If you arrived here because your site is throwing browser warnings or your monitoring just lit up: take a breath. This is a common, fixable problem. The steps below get you back online quickly, then make sure it doesn't happen again.
Step 1: Confirm the certificate is actually expired
Before doing anything else, verify what you're looking at. A browser warning can mean several different things - expired certificate, hostname mismatch, broken chain, untrusted issuer. The fix for each is different.
The fastest way to check is from a terminal:
openssl s_client -servername example.com -connect example.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -dates
Look at the notAfter line. If that date is in the past, your certificate has expired. If it isn't, the problem is something else - see the section on browser warnings later in this post.
Not comfortable with the command line?
Type your domain below and our free scanner will confirm whether your certificate is expired, when it expires, and who issued it. Results open in a new tab.
Step 2: Get a working certificate
You have three paths, depending on where the original certificate came from:
- Issued by Let's Encrypt with automation (certbot, Caddy, etc.) - your automation has failed silently. Try running the renewal manually: sudo certbot renew --force-renewal. If that succeeds, deploy the new certificate and check why the automation didn't fire (cron, systemd timer, account permissions).
- Purchased from a commercial CA (DigiCert, Sectigo, GoDaddy, etc.) - log into the CA portal and reissue. Validation usually takes minutes for DV certs, hours-to-days for OV/EV. While you wait, use Beacon below for a free interim certificate.
- You don't know where the original came from - common with inherited infrastructure. Issue a fresh certificate from Beacon (free) to get back online, then sort out the longer-term cert provider afterwards.
Need a working certificate right now?
Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.
Step 3: Install the new certificate
Once you have a new certificate and its private key, install it on the right server. The location depends on your stack:
- nginx - replace the ssl_certificate and ssl_certificate_key files, run nginx -t to validate, then sudo systemctl reload nginx.
- Apache - replace SSLCertificateFile and SSLCertificateKeyFile entries, run apachectl configtest, then sudo systemctl reload apache2.
- Cloudflare, AWS ELB, GCP Load Balancer, Azure App Service - upload via the respective console or API; the platform applies the certificate within a few minutes.
- Heroku, Render, Fly.io, Vercel - most modern PaaS providers handle certificate renewal automatically. If you're seeing an expired certificate here, check the platform's TLS settings or contact support.
Step 4: Verify the fix from outside
Don't trust the server's report - verify what real users see. From a terminal that isn't on the affected network:
curl -vI https://example.com 2>&1 | grep -E "expire|valid"
Or load the site in an incognito browser window. If the warning is gone, you're back online. Wait a few minutes if you're behind a CDN - caches can lag by 5-10 minutes.
Confirm the fix the way your visitors see it
Run your domain through our free scanner to verify the new certificate is live, trusted, and serving the full chain. It checks from outside your network, so you see what real users see. Results open in a new tab.
Step 5: Make sure this never happens again
Here is the uncomfortable truth: an expired certificate does not just show a technical warning. It puts a full-page "your connection is not private" screen between your customers and your business. People who were ready to buy turn around and leave. Support tickets pile up. Your helpdesk inbox fills with "is your site down?" emails. And every visitor who sees that red warning quietly wonders whether your company can be trusted at all. The lost sales and the dent in your reputation cost far more than the certificate ever did.
The worst part is that this is one of the most preventable outages there is. An expired certificate announces itself weeks in advance. It can be caught very early, long before a single customer is affected, if something is actually watching. An expired certificate is almost always a monitoring failure, not a cryptography failure: someone got a reminder, or an automation ran, and the signal was missed. The fix is structural, not technical.
Three practices that prevent the next expiry:
- Alerts go to a team, not a person. A shared Slack channel or PagerDuty service survives turnover; a personal email doesn't.
- External monitoring catches what internal monitoring misses. Your renewal script can report success while the deployed certificate is still the old one. External checks verify what real users see.
- Multi-tier alerts. 30 days, 14 days, 7 days, 3 days, 1 day. The early ones are reminders; the late ones are emergencies. Don't rely on a single "expires in 30 days" email.
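The multi-tier schedule above, applied to the notAfter line that the Step 1 command prints. This is an added example, not the site's own tooling; the function names, the script name in the usage comment and the sample dates are constructed for illustration.

```python
import ssl
import sys
from datetime import datetime, timezone

TIERS = (30, 14, 7, 3, 1)  # alert thresholds from the list above, in days

# Constructed sample of what the Step 1 command prints (not a real certificate).
SAMPLE_DATES = """notBefore=Mar  3 12:00:00 2025 GMT
notAfter=Jun  1 12:00:00 2025 GMT"""


def parse_not_after(dates_output: str) -> datetime:
    """Pull notAfter out of `openssl x509 -noout -dates` output."""
    for line in dates_output.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "notAfter":
            # Parses OpenSSL's "Jun  1 12:00:00 2025 GMT" form into epoch seconds.
            seconds = ssl.cert_time_to_seconds(value)
            return datetime.fromtimestamp(seconds, tz=timezone.utc)
    # Empty output usually means the TLS connection itself failed.
    raise ValueError("no notAfter line found")


def alert_tier(not_after: datetime, now: datetime):
    """Return (whole_days_left, tier): tier is "expired", the tightest
    threshold already crossed, or None when more than 30 days remain."""
    seconds_left = (not_after - now).total_seconds()
    if seconds_left <= 0:
        return 0, "expired"
    days_left = int(seconds_left // 86400)
    crossed = [t for t in TIERS if days_left <= t]
    return days_left, (min(crossed) if crossed else None)


if __name__ == "__main__":
    # Usage (hypothetical file name): <Step 1 command> | python3 expiry_tier.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DATES
    days, tier = alert_tier(parse_not_after(text), datetime.now(timezone.utc))
    print(f"days left: {days}, alert tier: {tier}")
    # Non-zero exit lets cron or CI treat a crossed tier as a failure.
    sys.exit(0 if tier is None else 1)
```

Run it from a host outside the affected network so it measures the certificate users actually receive, and route the non-zero exit to a shared channel rather than one person's inbox.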
Stop this from happening again
TLS Radar continuously monitors every certificate across your domains and alerts you weeks before anything expires, and also catches the silent failure modes (chain breaks, weak ciphers, hostname mismatches) that expiry-only monitoring misses. Built for solo developers monitoring a handful of sites and for enterprise teams managing thousands of certificates across multiple environments.
If the browser warning persists after renewing
Two common culprits:
- CDN caching - the CDN is still serving the old certificate. Force a cache invalidation, or wait for natural cache expiry (5–10 minutes typically).
- Chain validation - the new certificate is fine, but the intermediate chain isn't being sent. Run openssl s_client again and confirm the chain length. If only one certificate appears, your server is missing intermediates.
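The chain-length check above, automated against the "Certificate chain" section of openssl s_client output. This is an added example, not code from this post; it goes one step beyond counting by also confirming each certificate's issuer matches the next certificate's subject, and the sample output and names are constructed.

```python
import re

# One chain entry in s_client output looks like:
#  0 s:<subject>
#    i:<issuer>
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)

# Constructed sample: a server that sends only its leaf certificate.
SAMPLE_LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
Server certificate
"""


def chain_entries(s_client_output: str):
    """Return [(depth, subject, issuer), ...] for the certificates the server sent."""
    parts = s_client_output.split("Certificate chain", 1)
    if len(parts) < 2:
        raise ValueError("no 'Certificate chain' section; the handshake likely failed")
    body = parts[1].split("\n---", 1)[0]  # section ends at the next '---' line
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(body)]


def chain_problems(entries):
    """List what is wrong with the chain as served; an empty list means it looks complete."""
    problems = []
    # A lone certificate that is not self-signed needs intermediates the server is not sending.
    if len(entries) == 1 and entries[0][1] != entries[0][2]:
        problems.append("only the leaf was sent: intermediates are missing")
    # Each certificate should be issued by the one that follows it.
    for (_, _, issuer), (depth, subject, _) in zip(entries, entries[1:]):
        if issuer != subject:
            problems.append(f"certificate {depth} is not the issuer of certificate {depth - 1}")
    return problems


if __name__ == "__main__":
    for problem in chain_problems(chain_entries(SAMPLE_LEAF_ONLY)) or ["chain looks complete"]:
        print(problem)
```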