critical · 4 min read · Last updated May 22, 2026

TLS Certificate Expired: How to Fix and Prevent

An expired TLS certificate causes browser security warnings. Learn how to renew it quickly with Let's Encrypt or commercial CAs, and prevent it from happening again.

What happened?

Your TLS (HTTPS) certificate has expired. Visitors to your website now see a "Your connection is not private" or "Not Secure" warning in their browser. Most users will leave immediately rather than click through the warning.

Beyond the user experience impact, an expired certificate means:

  • Your HTTPS connection is no longer trusted
  • Some browsers and API clients will refuse to connect entirely
  • ISO 27001 and NIS2 auditors will flag it as a critical finding

Why does it happen?

TLS certificates have an expiry date (typically 90 days for Let's Encrypt, up to 1 year for commercial certificates). They do not renew automatically unless you have configured auto-renewal.

Immediate fix

For Let's Encrypt / Certbot

# Renew immediately
sudo certbot renew --force-renewal

# Restart your web server to pick up the new certificate
sudo systemctl restart nginx
# or
sudo systemctl restart apache2

For commercial certificates (DigiCert, Sectigo, etc.)

  1. Log in to your certificate provider
  2. Go to your certificate order
  3. Click Renew and follow the process (usually involves re-verifying domain ownership)
  4. Download the new certificate
  5. Install it on your web server
  6. Restart your web server

For hosting providers (Hostinger, cPanel, etc.)

  1. Log in to your hosting control panel
  2. Go to SSL Certificates
  3. Find the expired certificate and click Renew or Reissue
  4. If auto-installation is available, use it
  5. Otherwise, download the certificate and install manually

Verify the fix

After installing the new certificate:

  1. Open your domain in a browser -- the padlock should be green with no warnings
  2. Check the expiry date by clicking the padlock → Certificate details
  3. Use SSL Labs for a full certificate health check

Prevent it from happening again

If you use Let's Encrypt, certbot can renew automatically:

# Check if the certbot timer is running
sudo systemctl status certbot.timer

# Enable it if it is not
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

# Test that renewal works
sudo certbot renew --dry-run
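To check expiry yourself from a cron job or CI step, here is an added example (not code from this page or from SurfaceScan) that reads the certificate a host actually serves and grades it against the 30-day window this page uses. The function names and the status strings are assumptions made for the example.

```python
import socket
import ssl
import time

WARN_DAYS = 30              # warning window used on this page
X509_CERT_HAS_EXPIRED = 10  # OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map a notAfter string (as returned by getpeercert()) to (status, days_left)."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < 0:
        return "critical", days_left
    if days_left < warn_days:
        return "warning", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Fetch the served certificate and classify it. Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake, so there is no
        # notAfter to read; OpenSSL reports the reason as a verify code.
        if exc.verify_code == X509_CERT_HAS_EXPIRED:
            return "critical", None
        return "untrusted: " + exc.verify_message, None


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        status, days = check_host(name)
        print(f"{name}: {status}" + ("" if days is None else f" ({days} days left)"))
```

Run it with one or more host names as arguments. Checking the served certificate rather than the file on disk also catches the case where a renewed certificate was issued but the web server was never restarted.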

Option 2: Use SurfaceScan monitoring

SurfaceScan monitors all your TLS certificates on every scan and alerts you 30 days before expiry -- enough time to renew without any service disruption.

How SurfaceScan helps

SurfaceScan discovers and monitors TLS certificates across all your domains and IPs, including subdomains you may have forgotten about. It flags expired certificates as critical findings and certificates expiring within 30 days as warnings in the TLS Certificates section.
