Renewing an expired SSL certificate is usually a small task - but only if you know which renewal path applies to your specific certificate. This guide walks through all the common paths, from quickest (a single command) to most involved (purchased certificates from commercial CAs).
The fastest path: a new free certificate
If your priority is getting back online and you don't have specific requirements about which CA issues the certificate, the fastest path is a fresh Let's Encrypt certificate. Most teams can be back online in under 10 minutes.
Need a working certificate right now?
Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.
Get a free certificate from BeaconRenewing a Let's Encrypt certificate (via certbot)
If your existing certificate came from Let's Encrypt and certbot is already configured on the server, the renewal is one command:
sudo certbot renew
If certbot reports the certificate isn't yet due for renewal but it's actually expired (which can happen if the local clock is off, or if the renewal cron has been failing silently), force it:
sudo certbot renew --force-renewal
After renewal, restart or reload your web server so it picks up the new certificate:
sudo systemctl reload nginx # or apache2, etc.
If the renewal fails with "missing account" or "no certificates configured," the original setup may have been lost. In that case, request a fresh certificate via Beacon (above) or set up certbot from scratch.
Renewing a purchased certificate (DigiCert, Sectigo, GoDaddy, etc.)
For certificates purchased from a commercial CA, the renewal process is:
- Log in to your CA portal.
- Find the certificate that's expiring.
- Click "renew" or "reissue."
- Complete domain validation if requested (usually a DNS or HTTP file challenge).
- Download the new certificate + intermediate chain.
- Install on your servers (same paths as the old certificate).
- Restart your web server.
Validation timing depends on the certificate type:
- Domain Validated (DV) - usually issued within minutes.
- Organization Validated (OV) - can take hours, requires light business verification.
- Extended Validation (EV) - can take days, requires more rigorous business verification.
If the validation will take longer than you can afford to be down, get a free Beacon certificate as a temporary bridge while the commercial CA processes the renewal.
Renewing on managed cloud platforms
If your TLS termination happens on a cloud platform, the platform usually handles renewal automatically. If you're seeing an expired certificate here, something in the platform's setup needs attention:
- AWS Certificate Manager (ACM) - auto-renews if the certificate is "in use" by an AWS service. If renewal is failing, check that DNS validation records are still present in your DNS provider.
- Google Cloud Certificate Manager - similar pattern. Verify that the underlying Load Balancer is healthy.
- Cloudflare - managed certificates auto-renew transparently. If an outage is occurring here, check that your Cloudflare account is in good standing and the domain's nameservers still point to Cloudflare.
- Heroku / Render / Fly.io / Vercel / Railway - modern PaaS providers handle TLS automatically. Check the platform's TLS settings or support documentation if renewal isn't happening.
Installing the renewed certificate
Once you have the new certificate file(s) and the matching private key, install them:
nginx
ssl_certificate /etc/ssl/fullchain.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
Validate the config and reload:
sudo nginx -t
sudo systemctl reload nginx
Apache
SSLCertificateFile /etc/ssl/cert.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem
SSLCertificateChainFile /etc/ssl/chain.pem
Validate and reload:
sudo apachectl configtest
sudo systemctl reload apache2
Verify the renewal worked
Check from a machine that isn't on the affected network:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Confirm the notAfter date is now well in the future. Then load the site in an incognito browser window. If the warning is gone, you're done. If you're behind a CDN, wait 5–10 minutes for cache invalidation before re-testing.
Make this the last manual renewal
Manual renewal works once. It does not scale, and it does not survive turnover. The structural fix is automation plus monitoring - automation to handle the routine renewals, and monitoring to catch the cases where automation fails silently.
Stop this from happening again
TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.
Related reading
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.