TLS
Your TLS certificate has expired. Here's how to restore the site fast.
Published 2026-05-20 · Last updated 2026-05-20 · Vantyris editorial
An expired TLS certificate is the kind of outage that takes a site fully offline from the customer's perspective. Modern browsers show a full-screen warning ('Your connection is not private') with no easy 'continue anyway' button. Until you renew, you have zero traffic. The good news: most expirations are caused by a failed auto-renewal, and renewing manually takes minutes.
What this means for your business
- Every TLS certificate has an expiry date. Let's Encrypt certificates last 90 days; paid certificates typically last 12 months. Auto-renewal handles this in the background — until something breaks the cron job, the API key, or the DNS challenge.
- When the certificate expires, browsers refuse to connect. They show your visitor a security warning rather than your site. Your conversion rate goes to zero until the renewal completes.
- Most expirations are not crypto attacks; they're operational failures. The certificate auto-renewal stopped working three weeks ago and nobody noticed because the host emails went to a mailbox no one reads.
How to fix
Log into your web host or certificate manager, trigger a manual renewal, then investigate why auto-renewal failed.
- Trigger a manual renewal. Most hosts have a 'Renew now' button in the SSL section of their control panel. Cloudflare's certificate is managed for you and rarely expires; if it does, the issue is at your origin server's certificate, not Cloudflare's edge. Identify which certificate expired (origin vs edge) before chasing the wrong one.
- If the host UI doesn't help, use the command line. If you're using certbot (the most common Let's Encrypt client), run `sudo certbot renew --force-renewal` on the server. Then reload your web server: `sudo systemctl reload nginx` or `apache2`.
- Verify. Visit your site in an incognito window. The browser warning should be gone, the padlock should appear. Run a Vantyris scan or ssllabs.com/ssltest to confirm the new certificate's validity period.
- Investigate why auto-renewal failed. Common causes: the renewal cron stopped firing, the ACME client lost its API key, your DNS provider changed (breaking DNS-01 challenges), or your firewall blocks port 80 (breaking HTTP-01 challenges). Fix the root cause so this doesn't happen again in 90 days.
- Set up monitoring. Enrol the target in Vantyris continuous monitoring with the 'TLS cert expires within 14 days' alert enabled. Or use a free monitor like UptimeRobot's TLS check. You should never learn about an expired cert from a customer email.
Owner: Your web host's support team, or your developer if you self-host. · Time: 30 minutes if your host supports one-click renewal; longer if you need to debug auto-renewal.
Common gotchas
- Check for the right certificate. If you're behind Cloudflare, three certificates are in play: the visitor-facing edge cert (managed by Cloudflare), the origin cert (managed by you), and any intermediate cert in the chain. An expired edge cert is rare; an expired origin cert is common.
- Some auto-renewals fail silently because the renewal email goes to a noreply mailbox or gets filtered as spam. Set the renewal-notification email to a real human's inbox.
- If you migrated to a new hosting setup recently and copied over the cert, the new server may not have the auto-renewal client installed at all.
How to verify the fix
Vantyris's `tls.cert_expired` finding clears once the new cert is live. Or paste your domain into ssllabs.com/ssltest and confirm the 'Valid until' date is at least 30 days in the future.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
How often do certificates need renewing?
Let's Encrypt: every 90 days, automatically. Paid certificates: every 12 months, usually manual unless your CA offers ACME automation. Most modern setups should be fully automated; manual renewal is a sign the setup needs upgrading.
Can I just buy a cert with a longer expiry?
No. Industry-wide, certificate lifetimes have been shortening (current cap is 398 days; proposals exist for 90-day maximums by 2027). Build for automated renewal.
Why doesn't the browser let me skip the warning?
On many sites with HSTS enabled, browsers refuse to let visitors bypass the certificate error. This is by design: HSTS says 'this domain MUST be HTTPS', and an invalid cert is treated as an attempted attack.
References
Related explainers
- HTTPS for small business: how to enable it in 15 minutes.
- HSTS: the security header that locks HTTPS on for good.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0