Certificate expired

Your site's SSL certificate has passed its expiry date. Browsers will show a full-page security warning and block visitors until you renew it.

Symptom

  • DomainDash marks the SSL check as Down with error code expired
  • Visitors see a browser warning like "Your connection is not private" or NET::ERR_CERT_DATE_INVALID
  • Running openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates shows a notAfter date in the past

What it means

SSL certificates have a fixed lifespan. Once that period ends, the certificate is no longer valid and browsers will reject it. Visitors see a warning page that strongly discourages them from continuing to your site. This is the most common SSL issue, and almost always means a renewal step has been missed.

Common causes

  • Auto-renewal failed silently — the most common cause. Tools like Let's Encrypt's certbot, ACM, or your hosting provider's renewer ran into a problem and didn't tell anyone.
  • The renewal job stopped running — cron disabled, server rebooted without restarting it, container redeployed without persistent state.
  • A new certificate was provisioned but never deployed to the live server.
  • DNS or HTTP validation for renewal failed because of an unrelated DNS change.
  • A manual certificate was issued for a one-off period (e.g. 12 months) and the renewal calendar reminder was missed.

How to fix

  1. Confirm the certificate is actually expired. Run:

    openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

    Replace example.com with your domain. If notAfter is in the past, the certificate is expired.

  2. If you use Let's Encrypt with certbot, run a renewal manually:

    sudo certbot renew

    Then reload your web server (e.g. sudo systemctl reload nginx).

  3. If you use a hosting provider or CDN (Cloudflare, Netlify, Vercel, Fly.io, Heroku, etc.), open their dashboard and look for the SSL/TLS section. Most providers expose a "renew" or "reissue" action. Trigger it and wait for the new certificate to propagate.

  4. If you manage the certificate manually, request a new one from your certificate authority, install it on your server, and reload the web server.

  5. Investigate why auto-renewal failed. Check the renewal logs (/var/log/letsencrypt/letsencrypt.log for certbot, the provider's audit log for hosted services). Common causes include DNS changes that broke validation, firewall rules blocking the validation request, and disk-space issues that stopped the renewer from writing the new certificate.

  6. Set up an expiry warning so this doesn't happen again. DomainDash can flag certificates approaching expiry up to 30 days in advance, so you get a heads-up instead of a midnight outage. If you're not already on a plan that includes SSL warnings, see what's covered.
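
An added example, not DomainDash's or the page's own code: a small Python check that reads the output of the step 1 `openssl ... -dates` command and classifies the certificate as ok, expiring-soon, expired or not-yet-valid, exiting non-zero so a cron or CI job can alert on it. The 30-day window, the status names, the exit codes and the sample dates are assumptions constructed for illustration.

```python
import ssl
import sys
import time

WARN_DAYS = 30  # assumption: same 30-day window the page mentions for warnings

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE = "notBefore=Mar  3 00:00:00 2025 GMT\nnotAfter=Jun  1 00:00:00 2025 GMT\n"


def parse_dates(openssl_output):
    """Map notBefore/notAfter lines to Unix timestamps (UTC)."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = ssl.cert_time_to_seconds(value.strip())
    if "notAfter" not in dates:
        # Empty input usually means s_client never received a certificate
        # (connection refused, wrong port, handshake failure).
        raise ValueError("no notAfter line in input")
    return dates


def classify(openssl_output, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left); status is one of
    'ok', 'expiring-soon', 'expired', 'not-yet-valid'."""
    now = time.time() if now is None else now
    dates = parse_dates(openssl_output)
    days_left = (dates["notAfter"] - now) / 86400
    if now >= dates["notAfter"]:
        return "expired", days_left
    if now < dates.get("notBefore", now):
        return "not-yet-valid", days_left
    if days_left <= warn_days:
        return "expiring-soon", days_left
    return "ok", days_left


if __name__ == "__main__":
    # Pipe the openssl command's output in; with no pipe, use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    try:
        status, days_left = classify(text)
    except ValueError as exc:
        print(f"unknown: {exc}")
        sys.exit(3)
    print(f"{status}: {days_left:.1f} days until notAfter")
    # Non-zero exit lets cron or a CI job alert on anything but 'ok'.
    sys.exit({"ok": 0, "expiring-soon": 1}.get(status, 2))
```

The not-yet-valid case is checked because browsers report a certificate whose notBefore is still in the future with the same NET::ERR_CERT_DATE_INVALID error as an expired one.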

How to verify

After renewing and reloading:

  1. Run the OpenSSL check from step 1 above. The notAfter date should now be in the future.
  2. Open your site in a fresh browser window (incognito mode bypasses cached state). The padlock should appear with no warnings.
  3. Open the site in DomainDash, go to SSL, and click "Check now". You should see the status flip from Down to Healthy within a few seconds — and the new notAfter date appear on the certificate card.