An expired SSL certificate blocks visitors with a browser security warning, tanks your SEO, and breaks API integrations. Paste your URL to check expiry date, issuer, and days remaining — then follow the fix for your setup.
| Setup | How to renew |
|---|---|
| Let's Encrypt (Certbot) | `certbot renew` — should be in a cron job already. Run manually to check. |
| cPanel hosting | cPanel → SSL/TLS → Let's Encrypt AutoSSL → Run AutoSSL |
| Cloudflare | Cloudflare manages the edge cert. Check origin cert under SSL/TLS → Origin Server |
| AWS ACM | ACM certs auto-renew if DNS/email validation is still valid. Check ACM console. |
| Netlify / Vercel | Managed automatically. If expired, re-add custom domain in dashboard to trigger renewal. |
| Paid CA (DigiCert, etc.) | Buy a new cert, generate a new CSR, install it on the server. Don't forget to update the chain. |
| WP Engine / Kinsta | Contact support — managed hosts handle SSL. Usually resolved within hours. |
If you moved DNS to a new provider but the ACME challenge record is still at the old one, Let's Encrypt can't validate ownership. Update DNS or switch to HTTP validation.
HTTP-01 ACME challenge requires port 80 to be open. A firewall change, security group, or Cloudflare proxy configuration can silently break this.
Run `certbot renew --dry-run` to test. Check `crontab -l` and `/etc/cron.d/certbot` for the renewal job.
Let's Encrypt's old root cert (DST Root CA X3) expired in 2021 and broke old Android/OpenSSL versions. Update your system's trust store if you see this.
Auto-renew silently fails. The email reminder goes to an inbox nobody checks. The cert was manually installed and the team forgot. All common, all preventable.
UptimeRobot (free tier) monitors SSL expiry and alerts by email. StatusCake, Better Uptime, and Freshping also have free SSL monitoring tiers.
Set alerts at 30 days and 7 days remaining. Let's Encrypt won't renew until 30 days before expiry — so the 30-day alert is when auto-renew should trigger. If it doesn't, you have time to fix it manually.
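A self-hosted version of the 30-day and 7-day alerts described above, as an added example that is not part of the original page. The function names and status labels are assumptions made for illustration; a certificate that has already expired fails the verified handshake, so that case is reported from the verification error instead of from the date.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30      # first alert: auto-renew should already have run
CRITICAL_DAYS = 7   # second alert: renew by hand now
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired cert


def days_remaining(not_after, now=None):
    """Whole days until a notAfter string such as 'Jun 15 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def classify(days):
    if days < 0:
        return "EXPIRED"
    if days <= CRITICAL_DAYS:
        return "CRITICAL"
    if days <= WARN_DAYS:
        return "WARNING"
    return "OK"


def check_host(host, port=443, timeout=5.0):
    """Connect to host and return (status, days_left); days_left is None if unknown."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # A verified handshake fails outright when the cert is already expired.
        expired = exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED
        return ("EXPIRED" if expired else "INVALID", None)
    days = days_remaining(not_after)
    return (classify(days), days)


if __name__ == "__main__":
    # Constructed sample value, checked against a fixed clock so it runs offline.
    sample = "Jun 15 12:00:00 2025 GMT"
    clock = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)
    left = days_remaining(sample, clock)
    print(sample, left, classify(left))
```

Run `check_host` from cron for each domain and alert on any status other than `OK`; a `WARNING` means the automatic renewal should already have happened and needs investigating.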
Yes — Google may stop crawling HTTPS pages with invalid certs. More immediately, the browser warning drives away 90%+ of visitors who see it.
Yes. Let's Encrypt provides free 90-day certificates. Cloudflare provides a free edge certificate for any site proxied through them. Most hosting panels now offer free AutoSSL.
Let's Encrypt issues 90-day certificates by design — short validity forces automation and reduces the window of compromised cert misuse. Paid CAs still offer 1-year certs.