
SSL Certificate Expired — How to Fix It


NET::ERR_CERT_DATE_INVALID — Your connection is not private

What causes this

The SSL/TLS certificate on the server has expired. Browsers refuse to connect because an expired certificate can’t guarantee the connection is secure. This happens when:

  • The certificate wasn’t renewed before its expiry date (Let’s Encrypt certs expire every 90 days)
  • Auto-renewal was set up but failed silently (permissions, DNS changes, or the renewal service stopped)
  • The server is still serving the old certificate from cache after a renewal (the web server was not reloaded)
  • Your system clock is wrong (rare, but it happens)

Fix 1: Renew with Let’s Encrypt (Certbot)

# Renew all certificates
sudo certbot renew

# Reload your web server to pick up the new cert
sudo systemctl reload nginx
# or
sudo systemctl reload apache2

If renewal fails, try forcing it. Forced renewals count against Let’s Encrypt rate limits, so run this once rather than in a loop:

sudo certbot renew --force-renewal

Fix 2: Check why auto-renewal failed

# Test renewal without actually renewing
sudo certbot renew --dry-run

# Check certbot logs
sudo tail -n 50 /var/log/letsencrypt/letsencrypt.log

Common failure reasons:

  • Port 80 is blocked (Let’s Encrypt needs it for HTTP-01 challenges)
  • DNS changed and the domain no longer points to this server
  • Certbot service/timer isn’t running

Fix 3: Set up auto-renewal properly

# Check if the systemd timer is active
sudo systemctl status certbot.timer

# If not, enable it
sudo systemctl enable --now certbot.timer

# Or add a cron job as backup
sudo crontab -e
# Add this line:
0 3 * * * certbot renew --quiet --post-hook "systemctl reload nginx"

Fix 4: Check certificate expiry dates

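# Check when a certificate expires
# (-servername sends SNI so the server returns the certificate for this hostname)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates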

# Check all certbot certificates
sudo certbot certificates

Fix 5: Check your system clock

If the certificate is valid but your browser says it’s expired, your system clock might be wrong:

# Check current time
date

# Sync with NTP
sudo timedatectl set-ntp true

How to prevent it

  • Always use certbot renew --dry-run after initial setup to verify auto-renewal works
  • Set up monitoring that alerts you when a certificate is within 14 days of expiry
  • Use our SSL certificate decoder to inspect certificate details
  • If you’re behind Cloudflare or a CDN, they handle SSL for you — but check that the origin certificate is also valid
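
A minimal version of the 14-day monitoring check, added here as an example (not code from the original page): it reads the notBefore=/notAfter= lines printed by the Fix 4 command and classifies the certificate. The script name check_expiry.py, the function names and the sample dates are assumptions made for illustration.

```python
"""Classify a certificate from the output of `openssl x509 -noout -dates`."""
import ssl
import sys
import time

WARN_DAYS = 14  # alert threshold from the "How to prevent it" list


def parse_dates(openssl_output):
    """Return (not_before, not_after) as epoch seconds in UTC."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = ssl.cert_time_to_seconds(value)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_expiry(openssl_output, now=None, warn_days=WARN_DAYS):
    """Return (status, whole_days_left) for the given point in time."""
    not_before, not_after = parse_dates(openssl_output)
    now = time.time() if now is None else now
    remaining = not_after - now
    if now < not_before:
        status = "not_yet_valid"  # usually a wrong clock on the checking host
    elif remaining <= 0:
        status = "expired"
    elif remaining <= warn_days * 86400:
        status = "expiring"  # time to find out why auto-renewal has not run
    else:
        status = "ok"
    return status, int(remaining // 86400)


# Constructed sample in the format printed by the Fix 4 command.
SAMPLE = "notBefore=Mar  1 00:00:00 2025 GMT\nnotAfter=May 30 00:00:00 2025 GMT\n"

if __name__ == "__main__":
    # Usage: <Fix 4 openssl pipeline> | python3 check_expiry.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    status, days = check_expiry(text)
    print(f"{status}: {days} days left")
    sys.exit(0 if status == "ok" else 1)
```

The non-zero exit code for anything other than "ok" lets cron or a monitoring agent raise the alert. A "not_yet_valid" result on a freshly issued certificate points to the clock problem covered in Fix 5.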