting provider | Use the SSL section in your control panel. |
| Commercial CA | Log in to the provider portal and reissue. |
- Restart your web server (if you manage it yourself) so it loads the new certificate files.
- Verify in the browser. Visit your site in an incognito window. The padlock icon should appear and the "not private" warning should be gone.
If the warning persists after renewal, clear your browser cache or test in a different browser. The issue is almost always a cached version of the old certificate.
What is an SSL certificate
An SSL certificate is a digital file that proves your website's identity and enables encrypted connections. When a visitor connects to your site over HTTPS, the certificate tells the browser two things: that the site is genuinely owned by you, and that the connection is encrypted so data cannot be intercepted in transit.
Every SSL certificate has a validity period. Let's Encrypt certificates are valid for 90 days. Commercial certificates from providers like DigiCert or Sectigo typically last 1 year. When the validity period ends, the certificate expires and browsers stop trusting it. The encryption still works technically, but the browser has no way to verify the certificate is current, so it blocks the connection as a safety precaution.
SSL and TLS are often used interchangeably. TLS (Transport Layer Security) is the modern successor to SSL, but "SSL certificate" remains the common term.
How HTTPS works
Every time a visitor loads your site over HTTPS, a handshake occurs between the browser and your server. The certificate is checked during this handshake. If it is expired, the connection is blocked before the page even begins to load.
With a valid certificate, the handshake succeeds, the connection is encrypted, and the browser shows the padlock icon. The page loads normally. An expired certificate breaks this flow at the validation step, before any page content is transferred.
How to think about SSL (simple)
If you are not familiar with SSL certificates, here is the simplest way to understand this:
- An SSL certificate is like an ID card for your website. It proves your site is who it says it is.
- Like a real ID, it has an expiry date. Once that date passes, it is no longer accepted.
- When a browser sees an expired certificate, it blocks the connection. Visitors see a warning page instead of your site.
- This is not a hack. Nothing is broken or compromised. The certificate just needs to be renewed, like renewing a passport.
The good news is that renewing a certificate is usually straightforward. Many hosting providers and tools like Let's Encrypt handle it automatically. If auto-renewal has failed, the fix is typically a single command or a few clicks in a dashboard.
How to tell if this is your issue
These are common signs that an expired SSL certificate is the cause of your problem:
- Browser shows "Your connection is not private". This is the most common sign. Chrome, Firefox, and Safari all display full-page warnings with slightly different wording. Chrome uses `NET::ERR_CERT_DATE_INVALID`.
- HTTPS fails but HTTP may still work. If your site loads on http:// but not https://, the issue is almost certainly the SSL certificate, not your server or DNS.
- APIs return SSL errors. Applications and integrations that connect to your domain over HTTPS will report errors like `SSL_ERROR_EXPIRED_CERT_ALERT` or `certificate has expired`.
- Certificate expiry warning in monitoring tools. Tools like 1Pane or your hosting dashboard may flag that the certificate has expired or is about to expire.
- The padlock icon is missing or shows a warning. In the browser address bar, the padlock is replaced by a "Not secure" label or a warning triangle.
Quick check: Run `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates` to see the exact expiry date. If `notAfter` is in the past, the certificate is expired.
Expired certificate vs valid certificate
Expired certificate
- "Your connection is not private" warning
- Visitors blocked from accessing your site
- HTTPS connections rejected
- APIs and webhooks fail over HTTPS
- No padlock icon in the browser
- Payment and checkout flows broken
Valid certificate
- Padlock icon shown in the address bar
- Visitors connect without warnings
- All data encrypted in transit
- APIs and integrations work normally
- Search engines rank HTTPS pages higher
- Payment processing works as expected
Why this matters
An expired SSL certificate does more than show a warning. It has immediate, measurable impact on your business:
- Visitors are blocked. Browsers display a full-page "Your connection is not private" warning. Studies show over 90% of visitors leave immediately. They do not click "Advanced" to bypass it.
- Trust is damaged. Even if visitors know how to proceed past the warning, seeing a security error makes your site look neglected or compromised. Rebuilding that trust takes time.
- API and integration failures. Any service that connects to your domain over HTTPS (webhooks, payment processors, CRM integrations, monitoring tools) will reject the expired certificate. Automated processes will break silently.
- SEO impact. Google has used HTTPS as a ranking signal since 2014. An expired certificate can cause your pages to drop in search results. If the site is unreachable for an extended period, pages may be deindexed entirely.
- Payment processing stops. Payment gateways require a valid SSL certificate. If your site handles transactions, checkout will fail completely. PCI compliance also requires valid certificates.
- Email reputation can be affected. If your mail server uses the same certificate, email authentication and encrypted email delivery (STARTTLS) may also fail.
How to fix it properly
Work through these steps in order. The right approach depends on how your certificate is managed.
Step 1: Confirm the certificate is expired
Before making changes, verify that the certificate is actually expired and not a different issue (like a DNS failure or missing A record). Run `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates -issuer`.
The `notAfter` date tells you when the certificate expired. The `issuer` line tells you who provided it, which determines how to renew.
Step 2: Identify your certificate provider
The renewal process depends entirely on who issued your certificate. Here are the most common setups:
| Provider | Certificate type | Validity |
|---|---|---|
| Let's Encrypt | Free, auto-renewing (via Certbot) | 90 days |
| Cloudflare | Universal SSL (automatic) | 1 year |
| Hosting provider | Varies (often Let's Encrypt) | 90 days to 1 year |
| DigiCert / Sectigo | Commercial (paid) | 1 year |
Step 3: Renew the certificate
Let's Encrypt (Certbot): run `sudo certbot renew`.
If Certbot reports errors, check that your A record points to the correct server and that port 80 is accessible (Let's Encrypt uses HTTP validation by default).
Cloudflare:
Cloudflare Universal SSL certificates renew automatically. If yours has expired, log in to the Cloudflare dashboard, navigate to SSL/TLS, and check for errors. You may need to re-enable Universal SSL or verify your domain. If you use a Cloudflare Origin Certificate for the connection between Cloudflare and your server, check that separately.
Hosting provider:
Most hosting providers (cPanel, Plesk, Vercel, Netlify) offer one-click SSL renewal or handle it automatically. Log in to your hosting control panel and look for an SSL or Security section. If auto-renewal failed, there is usually a "Reissue" or "Renew" button.
Commercial CA (DigiCert, Sectigo, etc.):
Log in to the certificate provider's portal, reissue the certificate, and download the new files. You will need to install them on your server manually.
Step 4: Install the new certificate
If renewal is not automatic (commercial CAs, manual Certbot setups), you need to install the new certificate files on your server. Make sure to include the intermediate (chain) certificate. An incomplete chain will cause errors in some browsers even if the main certificate is valid.
Step 5: Restart your web server
Your web server needs to reload the new certificate files. This step is automatic on managed hosting platforms, but on servers you manage yourself you must reload the Nginx or Apache service after the new files are in place.
Important: Always test your Nginx or Apache config before restarting. A syntax error in the config will cause the restart to fail, taking your site offline completely.
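The "test the config, then reload" rule above, written out as a small script. This is an added example, not the article's or 1Pane's code; it assumes systemd, the stock `nginx`/`apache2` unit names and that `nginx -t` / `apachectl configtest` are on `PATH` (run it with sudo). The command runner is injectable so the decision logic can be exercised without a real server.

```python
"""Reload a self-managed web server only after its config passes a syntax check.

Added example (not from the article). A failed syntax check leaves the running
process untouched, so a typo in the config never takes the site offline; a
'reload' (rather than 'restart') re-reads the certificate files without
dropping in-flight connections.
"""
import subprocess
from typing import Callable, Dict, List

# Assumed layout: Debian/Ubuntu unit names and systemd. Adjust for your distro.
SERVERS: Dict[str, dict] = {
    "nginx":   {"test": ["nginx", "-t"],             "unit": "nginx"},
    "apache2": {"test": ["apachectl", "configtest"], "unit": "apache2"},
}

Runner = Callable[[List[str]], int]  # runs a command, returns its exit status


def run_command(cmd: List[str]) -> int:
    """Default runner: execute the command and return its exit code."""
    return subprocess.run(cmd, check=False).returncode


def safe_reload(server: str, run: Runner = run_command) -> dict:
    """Syntax-check the config; only if it passes, ask systemd to reload the unit.

    Returns a small result dict so the outcome can be logged or monitored.
    """
    if server not in SERVERS:
        return {"reloaded": False, "reason": f"unknown server {server!r}"}
    spec = SERVERS[server]
    if run(spec["test"]) != 0:
        # The old process is still serving the site; do not touch it.
        return {"reloaded": False,
                "reason": "config test failed; server left running"}
    rc = run(["systemctl", "reload", spec["unit"]])
    return {"reloaded": rc == 0,
            "reason": "ok" if rc == 0 else f"systemctl exited with {rc}"}


if __name__ == "__main__":
    import sys
    print(safe_reload(sys.argv[1] if len(sys.argv) > 1 else "nginx"))
```

Usage: `sudo python3 safe_reload.py nginx`. The result dict is deliberately explicit about why nothing was reloaded, which is the information you want in a renewal cron job's log.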
Step 6: Verify in the browser
Open your site in an incognito/private browsing window (to avoid cached certificate data):
- The padlock icon should appear in the address bar
- Click the padlock to view certificate details and confirm the new expiry date
- The "Your connection is not private" warning should be gone
You can also verify from the command line with `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates`: the `notAfter` date should now be in the future.
Common mistakes
- Auto-renewal failed silently. Let's Encrypt certificates expire every 90 days. If the Certbot cron job or systemd timer stopped running, the certificate will expire without warning. Check `systemctl status certbot.timer` and review `/var/log/letsencrypt/letsencrypt.log` for errors.
- Old certificate still being served. After renewal, make sure the web server is actually serving the new certificate. If you did not restart the server, it will continue serving the expired one from memory.
- Incomplete certificate chain. Some browsers will show warnings if the intermediate certificate is missing, even if the main certificate is valid. Always include the full chain file when installing a certificate.
- DNS or A record changed. If you recently changed your A record or DNS provider, the old certificate may not be valid for the new setup. Let's Encrypt HTTP validation requires the domain's A record to point to the server running Certbot.
- Port 80 blocked. Let's Encrypt uses HTTP (port 80) to validate domain ownership by default. If a firewall or security group blocks port 80, renewal will fail. Use DNS validation as an alternative.
- Assuming all subdomains are covered. A certificate for `yourdomain.com` does not automatically cover `www.yourdomain.com` or `api.yourdomain.com`. Make sure the certificate covers all the hostnames you use, or use a wildcard certificate (`*.yourdomain.com`).
How 1Pane detects this
During a domain health scan, 1Pane connects to your domain over HTTPS and inspects the SSL certificate. It checks the expiry date, the certificate chain, and the issuer. Expired certificates are flagged as critical issues. Certificates expiring within 30 days are flagged as warnings, giving you time to renew before visitors are affected.
1Pane also checks for related issues that can compound an SSL problem, including DNS lookup failures (which prevent certificate renewal via HTTP validation), missing A records (which prevent traffic from reaching your server), and missing SPF or DMARC records (which affect email security).
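The checks described in Step 1, Step 6 and the two paragraphs above (expiry date, issuer, the 30-day "expiring soon" warning, and whether the certificate actually covers the hostname, including the wildcard rule from the "subdomains" mistake) as a script. This is an added example, not 1Pane's scanner and not from the article; it uses only the Python standard library, the `SAMPLE_CERT` data is constructed, and `WARN_DAYS` simply mirrors the 30-day threshold the article states.

```python
"""Check a site's TLS certificate the way a domain health scan does.

Added example (not 1Pane's code). Python only returns the parsed certificate
after a successful, verified handshake, so an expired certificate surfaces as
SSLCertVerificationError; its verify_code tells us whether expiry was the
reason, as opposed to a hostname mismatch or a missing intermediate.
"""
import socket
import ssl
import time

WARN_DAYS = 30  # the article's "expiring within 30 days" warning threshold
# OpenSSL verify-result code X509_V_ERR_CERT_HAS_EXPIRED
X509_V_ERR_CERT_HAS_EXPIRED = 10


def hostname_covered(cert, hostname):
    """True if hostname is listed among the certificate's DNS subjectAltNames.

    A wildcard *.example.com matches exactly one label (api.example.com), not
    the bare domain and not deeper names (a.b.example.com). This is why a
    certificate for yourdomain.com alone never covers www.yourdomain.com.
    """
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            suffix = value[1:]  # ".example.com"
            if hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]:
                return True
        elif value == hostname:
            return True
    return False


def assess(cert, hostname, now=None):
    """Classify a getpeercert()-style dict as expired, expiring_soon or valid."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    days_left = int((not_after - now) // 86400)
    # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName", "unknown")
    if days_left < 0:
        status = "expired"
    elif days_left < WARN_DAYS:
        status = "expiring_soon"
    else:
        status = "valid"
    return {"status": status, "days_left": days_left, "issuer": issuer,
            "covers_hostname": hostname_covered(cert, hostname)}


def fetch_assessment(hostname, port=443, timeout=5.0):
    """Do a normally verified TLS handshake to hostname and assess the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return assess(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        expired = exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED
        return {"status": "expired" if expired else "verification_failed",
                "detail": exc.verify_message}
    except OSError as exc:  # DNS failure, refused/blocked port, timeout
        return {"status": "unreachable", "detail": str(exc)}


# Constructed sample shaped like ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fetch_assessment(sys.argv[1]))   # e.g. python3 certcheck.py yourdomain.com
    else:
        print(assess(SAMPLE_CERT, "www.example.com"))
```

Two design points: `days_left` uses floor division, so a certificate that expired one second ago is reported as `-1` days and `expired`, never rounded up to a still-valid `0`; and the fetch path keeps verification on, because turning it off to "see" an expired certificate also hides hostname and chain problems that the article lists as separate causes.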
Frequently asked questions
Does an expired SSL certificate mean my site was hacked?
No. An expired certificate is not a security breach. It means the certificate's validity period has passed and it needs to be renewed. Browsers block access as a precaution, but your site, data, and server are not compromised. Think of it like an expired driving licence: you are still the same person, but the document needs to be renewed.
How often do SSL certificates expire?
It depends on the provider. Let's Encrypt certificates expire every 90 days (but auto-renew if configured correctly). Commercial certificates from providers like DigiCert or Sectigo last 1 year. Cloudflare Universal SSL certificates also last 1 year and renew automatically. The industry is moving towards shorter validity periods to improve security.
Why did my certificate not auto-renew?
The most common reasons are: the Certbot timer or cron job stopped running, the server was unreachable during the renewal window, port 80 was blocked by a firewall (preventing HTTP validation), or your A record changed and no longer points to the server running the renewal tool. Check `/var/log/letsencrypt/letsencrypt.log` for specific error messages.
Can visitors bypass the "Your connection is not private" warning?
In most browsers, visitors can click "Advanced" and then "Proceed to site (unsafe)" to bypass the warning. However, the vast majority of visitors will not do this. The warning is deliberately designed to look alarming. You should never rely on visitors bypassing it. Renew the certificate as quickly as possible.
Related issues
SSL certificate problems are often connected to other domain health issues, such as DNS lookup failures, missing A records, and missing SPF or DMARC records.
Scan your domain with 1Pane to check SSL, DNS, and email authentication issues in one place.