Discovering your SSL certificate has expired unexpectedly can feel like a nightmare, especially for solo developers managing VPS or bare-metal servers on their own. Don't panic! Here's how to get your server back online quickly and ensure it doesn't happen again.
Step 1: Confirm Your SSL Certificate Expiration
First, confirm that the problem really is an expired certificate. Browsers show the dreaded "Your connection is not private" page for several reasons besides expiry (a wrong clock on the client machine, a hostname mismatch, a missing intermediate certificate), so check the error code the browser lists: an expired certificate shows up as NET::ERR_CERT_DATE_INVALID in Chrome and SEC_ERROR_EXPIRED_CERTIFICATE in Firefox. Or check from a terminal:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
The -servername option sends the hostname (SNI) so a server that hosts several sites returns the right certificate, and </dev/null closes the connection instead of waiting for keyboard input. Look for the notAfter date and compare it with the current time (date -u): if it's in the past, the certificate has expired.
Step 2: Check if Renewal Already Occurred but Server Didn't Pick it Up
Many web servers read their certificate files only at startup (or on reload), so a renewed certificate sitting on disk does nothing until the server is told to load it.
Before renewing, check whether the certificate has already been renewed but not yet picked up by your web server:
- If you're using Certbot, run:
sudo certbot certificates
Other ACME clients offer similar commands.
- If you're managing certificates manually, inspect the file directly with OpenSSL:
openssl x509 -in /path/to/your/certificate.crt -noout -dates
If you're unsure where your certificate files are stored, look for the ssl_certificate directive in NGINX's configuration (nginx.conf or the files it includes) or SSLCertificateFile in Apache's (httpd.conf or the sites-enabled configs) to find their paths.
If either method shows a certificate that hasn't expired, the server is still serving a stale copy from memory; reload it so it picks up the new files (the exact command depends on your distribution and web server, e.g. the Apache service is called httpd on RHEL-based systems):
sudo systemctl reload apache2
# or
sudo systemctl reload nginx
If the certificate is truly expired, proceed to immediate renewal.
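The checks in Steps 1, 2 and 4 boil down to one question: is the certificate on the wire the same as, and as fresh as, the one on disk? The script below, added here as an example and not part of the original article, pulls the served certificate with SNI, compares it with a file on disk and prints one of three verdicts (ok, reload, renew). It assumes openssl(1) is installed; the hostname and the path to fullchain.pem are inputs, and the 30-day threshold is a choice (Certbot's own renewal window), not anything the article prescribes. openssl x509 -checkend is used instead of parsing dates so the script behaves the same with GNU and BSD date.

```shell
#!/bin/sh
# Example helper (not from the article): decide whether an "expired
# certificate" error needs a web-server reload or a real renewal.
# Assumes openssl(1) is on PATH. Hostname and on-disk path are arguments.
set -u

# Fetch the leaf certificate the server is actually presenting.
# -servername sends SNI so a multi-site server returns the right certificate;
# </dev/null closes the connection instead of waiting for keyboard input.
served_cert() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

# notAfter of a PEM certificate file, e.g. "Jan  1 00:00:00 2030 GMT".
cert_enddate() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# SHA-256 fingerprint: tells a stale in-memory copy apart from the file on disk.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Exit 0 if the certificate stays valid for the next $2 days, 1 otherwise.
# -checkend does the date arithmetic, so no platform-specific date(1) parsing.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Compare served ($1) vs on-disk ($2) certificate against a threshold of $3 days:
#   ok      the served certificate is fine for at least $3 more days
#   reload  the served copy is expiring/expired but the file on disk is good
#   renew   both are expiring/expired, so renewal is needed
diagnose() {
  served=$1; ondisk=$2; days=${3:-30}
  if cert_valid_for_days "$served" "$days"; then
    echo ok
  elif cert_valid_for_days "$ondisk" "$days"; then
    echo reload
  else
    echo renew
  fi
}

# Usage: sh check-cert.sh example.com /etc/letsencrypt/live/example.com/fullchain.pem
if [ $# -eq 2 ]; then
  tmp=$(mktemp) || exit 1
  served_cert "$1" > "$tmp" || { echo "could not fetch a certificate from $1" >&2; rm -f "$tmp"; exit 1; }
  printf 'served:  %s  %s\n' "$(cert_enddate "$tmp")" "$(cert_fingerprint "$tmp")"
  printf 'on disk: %s  %s\n' "$(cert_enddate "$2")" "$(cert_fingerprint "$2")"
  printf 'verdict: %s\n' "$(diagnose "$tmp" "$2" 30)"
  rm -f "$tmp"
fi
```

A "reload" verdict, or a valid on-disk certificate whose fingerprint differs from the served one, means the renewal already happened and only the web server is stale; "renew" means you need Step 3.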
Step 3: Renew Your Certificate
Let's Encrypt certificates are valid for 90 days (Certbot renews them automatically once they are within 30 days of expiry), while certificates bought from a commercial CA can be valid for up to 398 days, the current maximum for publicly trusted certificates.
If you purchased your certificate: log in to your certificate provider's website or control panel and request a renewal or reissue (you may need to submit a new CSR). Download the new certificate together with its intermediate chain, replace the old files on your server (the chain file too, since CAs rotate their intermediates), and reload your web server to apply the change.
If you're using Certbot: Simply run the renewal command:
sudo certbot renew
Once renewed, reload your web server as indicated in Step 2.
Make reloading the web server part of your renewal automation from now on: Certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ (or the command passed with --deploy-hook) after a successful renewal, and acme.sh accepts a --reloadcmd when you install a certificate. Forgetting this is the most common reason a freshly renewed certificate still shows up as expired.
Step 4: Verify HTTPS is Restored
Visit your site in a browser to see that the issue is, hopefully, resolved. If you still see an error, force a fresh connection with a hard refresh (hold Shift while reloading) or open the site in a private window, since the browser may be reusing a connection or cached state from before the reload.
Alternatively, run:
openssl s_client -connect example.com:443 -servername example.com </dev/null
and look for "Verify return code: 0 (ok)" near the end of the output; an expired certificate reports "Verify return code: 10 (certificate has expired)" instead. If there's still a problem, double-check the paths your server loads certificates from, and that you replaced the chain file as well as the leaf certificate.
Step 5: Set Up Automated Renewals (if possible)
Yay, you're back online 🎉 but there are still a few things to do before celebrating.
If you were already using Certbot or acme.sh, verify that their scheduled tasks are actually running and, of course, that your web server is reloaded on successful renewal (Certbot's deploy hooks, acme.sh's --reloadcmd):
- Certbot: depending on how it was installed, Certbot schedules renewal with a cron job (/etc/cron.d/certbot on Debian and Ubuntu packages), a systemd timer (certbot.timer) or, for snap installs, snap.certbot.renew.timer. Note that crontab -l only shows the current user's crontab, not /etc/cron.d.
systemctl list-timers 'certbot*' 'snap.certbot*'
# or
cat /etc/cron.d/certbot
crontab -l | grep certbot
- acme.sh: Ensure automatic cron tasks are installed correctly:
crontab -l | grep acme.sh
If the renewal jobs are properly scheduled but the renewal still failed, it's crucial to identify and resolve the root cause, or else you'll be back here in a few months. Check out our detailed guide, Why Let's Encrypt Auto-Renewal Fails Sometimes, to identify and fix potential renewal issues.
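Steps 3 and 5 both come back to the same gotcha: the renewal succeeds but nothing reloads the web server. The deploy hook below is an added example, not code from the article, from Certbot or from acme.sh. It is meant to be saved under Certbot's /etc/letsencrypt/renewal-hooks/deploy/ directory (the file name reload-web-server.sh is my own choice) and made executable; Certbot runs it only after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS, which the script uses as its "invoked by Certbot" signal. For acme.sh, point --reloadcmd at the script with the --run flag, which is a convention of this example rather than an acme.sh or Certbot feature. The config check before the reload is the part worth copying: reloading a server with a broken config can take the site down harder than the expired certificate did.

```shell
#!/bin/sh
# Example deploy hook (added here; not from the article, Certbot or acme.sh).
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/reload-web-server.sh
# Certbot runs it after a successful renewal with RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS exported.
set -u

# Log to syslog when logger(1) exists, otherwise to stderr.
log() {
  if command -v logger >/dev/null 2>&1; then
    logger -t cert-deploy-hook "$*"
  else
    printf 'cert-deploy-hook: %s\n' "$*" >&2
  fi
}

# Run the config check ($1) and only then the reload ($2).
# Returns 0 on a successful reload, 1 if the check or the reload failed.
safe_reload() {
  check=$1; reload=$2
  if $check >/dev/null 2>&1; then
    if $reload; then
      log "reloaded via '$reload'"
      return 0
    fi
    log "reload command '$reload' failed"
    return 1
  fi
  log "config check '$check' failed; not reloading"
  return 1
}

# Pick the web server that is installed and reload it safely.
main() {
  log "renewed ${RENEWED_DOMAINS:-?} in ${RENEWED_LINEAGE:-?}"
  if command -v nginx >/dev/null 2>&1; then
    safe_reload "nginx -t" "systemctl reload nginx"
  elif command -v apache2ctl >/dev/null 2>&1; then
    safe_reload "apache2ctl configtest" "systemctl reload apache2"
  else
    log "no known web server found; nothing reloaded"
    return 1
  fi
}

# Act only when Certbot invoked us (RENEWED_LINEAGE is set) or when called
# explicitly with --run (the flag this example uses for acme.sh --reloadcmd).
# Running the file by hand without either is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = --run ]; then
  main
fi
```

After installing it, exercise the whole chain once with sudo certbot renew --dry-run and confirm the hook's log line appears; a dry run that never prints it means the hook isn't executable or isn't in the directory Certbot scans.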
If you're using purchased certificates, automation is much harder. I would just keep doing it manually unless you're running a lot of services. In that case, look into the API offered by whoever you bought your certificates from (e.g. Namecheap); some commercial CAs also issue via ACME, in which case Certbot or acme.sh can manage those certificates the same way.
Step 6: Implement External Certificate Monitoring
Even the best automation fails sometimes. Security experts recommend certificate monitoring services like CertNotifier to avoid unintended downtime. See our article on the Top SSL Certificate Monitoring Tools to learn more.