Introduction

An expired SSL certificate breaks trust immediately. Browsers warn users, APIs may refuse connections, and monitoring often flips red even if the underlying site is otherwise healthy. The fastest fix is not only renewing the certificate, but making sure the renewed certificate is actually the one being served.

Symptoms

  • Browsers display a certificate expired warning
  • API clients or webhooks refuse the HTTPS connection
  • SSL monitoring reports an expired leaf certificate
  • A renewed certificate exists on disk but the public site still shows the old one
  • The error started after an auto-renewal job failed or a hosting move changed certificate paths

Common Causes

  • Automatic renewal never ran or failed silently
  • The new certificate was issued but not deployed to the live service
  • A load balancer, CDN, or secondary proxy still serves the old certificate
  • The server time or certificate chain is wrong enough to make the cert appear invalid
  • Multiple virtual hosts point to different certificate files and one hostname was missed

Step-by-Step Fix

  1. Inspect the live certificate presented by the failing hostname and confirm the actual expiration date users are seeing.
  2. Check your certificate automation, hosting panel, or ACME client logs to determine whether renewal failed or deployment failed.
  3. Renew the certificate if needed, then verify the full chain and private key pair are complete and correct.
  4. Update the web server, reverse proxy, or load balancer to point to the new certificate files for the affected hostname.
  5. Reload or restart the relevant service so the active process begins serving the renewed certificate.
  6. If a CDN or edge proxy is involved, verify whether it terminates TLS itself and needs a separate certificate refresh.
  7. Test the hostname from public SSL tools and a browser session to confirm the new not-after date is now visible externally.
  8. Review system time, intermediate certificates, and SAN coverage if clients still distrust the connection after renewal.
  9. Set up renewal alerts and post-renew validation so the next expiration is caught before traffic is impacted.