An expiring SSL certificate is not a hidden problem. The moment it expires, every modern browser shows a giant red "Your connection is not private" interstitial and visitors hit a wall. RankPlus warns far enough in advance to allow a quiet renewal without downtime.
Why this matters
A TLS certificate encrypts traffic between browser and server. When it expires, encryption still technically works, but the browser refuses to trust the certificate and shows a warning. In practice, Chrome, Firefox and Safari fully block access without an explicit "Advanced > Proceed" click. About 95% of visitors hit Back and leave.
Other consequences:
- SEO: Google demotes sites with expired certificates.
- API and webhook integrations: external services that connect to your site reject the connection (their CA validation is strict).
- Payment integrations: Stripe, PayPal and other payment processors require valid HTTPS.
Let's Encrypt certificates (free, popular) are valid for 90 days and must renew roughly every 60. Commercial certificates (DigiCert, Sectigo, Comodo) are valid for 12 or 24 months. If monitoring warns about a certificate expiring in less than 30 days, the auto-renewal did not happen - and that is what to find and fix.
How to detect
RankPlus connects to the site's HTTPS endpoint, reads the certificate during the handshake and inspects the Not After field. Less than 30 days triggers an alert. Manually:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Or use https://www.ssllabs.com/ssltest/ which displays expiry plus a full grading.
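The same check in script form, as an added example rather than RankPlus's own code: it completes a verified TLS handshake with SNI, reads the certificate's Not After field and maps the days remaining onto the 30-day threshold described above. The host name, the status labels and the timeout are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # the 30-day threshold described above

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a verified TLS handshake (with SNI) and return the leaf
    certificate's notAfter string, e.g. 'Jun  1 12:00:00 2025 GMT'.
    create_default_context() validates the chain against the system trust
    store, so an expired or untrusted certificate raises an error instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_until_expiry(not_after: str, now_ts=None) -> float:
    """Days between now (epoch seconds, defaults to the current time) and the
    notAfter timestamp; negative once the certificate has expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return (expiry_ts - now_ts) / 86400

def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Map remaining days to the monitor's states: expired, warning or ok."""
    if days_left <= 0:
        return "expired"
    if days_left < warn_days:
        return "warning"
    return "ok"

def check_host(host: str, now_ts=None) -> dict:
    """Run the full check and report a status the way a monitor would."""
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # Already expired, wrong name or untrusted chain: the browser wall.
        return {"host": host, "status": "invalid", "detail": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    days = days_until_expiry(not_after, now_ts)
    return {"host": host, "status": classify(days),
            "days_left": round(days, 1), "not_after": not_after}

if __name__ == "__main__":
    import sys
    # Assumed default target; pass any host name as the first argument.
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```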
How to fix
- Let's Encrypt via a hosting panel (cPanel/Plesk/DirectAdmin): visit SSL/TLS > Let's Encrypt. Check Auto-renew status; if off, enable it. Click Renew Now or Force Renewal to renew immediately.
- certbot on a VPS: run
sudo certbot renew --dry-run
to confirm the renewal works. The output shows "Cert not yet due for renewal" (good) or an error. On error, run
sudo certbot renew --force-renewal
- If the cause is a blocked ACME challenge (a common issue): ensure /.well-known/acme-challenge/ is reachable over HTTP (not force-redirected to HTTPS). In .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The first RewriteCond exempts the challenge path from the HTTPS redirect.
- Behind Cloudflare/CDN: there are two certificates, one at the origin and one at the Cloudflare edge. Both must be valid. A Cloudflare Origin Certificate is valid for 15 years and is the recommended option for the origin.
- Commercial certificate: log in to the issuer (DigiCert, Sectigo) and renew there. You receive a CSR file to upload to the server.
- Verify the result: https://www.ssllabs.com/ssltest/ should show a fresh expiry (at least a year for commercial, 90 days for Let's Encrypt) and an A or A+ grade.
- Schedule a cron renewal if you manage your own VPS:
0 3 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
It attempts renewal every day at 03:00 and exits silently when nothing is due.
Common mistakes
- Skipping domain validation: Let's Encrypt validates ownership via HTTP-01 (a temporary file) or DNS-01 (a TXT record). If you recently changed DNS without waiting for propagation, validation fails.
- Certificate not covering all subdomains: a cert for example.com does not cover www.example.com. Include www or use a wildcard.
- Server IP changed without DNS update: if DNS still points to the old IP, the ACME challenge fails.
- Mixed content: even with a valid cert, hardcoded http:// assets trigger browser warnings. Use https:// or relative URLs.
- Not backing up a commercial certificate: when renewing a commercial cert, save the private key. The issuer may not allow you to download it twice.
Verifying the fix
Open the site in Chrome - you should see a green/grey padlock (not red). Click it - the new expiry is shown. Run ssllabs.com - aim for A+. RankPlus turns green on the next scan cycle (24 hours).
acme-v02.api.letsencrypt.org.