When an SSL certificate expires, nothing degrades gracefully. The site does not get slower or show a small warning in the corner. Browsers throw a full-page interstitial that almost nobody clicks through, API clients refuse the connection outright, and anything doing strict TLS verification (payment processors, mobile apps, server-to-server calls) simply stops. The failure is total, and it starts the moment the clock passes the certificate's not-after date.

If you are reading this because a certificate just lapsed, the next few minutes matter. Here is what is happening and how to get back up.

What an Expired Certificate Actually Breaks

A browser hitting an expired cert shows NET::ERR_CERT_DATE_INVALID (or the equivalent) and blocks the page behind a warning. Some users will click through; most will leave and assume the site is broken or unsafe.

The quieter damage is everything that is not a browser. API clients, SDKs, webhooks, and mobile apps usually verify certificates strictly and have no "proceed anyway" button. They just fail. A payment gateway stops mid-transaction, a mobile app cannot reach its backend, a scheduled job that calls an internal API starts throwing TLS errors. Because these clients fail silently rather than showing a warning, the expiry often surfaces as a pile of unrelated-looking incidents before anyone connects them to one lapsed certificate.

First, Confirm It Is Really Expiry

Not every TLS error is an expired certificate. A missing intermediate, a hostname mismatch, or a clock skew on the client can all look similar from the outside. Before you renew anything, confirm what actually broke. You can check the certificate on any hostname to see the exact expiry date, days remaining, hostname coverage, and chain, which rules out a chain or hostname problem masquerading as expiry. Check from outside your network, not from a desktop browser that may have cached an old certificate or intermediate.

Fix It: Renew, Then Actually Deploy

The fix is two steps, and teams routinely do only the first.

  1. Renew the certificate. If you use an ACME client like Certbot with Let's Encrypt, trigger a renewal and check that it succeeded this time. If you buy certificates from a commercial CA, reissue and download the new cert plus its intermediate chain.
  2. Deploy it everywhere the old one lived. This is where outages persist. A certificate is often served from more than one place: several web nodes behind a load balancer, a separate API gateway, a mail server, a reverse proxy. Renewing on one box while a load balancer still serves the old cert changes nothing for visitors. Install the new certificate and its full chain on every endpoint that terminates TLS, then reload the service so it picks up the new file. The goodtls.com TLS configuration guides cover where each server expects the certificate and chain to live.

Verify the Fix From Outside

Once deployed, do not trust your own browser; it caches aggressively. Re-check the hostname from an external tool and confirm the new not-after date, then repeat for every endpoint and every name on the certificate (each SAN, the apex, and any www or API subdomains). An expired wildcard or multi-domain cert can leave one hostname fixed and another still broken. Our SSL certificate renewal checklist walks through the full verify-and-deploy sequence.

Why Certificates Expire Unnoticed, and How to Stop It

Expired-cert outages are almost never a surprise in hindsight. The renewal cron failed quietly weeks ago. The certificate lived on a host nobody owns anymore. Short-lived certificates rotate every few weeks now, so the margin for a silent failure is thinner than it used to be. The common thread is that no one was watching the not-after date.

The durable fix is to stop relying on memory. SSL certificate monitoring tracks the expiry date on every certificate you serve, across public endpoints and internal hosts, and alerts you with days or weeks of lead time instead of the morning it lapses. It also catches the failures that are not expiry at all: a dropped intermediate, a hostname the cert no longer covers, a weak key. The spot check above tells you where you stand right now; monitoring is what keeps you from reading this post again next quarter.
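The triage described above (confirming that the error really is expiry rather than a chain or hostname problem, then re-checking every SAN from outside after deploy) and the monitoring sweep just described can be scripted with nothing beyond the Python standard library. The block below is an added example written for this post, not goodtls.com's own tool. SAMPLE_CERT is a constructed dict in the shape getpeercert() returns, the hostnames and the 14-day lead time are assumptions, and check_endpoint() needs network access while the decision functions run offline.

```python
"""Triage and monitor TLS certificate expiry with the standard library only.

Added example for this post, not goodtls.com's tooling. The decision logic
(days_remaining, san_covers, evaluate, classify_error) is pure and runs
against a getpeercert()-style dict; check_endpoint() does the live handshake.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun 20 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def utc(year, month, day):
    """Timezone-aware UTC midnight, so tests and cron runs agree on 'now'."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_remaining(cert, now):
    """Days until not-after; negative once the certificate has expired."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (not_after - now).total_seconds() / 86400


def san_covers(cert, hostname):
    """True if any DNS SAN matches hostname. A wildcard covers one label only,
    so *.example.com matches api.example.com but not deep.api.example.com."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def evaluate(cert, hostname, now, warn_days=14):
    """Return the list of problems for this cert on this hostname (empty = ok).
    warn_days is the alert lead time the monitoring section argues for."""
    problems = []
    days = days_remaining(cert, now)
    if days < 0:
        problems.append("expired")
    elif days < warn_days:
        problems.append("expiring")
    if not san_covers(cert, hostname):
        problems.append("hostname_mismatch")
    return problems


def classify_error(exc):
    """Map an OpenSSL verification failure to the distinct causes the post
    lists, so a chain or clock problem is not mistaken for expiry."""
    msg = str(exc).lower()
    if "certificate has expired" in msg or "certificate is not yet valid" in msg:
        return "expired"          # or client clock skew: check the dates
    if "hostname mismatch" in msg or "doesn't match" in msg or "does not match" in msg:
        return "hostname_mismatch"
    if "unable to get local issuer" in msg or "self signed" in msg or "self-signed" in msg:
        return "chain"            # usually a dropped intermediate
    return "other"


def check_endpoint(hostname, port=443, now=None, warn_days=14, timeout=5.0):
    """Live check: full-verification handshake, then evaluate the leaf cert.
    Returns (problems, cert); on a handshake failure cert is None and
    problems holds the classified cause."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return evaluate(cert, hostname, now, warn_days), cert
    except ssl.SSLError as exc:
        return [classify_error(exc)], None


def sweep(inventory, now=None, warn_days=14):
    """Check every (hostname, port) that terminates TLS and return only the
    ones needing attention, so a scheduled job can alert on the result."""
    findings = {}
    for hostname, port in inventory:
        problems, _ = check_endpoint(hostname, port, now, warn_days)
        if problems:
            findings[f"{hostname}:{port}"] = problems
    return findings


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["example.com"]  # assumed inventory
    for name, problems in sweep([(h, 443) for h in hosts]).items():
        print(name, ", ".join(problems))
```

Run it from a host outside your network against every name on the certificate, not just the apex, and schedule the same sweep so the "expiring" finding arrives with lead time rather than the morning the cert lapses. The verification handshake is kept on (the default context) on purpose: a cert that is valid but missing its intermediate should show up as a chain problem, not as a clean result.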
