SSL Certificate Expired: What to Do?

Urgent actions to restore your site security and prevent it from happening again.

Your SSL certificate has expired and your visitors are greeted by a scary warning page. It's a stressful situation, but don't panic: the problem is reversible and you can fix it quickly. The key is to act fast to minimize the impact on your business and SEO rankings.

An expired SSL certificate effectively blocks access to your site for most visitors. Modern browsers display alarming warnings and most users won't risk continuing. Every minute that passes costs you visitors, sales, and potentially your search engine rankings.

This guide walks you step by step through resolving the problem as quickly as possible, then putting measures in place so it never happens again.

Consequences of an Expired SSL Certificate

Here's what happens when a visitor accesses your site with an expired certificate:

  • Browser blocking: Chrome, Firefox and Safari display an error page with "Your connection is not private". Accessing the site requires extra clicks that 99% of visitors won't make.
  • Massive traffic loss: Visitors immediately leave your site and go to competitors. Bounce rate hits 100% on HTTPS pages.
  • Transactions impossible: Online payments are completely blocked. No customer will enter their banking information on a site marked as not secure.
  • SEO impact: Google demotes sites without valid HTTPS. Prolonged expiration (more than a few hours) can impact your rankings for weeks.

Urgent Actions (< 1 hour)

Follow these steps in order to resolve the problem as quickly as possible:

  1. Identify certificate type: Determine if you're using Let's Encrypt (free, auto-renewal) or a commercial certificate (DigiCert, Comodo, etc.). This information determines the renewal procedure.
  2. Access the server: SSH into your server, or access your hosting provider's control panel (cPanel, Plesk, etc.).
  3. Renew the certificate: Follow the appropriate procedure for your certificate type (see sections below).
  4. Verify the result: Test your site in a private/incognito browser window to verify the certificate is properly installed and valid.

Let's Encrypt Renewal

If you're using Let's Encrypt with Certbot, here's the procedure:

  1. SSH connect: Use your usual SSH client (Terminal, PuTTY) to access the server.
  2. Force renewal: Run sudo certbot renew --force-renewal to force renewal even if the certificate isn't close to expiration.
  3. Reload web server: Run sudo systemctl reload nginx (or apache2) so the server uses the new certificate.
  4. Check the cron: Make sure the auto-renewal cron is properly configured to prevent this from happening again.

Let's Encrypt Renewal Commands

Here are the commands to run on your server:

# 1. Force certificate renewal
sudo certbot renew --force-renewal

# 2. Verify the result
sudo certbot certificates

# 3. Reload web server (Nginx)
sudo systemctl reload nginx

# Or for Apache:
sudo systemctl reload apache2

# 4. Test automatic renewal
sudo certbot renew --dry-run

# 5. Check that the certbot renewal timer is scheduled (systemd)
systemctl list-timers | grep certbot

These commands renew your Let's Encrypt certificate and verify that auto-renewal is properly configured. The --dry-run flag simulates a renewal without modifying the certificate.

Prevention: Make Sure It Never Happens Again

Once the problem is resolved, implement these preventive measures:

  • MoniTao monitoring: Create an HTTPS monitor for your site. MoniTao will automatically alert you 30, 14 and 7 days before certificate expiration.
  • Verify auto-renewal: For Let's Encrypt, run certbot renew --dry-run to confirm that automatic renewal works correctly.
  • Document the process: Create internal documentation explaining how to manually renew the certificate if auto-renewal fails.
  • Multiply alerts: Don't rely on a single alert channel. Combine MoniTao with your certificate authority's reminder to be sure you don't miss anything.
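
The 30/14/7-day alert schedule above can also be checked by hand from any machine that can reach the site. The script below is an added example, not part of the original guide or of MoniTao: it grades a certificate's notAfter date against those thresholds and handles the cases where the certificate has already expired or could not be fetched. The function names and level names (NOTICE, WARNING, CRITICAL) are assumptions, it requires GNU date, and example.com is a placeholder.

```sh
#!/bin/sh
# Added example: grade a certificate's notAfter date against the
# 30/14/7-day alert schedule. Function and level names are illustrative.
# Assumes GNU date (for -d); openssl is only needed for the live fetch.

# Map seconds-until-expiry to an alert level.
alert_level() {
  if   [ "$1" -le 0 ];               then echo EXPIRED
  elif [ "$1" -le $((7 * 86400)) ];  then echo CRITICAL   # 7-day alert
  elif [ "$1" -le $((14 * 86400)) ]; then echo WARNING    # 14-day alert
  elif [ "$1" -le $((30 * 86400)) ]; then echo NOTICE     # 30-day alert
  else                                    echo OK
  fi
}

# check_not_after "<notAfter string>" [now_epoch]
# Runs in a subshell "( )" so its variables stay local.
check_not_after() (
  # An empty value means the fetch failed; GNU date would read "" as
  # "today 00:00" and wrongly report EXPIRED, so reject it explicitly.
  [ -n "$1" ] || { echo UNKNOWN; exit 2; }
  now=${2:-$(date -u +%s)}
  end=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNKNOWN; exit 2; }
  alert_level $((end - now))
)

# Read notAfter from a live server. s_client still hands back the
# certificate when it has expired, so this works during the outage too.
fetch_not_after() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Constructed sample dates (not real certificates), graded at a fixed "now".
DEMO_NOW=1735689600   # 2025-01-01 00:00:00 UTC
for na in "Dec 31 23:00:00 2024 GMT" "Jan  6 00:00:00 2025 GMT" \
          "Jan 21 00:00:00 2025 GMT" "Mar  1 00:00:00 2025 GMT"; do
  printf '%-26s %s\n' "$na" "$(check_not_after "$na" "$DEMO_NOW")"
done

# Live use (example.com is a placeholder):
#   check_not_after "$(fetch_not_after example.com)"
```

Run from cron or a systemd timer on a second machine, a result other than OK gives an alert channel that does not depend on the web server itself.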

Expired Certificate Urgent Checklist

  • Certificate type identified (Let's Encrypt or commercial)
  • Access to server or hosting panel obtained
  • Certificate renewed and installed
  • Web server reloaded
  • Site tested in a private browser window
  • MoniTao monitor configured for continuous monitoring

Frequently Asked Questions About Expired Certificates

Was my site hacked if the certificate expired?

No, SSL certificate expiration is not a hack. It's simply a renewal oversight or a failure of the automatic process. Your data and your visitors' data are not compromised by the expiration itself.

Can I temporarily switch my site to HTTP while waiting?

Technically possible, but strongly discouraged. Your visitors would see an unsecured site, which is almost as damaging as the certificate error. Focus on quick renewal instead.

Is my visitors' data compromised?

Certificate expiration doesn't expose existing data. However, new connections aren't encrypted until the certificate is renewed, which presents a theoretical risk.

How long before Google properly re-indexes my site?

Once the certificate is restored, Google should notice the change on its next crawl (usually 1-3 days). The impact on your rankings depends on how long the expiration lasted.

Why did Let's Encrypt auto-renewal fail?

Common causes are: port 80 blocked by firewall, web configuration changed, disk full, or the certbot cron no longer running. Check logs with sudo journalctl -u certbot.

Do I need to generate a new CSR to renew?

For Let's Encrypt, no. For commercial certificates, it depends on the provider. Some accept the same CSR, others require a new one for each renewal.

Resolve the Emergency, Then Prevent

An expired SSL certificate is stressful, but it's a problem that typically resolves in less than an hour. The key is to act quickly to minimize the impact on your visitors and SEO. Once the problem is resolved, take time to implement preventive measures.

With MoniTao, you receive automatic alerts well before your certificate expires. It's the safety net that guarantees you'll never have to handle this emergency again. Set up your first HTTPS monitor in under 2 minutes.
