An expired SSL certificate is not a warning — it is a hard block. Browsers show a red interstitial and refuse to continue, Googlebot cannot crawl, and payment APIs return SSL errors. Even when the audit says "expires in seven days", begin renewal immediately — the process fails frequently due to misconfiguration and can take one to three days to fix.
Why this matters
Let's Encrypt certificates are valid for 90 days; auto-renewal is supposed to run during the final 30. When the audit reports "expiring in 7 days", auto-renewal has already failed for at least 23 days. The cause is usually a configuration issue (a block on /.well-known/acme-challenge/, an incorrect document root, or stale DNS). A site that goes down on SSL expiry experiences: browsers refusing to load it, mobile apps breaking on every API call, and Google removing it from the index within days. Visitors see "Not safe" and the default action is to leave.
How to detect
From the shell:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
The notAfter field is the expiry date. Alternative tools: https://www.sslshopper.com/ssl-checker.html, and for full historical visibility, https://crt.sh/?q=example.com which lists every certificate recorded in public Certificate Transparency logs for the domain.
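The same check can run unattended for several hostnames. The script below is an added example, not part of the original page: it reads notAfter from the live certificate and grades it against the 30-day renewal window and the 7-day finding described above. The function names, status labels and file name are this example's own.

```python
import socket
import ssl
import sys
import time

RENEWAL_WINDOW_DAYS = 30  # auto-renewal should already have run inside this window
URGENT_DAYS = 7           # the "expires in seven days" audit finding

def days_left(not_after, now=None):
    """Whole days until a notAfter value such as 'Jun  8 12:00:00 2025 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(days):
    """Map days remaining to a status label (labels are this example's own)."""
    if days < 0:
        return "EXPIRED"
    if days <= URGENT_DAYS:
        return "URGENT"
    if days <= RENEWAL_WINDOW_DAYS:
        return "RENEWAL_OVERDUE"  # still valid, but auto-renewal has not succeeded
    return "OK"

def check_host(host, port=443, timeout=10):
    """Fetch the live certificate and return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Already expired, wrong hostname or untrusted chain: the handshake
        # itself is refused, which is what browsers and API clients see.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    days = days_left(not_after)
    return classify(days), f"{days} days left (notAfter={not_after})"

if __name__ == "__main__":
    # Usage: python3 cert_check.py example.com www.example.com
    results = [(h, *check_host(h)) for h in sys.argv[1:]]
    for host, status, detail in results:
        print(f"{host}: {status} - {detail}")
    sys.exit(0 if all(s == "OK" for _, s, _ in results) else 1)
```

The exit code is non-zero when any host is not OK, so a cron job or monitoring wrapper can alert on it. Pass www. and every subdomain as separate arguments, since each hostname may be served a different certificate.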
How to fix
Scenario 1 — cPanel/AutoSSL: go to cPanel > SSL/TLS Status. Tick the domain and click "Run AutoSSL". If it fails, click "View Logs" and look for a DCV (Domain Control Validation) error. The most common fix is making sure /.well-known/acme-challenge/ is not blocked in .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]
</IfModule>
Scenario 2 — Certbot on a VPS:
sudo certbot renew --dry-run
# If it succeeds:
sudo certbot renew
sudo systemctl reload apache2 # or nginx
Add a twice-daily cron entry so renewal is automatic:
0 0,12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
Scenario 3 — Plesk: Domains > example.com > SSL/TLS Certificates > "Issue free Let's Encrypt certificate". If active but not renewing, click "Renew certificate" manually.
Common mistakes
Mistake one: waiting until the last moment. A certificate that stays expired for more than 72 hours before remediation drops out of Google PageSpeed results and can take one to two weeks to recover indexing.
Mistake two: renewing only the apex domain and forgetting www. or subdomains. A certificate issued only for example.com fails on www.example.com if a visitor goes directly there. Include every variant at issue time: certbot -d example.com -d www.example.com -d shop.example.com.
Mistake three: assuming "Cloudflare handles SSL". Cloudflare holds the edge certificate, but the origin still needs a valid certificate — otherwise Full (Strict) mode breaks.
Verifying the fix
Run the openssl command again and confirm notAfter is at least 60 days out. Browse to the site in a private window — the lock must be intact with no warning. Re-run SSL Labs and confirm the grade is still A or A+. Add an Uptime Robot or similar SSL expiry alert configured 14 days before the next expiration.
certificatemonitor.org emails you 30 days before expiry as well.