All fix guides
CriticalSecurity & HTTPS

Fix an Expired or Invalid SSL Certificate

An expired, invalid, or soon-to-expire TLS/SSL certificate breaks the secure connection between browsers and your server. Visitors hit a full-page "Your connection is not private" warning, Googlebot and AI crawlers get blocked at the handshake, and HTTPS-dependent features stop working. This is a critical, time-sensitive problem. Fix it by renewing or reissuing the certificate, installing the full chain, and enabling auto-renewal so it never lapses again.

What this means

Your site serves HTTPS using a TLS certificate (still commonly called an "SSL certificate") that a browser will not trust. The audit flags this in one of three states:

  • tls_cert_expired — the certificate passed its "Not After" date. It is dead, and every visitor sees a security interstitial.
  • tls_cert_invalid — the certificate is wrong even if it hasn't expired. Common causes: the hostname doesn't match the certificate's Common Name or Subject Alternative Names (e.g. the cert is for example.com but you serve www.example.com), the chain of trust is incomplete (missing intermediate certificate), the cert is self-signed, or it was issued by an untrusted or revoked authority.
  • tls_cert_expiring — the certificate is still valid but its expiry date is close (typically within about 14 to 30 days). This is an early warning so you can renew before it becomes an outage.

Every certificate has a fixed lifetime. Let's Encrypt certificates currently last 90 days. Commercial certificate lifetimes have been cut sharply: as of March 2026 the CA/Browser Forum caps new public TLS certificates at roughly 200 days, down from about 398, and that maximum keeps dropping in the years ahead. When the validity window closes, or the certificate doesn't match your domain and chain, the TLS handshake fails and the browser refuses to load the page over HTTPS.

Why it matters

This is one of the few issues that can take your whole site offline for real users, not just degrade it.

User trust and traffic. An expired or invalid cert triggers a full-page browser interstitial: "Your connection is not private" with NET::ERR_CERT_DATE_INVALID in Chrome, or "Warning: Potential Security Risk Ahead" (SEC_ERROR_EXPIRED_CERTIFICATE) in Firefox. Most people never click through. Conversions, signups, and sales stop instantly.

Google rankings. HTTPS is a confirmed, if lightweight, ranking signal, but the bigger damage is indirect. Googlebot can't fetch pages it can't securely connect to, so recrawling stalls, new content isn't indexed, and existing pages can start dropping out of the index. A prolonged outage looks to Google like a site-wide availability failure. Anything that depends on the page loading also breaks: Core Web Vitals field data, structured-data parsing, and sitemap fetches.

AI answer engines. ChatGPT browsing, Perplexity, Google AI Overviews, and other AI crawlers (GPTBot, PerplexityBot, ClaudeBot, Google-Extended) fetch over HTTPS just like Googlebot. An untrusted certificate blocks them at the handshake, so your content silently drops out of the corpus these engines cite, with no error shown to you. A valid cert is a baseline requirement for being visible to answer engines.

Downstream breakage. If HSTS is enabled, the browser hard-blocks the site with no click-through once the cert fails. Mixed-content protections, service workers, Secure cookies, and any integration that requires a valid TLS endpoint stop working too.

Because the impact is immediate and total, treat this as an emergency, not a backlog item.

How to fix it

  1. 1

    1. Confirm exactly what's wrong

    Diagnose the specific failure before renewing blindly. Open the site in Chrome, click the padlock or warning, and view the certificate to see the expiry date and the domains it covers. From a terminal, run echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer to print the validity dates, subject, and issuer. Use SSL Labs (ssllabs.com/ssltest) for a full report including chain completeness. This tells you whether you need a renewal (expired), a reissue with the right hostnames (invalid CN/SAN), or just the intermediate chain installed.

  2. 2

    2. Renew or reissue the certificate

    If it simply expired, renew it. With Let's Encrypt, run certbot renew (or certbot renew --force-renewal to renew early). For a commercial cert, log into your CA (DigiCert, Sectigo, GoDaddy, and so on), renew the order, complete domain validation (usually an HTTP file or DNS TXT record), and download the new files. If the cert is invalid because the domain doesn't match, reissue it with the correct hostnames. Include both the apex and www (for example example.com and www.example.com), or use a wildcard *.example.com if you have many subdomains.

  3. 3

    3. Install the certificate with the full chain

    A very common 'invalid' cause is a missing intermediate certificate: the leaf cert is fine, but browsers can't build a path back to a trusted root. Always install the full chain (leaf plus intermediate bundle), not just the leaf. On Nginx, point ssl_certificate at the fullchain file. On Apache, set SSLCertificateFile to the cert and, on older versions, SSLCertificateChainFile for the intermediates (Apache 2.4.8+ reads the intermediates from a combined SSLCertificateFile bundle). Restart the web server and re-test with SSL Labs, aiming for a report showing a complete, trusted chain with no 'extra download' warning.

  4. 4

    4. Turn on auto-renewal so it never lapses again

    Most expired-cert incidents are pure process failures: nobody renewed in time. Let's Encrypt and Certbot install a systemd timer or cron job by default. Verify it with systemctl list-timers | grep certbot and test a dry run using certbot renew --dry-run. Managed platforms (Cloudflare, Vercel, Netlify, Shopify, Wix, Squarespace, AWS ACM) auto-renew for you as long as DNS still points at them. For manually managed commercial certs, set a calendar reminder well before expiry and add an external monitor that emails you when the cert is within about two weeks of expiring. Shorter certificate lifetimes make automation essential, not optional.

  5. 5

    5. Verify HTTPS end-to-end and clear caches

    After the new cert is live, load the site in a fresh incognito window and confirm the padlock shows with no warning. Re-check that both https://example.com and https://www.example.com resolve cleanly, since the invalid state often affects only one hostname. If you use a CDN or reverse proxy (Cloudflare, Fastly), make sure the edge certificate and the origin certificate are both valid. A valid edge cert with an expired origin cert still breaks in Cloudflare's 'Full (strict)' SSL mode. Finally, in Google Search Console, use URL Inspection and 'Test Live URL' to confirm Googlebot can now fetch the page.

Example

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;   # force HTTPS
}

server {
    listen 443 ssl;
    http2 on;
    server_name example.com www.example.com;

    # fullchain.pem = leaf certificate + intermediate CA bundle
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # ... rest of your config
}

# Certbot's systemd timer renews and reloads automatically. Verify with:
#   sudo certbot renew --dry-run
#   systemctl list-timers | grep certbot

Nginx: serve the full certificate chain and redirect HTTP to HTTPS. Point ssl_certificate at the fullchain file (leaf plus intermediates), not just the leaf, to avoid 'invalid chain' errors.

Platform-specific steps

Let's Encrypt / Certbot (self-managed servers)

Run sudo certbot renew to renew all certs (add --force-renewal to renew early). Confirm the auto-renew timer exists with systemctl list-timers | grep certbot and test it via certbot renew --dry-run. If a cert is invalid because it's missing a domain, reissue with certbot --nginx -d example.com -d www.example.com. Always reference the fullchain.pem file so the intermediate chain is served.

Cloudflare

Cloudflare provisions and auto-renews the edge (Universal SSL) certificate for free, so the browser-facing cert rarely expires. Most 'invalid cert' errors here come from the origin: in SSL/TLS -> Overview, if the mode is 'Full (strict)', your origin server must present a valid, non-expired cert. Install a free Cloudflare Origin Certificate (SSL/TLS -> Origin Server) on your web server, or renew the origin's own cert. Check SSL/TLS -> Edge Certificates to confirm the Universal cert is active.

Shopify / Wix / Squarespace

These fully managed platforms provision and auto-renew SSL for you, so you never touch certificate files. If SSL shows as expired or pending, it's almost always a DNS problem: the domain's A/CNAME records must point at the platform for it to issue the cert. In the domain settings, disconnect and reconnect the domain (or re-point DNS to the platform's records), then wait for the certificate to reprovision, which can take up to 48 hours. Contact platform support if it stays 'pending' beyond that.

Vercel / Netlify (Next.js and static hosts)

Both issue and auto-renew Let's Encrypt certificates once your domain is added and its DNS points to the platform. If the cert is invalid, open the project's Domains settings and check for a DNS or verification error, usually a stale CNAME or a CAA record blocking Let's Encrypt. Fix the DNS record, then trigger a re-verification; the certificate reissues within minutes. No server config or Certbot needed.

AWS (ACM + CloudFront / ELB)

Use AWS Certificate Manager (ACM) for public certs. ACM auto-renews them as long as the domain-validation DNS CNAME records stay in place, so never delete those Route 53 records. If a cert is 'invalid', check that ACM shows status 'Issued' and that it's actually attached to your CloudFront distribution or load balancer listener. Certs imported into ACM from a third party do NOT auto-renew; replace those before expiry. ACM certs used with CloudFront must be created in us-east-1.

Free tool
Check this with the Security Checker

Frequently asked

What's the difference between an SSL certificate and a TLS certificate?

They are the same thing in everyday use. SSL is the old protocol, deprecated years ago and replaced by TLS. The certificates you install are technically TLS certificates, but the industry still calls them 'SSL certificates' out of habit. Your audit code (tls_cert_*) uses the accurate term. Nothing you do differs based on which name you use.

My certificate isn't expired, so why is the audit calling it invalid?

'Invalid' covers problems beyond expiry. The most common are a hostname mismatch (the cert covers example.com but you serve www.example.com, or the reverse), a missing intermediate or chain certificate so browsers can't verify trust, a self-signed certificate, or a cert from an untrusted or revoked authority. Run an SSL Labs test, which names the exact fault, most often a missing chain or a SAN that doesn't include the hostname you're using.

How do I stop my SSL certificate from expiring again?

Automate renewal and monitor it. Let's Encrypt certs (90-day lifetime) should renew automatically via Certbot's systemd timer or cron; verify with certbot renew --dry-run. Managed hosts like Cloudflare, Vercel, Netlify, Shopify, Wix, and Squarespace renew automatically as long as your DNS still points at them. For manual commercial certs, set a reminder weeks ahead and add an external uptime/SSL monitor that alerts you before expiry. Because certificate lifetimes are shrinking industry-wide, manual renewal is increasingly impractical.

Does an expired SSL certificate hurt my Google rankings?

Yes, mostly indirectly. HTTPS is a minor direct ranking signal; the real harm is that Googlebot can't securely fetch your pages, so recrawling and indexing stall and, over a prolonged outage, pages can drop from the index. Users also bounce off the browser warning, which sends poor engagement signals. Because the fix is fast, there's usually no lasting ranking loss if you renew promptly.

Will a broken certificate affect ChatGPT, Perplexity, and AI Overviews?

Yes. AI crawlers such as GPTBot, PerplexityBot, ClaudeBot, and Google-Extended fetch over HTTPS just like Googlebot. An untrusted or expired certificate fails the TLS handshake and blocks them entirely, so your content silently drops out of the sources these engines read and cite, with no error surfaced to you. A valid cert is a baseline requirement for being visible to answer engines.

Does your site have this issue?

Run a free, AI-powered audit and we’ll flag this and 150+ other checks in about a minute. No signup.

No signup needed. Results in under 60 seconds.

Related fixes