Introduction

Expired SSL certificates immediately break HTTPS connectivity. Browsers show security warnings, API clients reject connections, and health checks fail. This is one of the most preventable yet common production outages.

Symptoms

- Browser shows "Your connection is not private"
- curl returns: "SSL certificate problem: certificate has expired"
- Health checks fail with SSL errors
- Mobile apps cannot connect to API
- Error: "CERT_HAS_EXPIRED" in application logs

Common Causes

- Certificate expiration date not monitored
- Auto-renewal (certbot) failed silently
- Certificate chain incomplete (missing intermediate)
- Load balancer not updated with new certificate
- Certificate deployed to wrong server

Step-by-Step Fix

1. **Check certificate expiration**:
```bash
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
```

2. **Renew with Let's Encrypt**:
```bash
certbot renew --force-renewal
# Verify
certbot certificates
```

3. **Update load balancer certificate**:
```bash
# Request a replacement certificate from ACM, validated via DNS
aws acm request-certificate --domain-name example.com --validation-method DNS
# Point the listener's default certificate at the new ARN
aws elbv2 modify-listener --listener-arn <arn> --certificates CertificateArn=<new-arn>
```

Prevention

- Monitor certificate expiration with alerts (30, 14, 7 days)
- Use cert-manager for Kubernetes automatic renewal
- Set up ACM certificate auto-renewal for AWS
- Test certificate renewal in staging
- Use certificate transparency logs for discovery
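
The 30/14/7-day alerting above can be driven directly from the `openssl x509 -noout -dates` output of step 1. The following is an added example, not part of the original page; the function names and `SAMPLE_DATES` (a constructed sample, not real certificate data) are assumptions for illustration.

```python
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # thresholds from the Prevention list

# Constructed sample of `openssl x509 -noout -dates` output (not real data).
SAMPLE_DATES = """notBefore=Mar  3 00:00:00 2025 GMT
notAfter=Jun  1 23:59:59 2025 GMT
"""

def parse_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
            ts = ssl.cert_time_to_seconds(value)
            fields[key] = datetime.fromtimestamp(ts, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]

def alert_level(text, now=None):
    """Map a certificate's validity window to (level, whole days left)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now).days  # floors, so negative once expired
    if now >= not_after:
        return "expired", days_left
    if now < not_before:
        return "not-yet-valid", days_left
    # Report the tightest threshold already crossed: 7, then 14, then 30.
    for limit in sorted(ALERT_DAYS):
        if days_left <= limit:
            return f"alert-{limit}d", days_left
    return "ok", days_left

if __name__ == "__main__":
    print(alert_level(SAMPLE_DATES))
```

Pipe the output of the step 1 command into `alert_level` from a scheduled job and page on anything other than `ok`; the `not-yet-valid` case catches a freshly issued certificate deployed to a host with a skewed clock.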