TLS / HTTPS

How to fix SSL/TLS certificate expiry

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

SSL/TLS certificates have a validity period (e.g. 90 days for Let's Encrypt, up to 1 year for many CAs). When they expire, browsers will show a security error and users cannot access your site over HTTPS.

Why it matters

An expired certificate breaks HTTPS and damages trust. Renewing before expiry and automating renewal (e.g. certbot) avoids outages. Monitoring certificate expiry (e.g. with Barrion) gives you advance warning.

How it is exploited

When the certificate expires, browsers show a full-page interstitial. Some users click through, which trains them to ignore real warnings, and an attacker on the network can present their own self-signed certificate and capture credentials from anyone who proceeds. Automated clients and webhooks usually fail closed, which breaks integrations and login flows mid-checkout.

How to fix it

  1. Check expiry date. Use Barrion's certificate expiry tool or openssl to see when your certificate expires. Plan renewal at least 2 to 4 weeks before expiry.
  2. Renew the certificate. If using Let's Encrypt, run certbot renew (or your ACME client). For other CAs, request a new certificate and install it on your server.
  3. Install and reload. Install the new certificate and private key on your web server, then reload the server (e.g. systemctl reload nginx) so it serves the new cert.
  4. Monitor continuously. Use continuous monitoring or periodic scans to get alerts before the next expiry so you never miss a renewal.

How to verify the fix

Confirm the certificate end date with openssl:

openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate
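
The check in step 1 and the monitoring in step 4 can be scripted around the same openssl pipeline. The script below is an added example, not part of the original page or of Barrion's tooling; it assumes GNU date, and the function names and the 28/14-day thresholds are illustrative choices within the 2 to 4 week window.

```shell
#!/bin/sh
# Added example: alert before a certificate expires.
# Assumes GNU date (-d parsing). WARN_DAYS/CRIT_DAYS are illustrative values
# chosen to match the "2 to 4 weeks before expiry" guidance in step 1.
WARN_DAYS=28
CRIT_DAYS=14

# days_left "notAfter=Jun  1 12:00:00 2030 GMT" [now_epoch]
# Prints whole days until expiry; negative once the certificate has expired.
days_left() (
  enddate="${1#notAfter=}"
  now="${2:-$(date -u +%s)}"
  [ -n "$enddate" ] || exit 2          # date -d "" would silently mean "today"
  end=$(date -u -d "$enddate" +%s) || exit 2
  diff=$(( end - now ))
  if [ "$diff" -lt 0 ]; then
    echo $(( 0 - (86399 - diff) / 86400 ))   # round away from zero: 1s late is -1
  else
    echo $(( diff / 86400 ))
  fi
)

# classify DAYS -> EXPIRED | CRITICAL | WARNING | OK
classify() {
  if   [ "$1" -lt 0 ];            then echo EXPIRED
  elif [ "$1" -lt "$CRIT_DAYS" ]; then echo CRITICAL
  elif [ "$1" -lt "$WARN_DAYS" ]; then echo WARNING
  else echo OK
  fi
}

# check_host HOST [PORT]: read the served certificate with the openssl pipeline
# shown above, print one status line, return non-zero unless the state is OK.
check_host() (
  host="$1"; port="${2:-443}"
  enddate=$(openssl s_client -servername "$host" -connect "$host:$port" \
              </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null)
  d=$(days_left "$enddate") || { echo "$host UNKNOWN (no certificate read)"; exit 3; }
  state=$(classify "$d")
  echo "$host $state ${d}d ($enddate)"
  [ "$state" = OK ]
)

# Run with hostnames as arguments; does nothing when none are given.
for h in "$@"; do check_host "$h" || true; done
```

Run it from cron or a CI job with your hostnames as arguments and alert on any line that is not OK; an UNKNOWN result means no certificate could be read and should be treated as a failure, not as a pass.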

Check your site for this finding.

Run Barrion's free TLS / HTTPS check to see if this applies to your app, with a full report and remediation steps.