Skip to main content
Vantyris

TLS

Your TLS certificate has expired. Here's how to restore the site fast.

Published 2026-05-20 · Last updated 2026-05-20 · Vantyris editorial

An expired TLS certificate is the kind of outage that takes a site fully offline from the customer's perspective. Modern browsers show a full-screen warning ('Your connection is not private') with no easy 'continue anyway' button. Until you renew, you have zero traffic. The good news: most expirations are caused by a failed auto-renewal, and renewing manually takes minutes.

What this means for your business

How to fix

Log into your web host or certificate manager, trigger a manual renewal, then investigate why auto-renewal failed.

  1. Trigger a manual renewal. Most hosts have a 'Renew now' button in the SSL section of their control panel. Cloudflare's certificate is managed for you and rarely expires; if it does, the issue is at your origin server's certificate, not Cloudflare's edge. Identify which certificate expired (origin vs edge) before chasing the wrong one.
  2. If the host UI doesn't help, use the command line. If you're using certbot (the most common Let's Encrypt client), run `sudo certbot renew --force-renewal` on the server. Then reload your web server: `sudo systemctl reload nginx` or `apache2`.
  3. Verify. Visit your site in an incognito window. The browser warning should be gone, the padlock should appear. Run a Vantyris scan or ssllabs.com/ssltest to confirm the new certificate's validity period.
  4. Investigate why auto-renewal failed. Common causes: the renewal cron stopped firing, the ACME client lost its API key, your DNS provider changed (breaking DNS-01 challenges), or your firewall blocks port 80 (breaking HTTP-01 challenges). Fix the root cause so this doesn't happen again in 90 days.
  5. Set up monitoring. Enrol the target in Vantyris continuous monitoring with the 'TLS cert expires within 14 days' alert enabled. Or use a free monitor like UptimeRobot's TLS check. You should never learn about an expired cert from a customer email.

Owner: Your web host's support team, or your developer if you self-host. · Time: 30 minutes if your host supports one-click renewal; longer if you need to debug auto-renewal.

Common gotchas

How to verify the fix

Vantyris's `tls.cert_expired` finding clears once the new cert is live. Or paste your domain into ssllabs.com/ssltest and confirm the 'Valid until' date is at least 30 days in the future.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

How often do certificates need renewing?

Let's Encrypt: every 90 days, automatically. Paid certificates: every 12 months, usually manual unless your CA offers ACME automation. Most modern setups should be fully automated; manual renewal is a sign the setup needs upgrading.

Can I just buy a cert with a longer expiry?

No. Industry-wide, certificate lifetimes have been shortening (current cap is 398 days; proposals exist for 90-day maximums by 2027). Build for automated renewal.

Why doesn't the browser let me skip the warning?

On many sites with HSTS enabled, browsers refuse to let visitors bypass the certificate error. This is by design: HSTS says 'this domain MUST be HTTPS', and an invalid cert is treated as an attempted attack.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0