Introduction

TLS fails hard when the live certificate is expired or when the server does not present a chain clients can validate to a trusted root. These issues are often conflated, but they are different failure modes. One is a renewal or deployment timing problem. The other is usually a missing intermediate certificate, wrong fullchain file, or incomplete listener configuration.

Symptoms

  • Browsers warn that the certificate is expired or not trusted
  • curl returns "certificate has expired" or "unable to get local issuer certificate"
  • Some clients fail while others appear to work because they cached intermediates differently
  • A recent renewal finished, but the public endpoint still serves the old certificate

Common Causes

  • The certificate renewed on disk, but the web server or load balancer still serves the old one
  • The full chain file is incomplete or points to the wrong intermediate certificate
  • A listener, reverse proxy, or CDN still references an older certificate object
  • Renewal automation succeeded on one node but not across the whole cluster

Step-by-Step Fix

  1. Inspect the certificate the public endpoint is actually serving.
     Do not trust local files alone. Check the live endpoint and capture the validity dates and issuer chain it returns to clients.

```bash
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -issuer -subject
```

  2. Verify the full chain file and intermediate certificates.
     A valid leaf certificate still fails if the server does not present the required intermediate chain.

```bash
# Pass the deployed intermediate bundle with -untrusted (placeholder path); checking the leaf alone says nothing about whether the server presents the intermediate
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted /path/to/intermediate.pem /etc/nginx/ssl/server.crt
```

  3. Renew or redeploy the certificate and reload the serving layer.
     If the certificate is expired, complete the renewal and ensure the process that terminates TLS actually reloads the new files.

```bash
certbot renew --dry-run
# --deploy-hook runs once for each certificate that was actually renewed, so the TLS terminator picks up the new files
certbot renew --deploy-hook "systemctl reload nginx"
```

  4. Retest the live endpoint after reload, not just the local certificate file.
     Many incidents linger because the right file exists on disk while the old certificate is still being served by the active process.
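The four steps above, folded into one client-side checker. This is an added example written for this page, not a script from the original text or any project: it assumes only openssl and POSIX tools, uses the page's trust-store path /etc/ssl/certs/ca-certificates.crt as the default CA file, and the script name check_tls_endpoint.sh and function names are hypothetical. Every check operates on a PEM bundle, so the same functions run against the chain captured from a live endpoint (step 1), a fullchain file on disk (step 2), and the comparison of the two that step 4 and the Prevention list call for.

```bash
#!/bin/sh
# check_tls_endpoint.sh (added example, not from the original page): client-side
# checks for expired leaves and missing intermediates. Works on PEM bundles so
# each step can be run against a chain captured from a live endpoint or a file
# on disk. Assumes openssl plus POSIX awk/sed/cut; the default CA file is the
# trust-store path used on the page and is assumed to exist on the host.

# Print the first certificate of a PEM bundle (the leaf a server presents first).
leaf_of() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1"
}

# Print every certificate after the first (the intermediates the server sends).
intermediates_of() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1"
}

# Capture the chain HOST:PORT actually serves for SNI name HOST into OUT.
fetch_served_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  [ -s "$out" ]
}

# Succeed only if the leaf in BUNDLE chains to CAFILE using the intermediates
# carried in BUNDLE. A leaf whose intermediate is missing from the bundle fails
# here the same way a client reports "unable to get local issuer certificate".
chain_verifies() {
  bundle=$1; cafile=${2:-/etc/ssl/certs/ca-certificates.crt}
  tmp=$(mktemp -d)
  leaf_of "$bundle" > "$tmp/leaf.pem"
  intermediates_of "$bundle" > "$tmp/int.pem"
  if [ -s "$tmp/int.pem" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$tmp/int.pem" "$tmp/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$cafile" "$tmp/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Succeed if the leaf in BUNDLE expires within SECONDS. openssl -checkend is
# portable, unlike parsing the notAfter string with date(1).
expires_within() {
  if leaf_of "$1" | openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# SHA-256 fingerprint of the leaf in BUNDLE, used to tell "renewed on disk"
# apart from "renewed and actually served".
leaf_fingerprint() {
  leaf_of "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if two bundles carry the same leaf certificate.
same_leaf() {
  [ "$(leaf_fingerprint "$1")" = "$(leaf_fingerprint "$2")" ]
}

# Full check of a live endpoint; LOCAL_CERT (optional) is the file renewal wrote.
# Returns non-zero when anything a client would reject was found.
check_endpoint() {
  host=$1; port=$2; local_cert=${3:-}; cafile=${4:-/etc/ssl/certs/ca-certificates.crt}
  served=$(mktemp); status=0
  fetch_served_chain "$host" "$port" "$served" || { echo "no certificate received from $host:$port"; rm -f "$served"; return 1; }
  leaf_of "$served" | openssl x509 -noout -subject -issuer -dates
  echo "intermediates served: $(intermediates_of "$served" | grep -c 'BEGIN CERTIFICATE')"
  chain_verifies "$served" "$cafile" || { echo "FAIL: served chain does not validate against $cafile"; status=1; }
  expires_within "$served" $((14 * 86400)) && { echo "FAIL: served leaf expires within 14 days"; status=1; }
  if [ -n "$local_cert" ] && ! same_leaf "$served" "$local_cert"; then
    echo "FAIL: endpoint serves a different certificate than $local_cert (reload the TLS terminator)"
    status=1
  fi
  rm -f "$served"
  return $status
}

# Usage: ./check_tls_endpoint.sh example.com 443 [/etc/nginx/ssl/server.crt]
if [ "$#" -ge 2 ]; then
  check_endpoint "$@"
fi
```

Run it from a cron job or monitoring host rather than from the web server itself, so the check sees the chain a client sees and not the file on disk; a non-zero exit means the endpoint is expired, expiring within 14 days, missing an intermediate, or still serving a certificate other than the one renewal produced.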

Prevention

  • Monitor public certificate expiry from the client side, not only local renewal logs
  • Deploy the full chain consistently across web servers, proxies, and load balancers
  • Reload or rotate the serving process as part of every certificate renewal workflow
  • Audit clustered environments to ensure every node serves the same renewed certificate