Discovering your SSL certificate has unexpectedly expired can feel like a mini-disaster, especially for solo developers managing VPS or bare-metal servers without dedicated support. Don’t panic—here's exactly how to get your HTTPS back online quickly and ensure it doesn't happen again.
Step 1: Confirm Your SSL Certificate Expiration
First, confirm that the issue is indeed an expired SSL certificate. You can check this quickly in your browser or using a terminal command:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null | openssl x509 -noout -dates
Look for the notAfter date to confirm the expiration.
Step 2: Check if Renewal Occurred but Server Didn't Reload
Before attempting renewal, verify whether your SSL certificate might have been renewed but not yet loaded by your web server:
- If you're using Certbot, run:
sudo certbot certificates
- If you're managing certificates manually (not using Certbot), you'll need to inspect your certificate files directly using OpenSSL:
openssl x509 -in /path/to/your/certificate.crt -noout -dates
If you're unsure where your certificate files are stored, consult your web server's configuration files (e.g., Apache's httpd.conf or Nginx's nginx.conf) to find their paths.
If either method shows a valid (non-expired) certificate, simply reload your web server to apply the updated certificate:
sudo systemctl reload apache2
# or
sudo systemctl reload nginx
If the certificate is truly expired, proceed to immediate renewal.
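The checks from Steps 1 and 2 combined into a small script, as an added example that is not part of the original article: it turns the notAfter line into a days-left figure and status, and compares the certificate the server actually presents with the file on disk to catch the "renewed but never reloaded" case. It assumes GNU date (for -d) and the openssl CLI; the host and file paths in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes GNU date and openssl.
set -euo pipefail

# Days until the notAfter date in a line such as
# "notAfter=Jun  1 12:00:00 2030 GMT" (what `openssl x509 -enddate` prints).
# Negative means the certificate has already expired.
days_until_expiry() {
  local not_after="${1#notAfter=}"
  local expiry_epoch now_epoch
  expiry_epoch=$(date -u -d "$not_after" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Classify a notAfter line as expired / expiring / ok, warning inside
# WARN_DAYS (default 14) so a failed renewal is noticed before the outage.
cert_status() {
  local days warn_days="${2:-14}"
  days=$(days_until_expiry "$1")
  if [ "$days" -lt 0 ]; then echo "expired"
  elif [ "$days" -le "$warn_days" ]; then echo "expiring"
  else echo "ok"; fi
}

# Leaf certificate the server presents; -servername sends SNI, </dev/null
# stops s_client from waiting on stdin.
served_cert() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# SHA-256 fingerprint of a PEM certificate read from stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 2 check: "reload-needed" when the on-disk certificate differs from the
# one being served (renewal happened, web server was not reloaded).
compare_served_with_file() {
  local host="$1" file="$2" served local_fp
  served=$(served_cert "$host" | cert_fingerprint)
  local_fp=$(cert_fingerprint <"$file")
  if [ "$served" = "$local_fp" ]; then echo "in-sync"; else echo "reload-needed"; fi
}

# Usage (placeholder host and path):
#   cert_status "$(openssl x509 -in /etc/ssl/certs/site.crt -noout -enddate)"
#   compare_served_with_file example.com /etc/letsencrypt/live/example.com/fullchain.pem
```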
Step 3: Immediately Renew or Reissue Your Certificate
Depending on your setup, renewing your SSL certificate can vary:
If you purchased your certificate: You may need to visit your certificate provider's website or control panel to download a new certificate. After downloading, you'll manually replace the old certificate files on your server and reload your web server to apply the changes.
Using Certbot: Run the renewal command immediately:
sudo certbot renew
If you encounter problems, you might need to force renewal:
sudo certbot certonly --force-renewal -d example.com -d www.example.com
Once renewed, reload your web server:
sudo systemctl reload apache2
# or
sudo systemctl reload nginx
Make sure your renewal automation also restarts (or reloads) the web server after each renewal; forgetting this step is a common gotcha.
Step 4: Verify HTTPS is Restored
Double-check your browser by clearing your cache and visiting your site again. You can also run:
openssl s_client -connect example.com:443 -servername example.com </dev/null
The handshake output should no longer report the certificate as expired; look for "Verify return code: 0 (ok)" at the end.
Step 5: Set Up Automated Renewals to Avoid Future Expiration
Automating your SSL certificate renewal ensures you won't be caught off guard again. Certbot, acme.sh, and Caddy are the most common ways to automate SSL certificate renewal. If you were already using Certbot or acme.sh, you can verify that their scheduled tasks are running:
- Certbot: Most workflows set up a renewal cron job or systemd timer upon first issuance. Verify their existence:
systemctl list-timers certbot.timer
# or
crontab -l | grep certbot
- acme.sh: Ensure automatic cron tasks are installed correctly:
crontab -l | grep acme.sh
If the renewal jobs are properly scheduled but the renewal still failed, it's crucial to identify and resolve the root cause. Otherwise, the issue will recur. Check out our detailed guide Why Let’s Encrypt Auto-Renewal Fails Sometimes to identify and fix potential renewal issues.
Step 6: Implement External Monitoring and Alerts
Since Let’s Encrypt no longer sends expiration emails, it’s crucial to use external monitoring services like CertNotifier to ensure you stay protected when auto-renewal inevitably fails. See our article on the Top SSL Certificate Monitoring Tools to learn more.