Your SSL Certificate Expired: How to Fix It Fast

By JustAddContent Team · 2026-03-29 · 10 min read
Your website is showing a terrifying warning. Instead of your homepage, visitors see a full-screen browser message: "Your connection is not private" or "This site's security certificate has expired." Most people will not click through that warning. They will leave immediately and may never come back.

An expired SSL certificate is one of the most urgent website problems you can face, but it is also one of the simplest to fix. This guide will walk you through the immediate steps to get your SSL renewed, resolve any lingering issues, and set up systems so this never happens again.

What Is an SSL Certificate (and Why Does It Matter)?

An SSL (Secure Sockets Layer) certificate encrypts the connection between your website and your visitors' browsers. When active, it enables HTTPS (the padlock icon in the browser's address bar). When it expires, browsers immediately flag your site as insecure.

The Impact of an Expired SSL

  • Visitors see a security warning that prevents them from accessing your site
  • Google may drop your rankings. HTTPS is a ranking factor, and an insecure warning signals a problem.
  • Customer trust is destroyed. Even after renewal, some visitors who saw the warning may not return.
  • Form submissions and payments stop working. Browsers block data transmission on insecure pages.
  • Compliance violations may apply if you handle personal or financial data.

For a complete overview of how SSL works and why it matters, read our guide on SSL certificates explained and why your site needs HTTPS.

Step 1: Verify the Problem

Before troubleshooting, confirm that an expired certificate is actually the issue.

Check Your Certificate Status

In your browser:

  1. Visit your website
  2. Click the padlock icon (or warning icon) in the address bar
  3. Click "Certificate" or "Connection is secure/not secure"
  4. Look at the "Valid from" and "Valid to" dates

Using an online tool:

Use our SSL certificate checker or visit SSL Labs (ssllabs.com/ssltest) and enter your domain. This shows the full certificate details, including expiration date and any configuration issues.

From the command line:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Common Error Messages

  • "Your connection is not private" (Chrome): The certificate has expired or is not valid
  • "Warning: Potential Security Risk Ahead" (Firefox): Same issue, different browser
  • "NET::ERR_CERT_DATE_INVALID": The certificate's dates are outside the valid range
  • "NET::ERR_CERT_AUTHORITY_INVALID": The certificate is not from a trusted authority (different from expiration, but still an SSL issue)

Step 2: Renew Your SSL Certificate

The renewal process depends on how your SSL is set up.

Scenario A: Free SSL from Your Hosting Provider

Most modern hosting providers include free SSL certificates (usually from Let's Encrypt) that should auto-renew. If yours expired, the auto-renewal likely failed.

How to fix it:

  1. Log in to your hosting control panel (cPanel, Plesk, or your host's dashboard)
  2. Navigate to the SSL/TLS or Security section
  3. Look for an option to reissue or renew the certificate
  4. If available, click to renew/reissue the free SSL certificate
  5. Wait a few minutes for the certificate to be installed

If the auto-renewal failed:

Contact your hosting provider's support. Common reasons for failure include:

  • Domain verification could not be completed (DNS records changed)
  • HTTP validation could not reach your server (firewall or .htaccess rules blocking the validation path)
  • The hosting account has billing issues
  • Let's Encrypt rate limits were hit (rare, but possible)

Scenario B: Let's Encrypt (Self-Managed)

If you manage your own server and installed Let's Encrypt certificates manually:

Renew manually:

sudo certbot renew

If that fails, force renewal:

sudo certbot renew --force-renewal

Set up auto-renewal (if not already configured):

sudo crontab -e

Add this line to renew twice daily (certbot only renews when within 30 days of expiration):

0 0,12 * * * certbot renew --quiet

Restart your web server after renewal:

sudo systemctl restart nginx
# or
sudo systemctl restart apache2

Scenario C: Paid SSL Certificate

If you purchased an SSL certificate from a certificate authority (DigiCert, Comodo, GoDaddy, etc.):

  1. Log in to your certificate provider's dashboard
  2. Find your expiring/expired certificate
  3. Click to renew (you will likely need to pay for another term)
  4. Complete the domain validation process (this varies by provider, typically email or DNS validation)
  5. Download the renewed certificate files
  6. Install the certificate on your server or through your hosting panel

Scenario D: Cloudflare or CDN-Provided SSL

If you use Cloudflare or another CDN that provides SSL:

  1. Log in to your Cloudflare dashboard
  2. Go to SSL/TLS settings
  3. Check the certificate status
  4. If the edge certificate has expired, Cloudflare should reissue it automatically. If it has not, check your domain's DNS settings and make sure your nameservers still point to Cloudflare.
  5. For origin certificates (between Cloudflare and your server), generate a new origin certificate in the Cloudflare dashboard.

Step 3: Verify the Fix

After installing the renewed certificate, confirm everything is working.

Immediate Checks

  1. Visit your website in a fresh browser window (or clear your cache). You should see the padlock icon without any warnings.
  2. Check on multiple browsers. Test Chrome, Firefox, Safari, and Edge if possible.
  3. Test on mobile devices. Some mobile browsers handle certificates differently.
  4. Run an SSL test. Use SSL Labs (ssllabs.com/ssltest) to verify the certificate is properly installed and configured.

Check for Certificate Chain Issues

Sometimes the certificate itself is renewed, but the intermediate certificates (the "chain") are not properly installed. This causes errors in some browsers but not others.

SSL Labs will flag this as an "Incomplete chain" issue. To fix it:

  1. Download the complete certificate chain from your certificate provider
  2. Install the intermediate certificates alongside your primary certificate
  3. Verify with SSL Labs again

Step 4: Fix Mixed Content Warnings

Even after renewing your SSL, you may see a "Not fully secure" warning or a broken padlock icon. This means your HTTPS page is loading some resources (images, scripts, stylesheets) over HTTP.

How to Find Mixed Content

In Chrome:

  1. Open Developer Tools (F12)
  2. Go to the Console tab
  3. Look for "Mixed Content" warnings that identify specific resources loading over HTTP

Using an online scanner:

Tools like "Why No Padlock?" (whynopadlock.com) scan your page and list all insecure resources.

How to Fix Mixed Content

Step 1: Update URLs in your CMS. In WordPress, go to Settings > General and make sure both URLs use https://.

Step 2: Search and replace HTTP URLs. Use a plugin like Better Search Replace (WordPress) to change all http://yourdomain.com references to https://yourdomain.com in your database.

Step 3: Update hardcoded URLs in theme files. Search your theme's template files for any hardcoded http:// URLs and change them to https:// (or use protocol-relative URLs: //yourdomain.com).

Step 4: Add a Content Security Policy header. As a safety net, you can tell browsers to automatically upgrade HTTP requests to HTTPS. On Apache with mod_headers enabled, add this to your site configuration or .htaccess file:

Header always set Content-Security-Policy "upgrade-insecure-requests"

Step 5: Check third-party resources. External scripts, images, and embeds must also use HTTPS. If a third-party resource does not support HTTPS, you may need to find an alternative or host the resource yourself.

Step 5: Set Up Auto-Renewal and Monitoring

The best way to deal with an expired SSL certificate is to prevent it from expiring in the first place.

Enable Auto-Renewal

Hosting provider SSL: Most hosting providers auto-renew free SSL certificates. Verify this is enabled in your hosting control panel. If you are unsure, contact your provider.

Let's Encrypt: The certbot tool should be configured with a cron job or systemd timer for automatic renewal. Verify your auto-renewal is working:

sudo certbot renew --dry-run

Paid certificates: Set up auto-renewal with your certificate provider if available. Keep your payment method current to avoid failed renewals due to billing issues.

Set Up Expiration Monitoring

Even with auto-renewal, monitoring provides a safety net.

Free monitoring options:

  • UptimeRobot (uptimerobot.com): Free tier monitors your site and alerts you to SSL issues
  • SSL Certificate Expiry Monitor browser extensions
  • Google Search Console: Will notify you of SSL issues affecting your indexing

Calendar reminders: Set a calendar reminder for 30 days before your certificate's expiration date. This gives you time to investigate if auto-renewal fails.
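
A self-hosted complement to the monitoring services above, as an added example that is not from the original guide: a Python check, suitable for cron, that reports days until expiry using the same 30-day window as the calendar reminder. The function names, status labels and sample dates are constructed for this illustration.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 30         # same 30-day window this guide uses for reminders
CERT_HAS_EXPIRED = 10  # OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED

# Constructed sample of what `openssl x509 -noout -dates` prints.
SAMPLE_DATES = "notBefore=Dec 29 00:00:00 2025 GMT\nnotAfter=Mar 29 00:00:00 2026 GMT\n"


def parse_openssl_dates(text):
    """Turn 'notBefore=...' / 'notAfter=...' lines into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return (status, whole days left) for a notAfter string."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "renew-now", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=10):
    """Fetch the live certificate for `host` and classify it."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake, so no notAfter is read.
        if exc.verify_code == CERT_HAS_EXPIRED:
            return "expired", None
        return "invalid: " + exc.verify_message, None

if __name__ == "__main__":
    results = {name: check_host(name) for name in sys.argv[1:]}
    for name, (status, days) in results.items():
        print(f"{name}: {status} (days left: {days})")
    sys.exit(1 if any(s != "ok" for s, _ in results.values()) else 0)
```

Run it with one or more domains as arguments; the non-zero exit status on anything other than "ok" lets cron or a wrapper script send the alert.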

Choose the Right SSL Setup

If you are evaluating your SSL setup, consider these options based on your needs:

  • Free Let's Encrypt (via hosting): Best for most small business websites. Auto-renews every 90 days.
  • Free Cloudflare SSL: Good if you are already using Cloudflare for CDN/security.
  • Paid DV (Domain Validation) SSL: Similar to free options but with longer validity periods (1 year) and vendor support.
  • Paid OV (Organization Validation) SSL: Includes business identity verification. Good for businesses that want additional trust signals.
  • Paid EV (Extended Validation) SSL: Highest level of verification. Less common now that browsers no longer show the green bar.

For most small businesses, a free Let's Encrypt certificate through your hosting provider is the best option. It is secure, automatic, and costs nothing. For guidance on choosing a host that handles SSL well, read our guide on how to choose web hosting for small business.

Step 6: Check for SEO Impact

If your certificate was expired for more than a few hours, check for any SEO impact.

In Google Search Console

  1. Check the Coverage report for any new errors related to HTTPS
  2. Review the Security Issues report for any flags
  3. Use the URL Inspection tool to verify Google can access your HTTPS pages
  4. Check the Performance report for any traffic drops coinciding with the expiration

Recovery Steps

  • If Google indexed HTTP versions of your pages during the outage, ensure your 301 redirects from HTTP to HTTPS are still in place
  • Request re-indexing for any affected pages through the URL Inspection tool
  • Monitor rankings for the next two weeks to confirm recovery

For a broader security framework for your website, our website security guide for small businesses covers everything from SSL to firewalls to backup strategies.

SSL Certificate Quick Reference

| Issue | Cause | Fix |
|-------|-------|-----|
| Certificate expired | Auto-renewal failed or was not set up | Renew through hosting panel or certificate provider |
| "Not fully secure" warning | Mixed content (HTTP resources on HTTPS page) | Find and update all HTTP URLs to HTTPS |
| Certificate not trusted | Self-signed or missing intermediate certificates | Install a certificate from a trusted authority with the full chain |
| Certificate name mismatch | Certificate issued for a different domain | Issue a new certificate for the correct domain |
| Certificate revoked | Provider revoked it (rare, usually due to compromise) | Contact your certificate provider for reissuance |

Prevention Checklist

  • [ ] Enable auto-renewal for your SSL certificate
  • [ ] Set up expiration monitoring (UptimeRobot or similar)
  • [ ] Add a calendar reminder 30 days before expiration
  • [ ] Keep your hosting account billing information current
  • [ ] Test auto-renewal periodically (certbot renew --dry-run)
  • [ ] Verify DNS records are correct (required for renewal validation)
  • [ ] Fix all mixed content issues after renewal
  • [ ] Keep your hosting provider's contact info handy for emergencies

An expired SSL certificate is alarming but fixable, usually within minutes if you know where to look. The key is acting quickly when it happens and setting up the monitoring and auto-renewal systems that prevent it from happening again. Your visitors (and Google) will never know there was a problem.