
What Happens When Your SSL Certificate Expires


The browser warning from hell

You've seen it. That full-screen red warning: "Your connection is not private." With a tiny "Advanced" link that most users will never click.

That's what your users see when your SSL certificate expires. Not a gentle nudge. A wall that says "this site might be dangerous" and actively discourages people from continuing.

Most users will close the tab and never come back.

What actually breaks

An expired SSL certificate causes a cascade of problems:

1. Browsers block your users

Chrome, Firefox, Safari, and Edge all show interstitial warnings for expired certs. The exact wording varies but the message is the same: "don't trust this site." Some browsers make it difficult to bypass the warning on purpose.

For most users, an expired cert is indistinguishable from a hacked website.

2. API calls start failing

If your API uses HTTPS (it should), an expired certificate causes SSL handshake failures. Every client that validates certificates - which is the default behavior - will refuse to connect.

This means:

  • Mobile apps stop working
  • Webhook deliveries fail
  • Third-party integrations break
  • Internal service-to-service calls crash

One expired certificate can cascade through your entire infrastructure.

3. SEO takes a hit

Google has used HTTPS as a ranking signal since 2014. An expired certificate effectively makes your site "not HTTPS" in Google's eyes. If the cert stays expired long enough for Google to recrawl your pages, you can lose ranking positions that took months to build.

4. Trust evaporates

Even after you renew the certificate, users who saw the warning remember it. "That sketchy site with the security warning" is a hard reputation to shake, especially for a product that handles sensitive data.

Why it keeps happening

If expired certs are so bad, why do they still happen? A few reasons:

Let's Encrypt certs expire every 90 days. They're free, which is great, but the short lifespan means auto-renewal needs to work perfectly. One misconfigured cron job and you're down.

In small teams, nobody owns the renewal process. It falls into this gap between "developer stuff" and "ops stuff" where everyone assumes someone else is handling it. DNS changes make it worse - switch your DNS provider or update records and the domain validation for auto-renewal can break silently. The cert renews fine for months, then suddenly doesn't.

And if you run multiple services, you might have separate certs for your main domain, API subdomain, staging environment, status page, and email domain. Each with a different expiry date. Good luck tracking all of those manually.

How to prevent it

Option 1: Let's Encrypt + auto-renewal (and monitor it)

Let's Encrypt with certbot auto-renewal is the standard approach. But "set it and forget it" is exactly how certs expire. Always monitor the auto-renewal process:

  • Set up a heartbeat monitor on your renewal cron job
  • Monitor the actual certificate expiry date separately
  • Test renewal manually at least once after any DNS or server changes

Option 2: SSL certificate monitoring

The most reliable approach is external monitoring that checks your certificate's expiry date and alerts you well in advance.

With Chirp, SSL monitoring checks your certificate and sends progressive alerts:

  • 30 days before expiry
  • 14 days before
  • 7 days before
  • 3 days before
  • 1 day before

That's 5 chances to catch it before it expires. Even if auto-renewal is working, the monitoring acts as a safety net.
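
An external expiry check of the kind described above can be sketched as follows. This is an added example, not Chirp's code and not part of the original post: the thresholds are the five listed above, while the function names and the sample dates in the checks are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds in days, taken from the list above.
THRESHOLDS = (30, 14, 7, 3, 1)

def days_left(not_after, now):
    """Whole days from `now` until a cert's notAfter string (getpeercert() format)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the cert has expired

def alert_level(days):
    """Return 'expired', the tightest threshold reached (e.g. 7), or None if all clear."""
    if days < 0:
        return "expired"
    reached = [t for t in THRESHOLDS if days <= t]
    return min(reached) if reached else None

def check_host(host, port=443, timeout=5.0):
    """Fetch the live certificate and classify it. Needs network access."""
    ctx = ssl.create_default_context()  # validates chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired cert fails the handshake, so there is no notAfter to read.
        # verify_code 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED.
        return "expired" if exc.verify_code == 10 else f"invalid: {exc.verify_message}"
    return alert_level(days_left(not_after, datetime.now(timezone.utc)))

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

Run it from a machine other than the one doing the renewal, once per hostname you serve, so a silent renewal failure on the server cannot also silence the check.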

Option 3: Managed SSL from your hosting provider

Platforms like Vercel, Netlify, and Cloudflare handle SSL automatically. This is the lowest-effort option, but it only covers the domains hosted on that platform. APIs, email services, and custom domains might still need separate certificates.

What to do if it already expired

If your cert is already expired, here's the priority list:

  1. Renew immediately. Run certbot renew or update through your provider's dashboard. This usually takes under a minute.

  2. Verify it's working. Open your site in an incognito window. Browser caching can mask an expired cert.

  3. Check your APIs and integrations. They may need to reconnect after the renewal. Some clients cache the old (expired) certificate.

  4. Post an incident update if you have a status page. Your users saw the warning. Acknowledge it and confirm it's fixed.

  5. Set up monitoring so it doesn't happen again.

Don't wait for the warning

SSL monitoring takes 2 minutes to set up and costs nothing on Chirp's free tier. That's 2 minutes versus a day of lost traffic, broken integrations, and damaged trust.

Set up SSL monitoring with Chirp - you'll get alerts 30 days before any certificate expires.
