ConfigClarityGlossary › SSL Certificate Expiry

SSL Certificate Expiry

SSL certificate expiry occurs when a TLS certificate passes its validity end date, causing browsers to display security warnings and refuse HTTPS connections to the site.
SSLTLSHTTPSCertificateLet's EncryptSecurity

An SSL/TLS certificate is valid for a defined period — historically 1–2 years, and since September 2020 limited to 398 days maximum by major browsers. When a certificate expires, browsers display a full-page warning ("Your connection is not private") and most users will not proceed. The site becomes effectively inaccessible for non-technical visitors.

Certificate expiry is one of the most preventable causes of site outages. Unlike server failures, expiry is fully predictable — the date is embedded in the certificate itself and visible months in advance.

Common Causes of Missed Expiry

Auto-renewal failures are the most common cause. Let's Encrypt certificates expire every 90 days and require a working certbot or ACME renewal cron job. If the renewal job silently fails (wrong path, DNS mismatch, rate limit hit), the certificate expires without warning. CDN-fronted domains (Cloudflare, Fastly) have their own certificate lifecycle separate from the origin cert — many operators monitor only one of the two.

The 200-Day Warning Standard

ConfigClarity's SSL Checker flags certificates expiring within 200 days — not the standard 30-day window. This gives enough time to diagnose and fix renewal pipeline failures before the 30-day critical window. Let's Encrypt certificates issued today will expire in ~89 days if auto-renewal breaks immediately.

Related Tools

SSL Checker →

Fix Guides

SSL expiry monitoring fixNginx SSL renewal fixTraefik SSL renewal fix

Frequently Asked Questions

How long are SSL certificates valid?
Since September 2020, browser-trusted TLS certificates are valid for a maximum of 398 days (roughly 13 months). Let's Encrypt certificates are valid for 90 days and are designed to auto-renew every 60 days.
What happens when an SSL certificate expires?
Browsers display a full-page 'Your connection is not private' warning (ERR_CERT_DATE_INVALID). HTTPS connections are refused. The site remains accessible via HTTP but search engines will flag it. API clients and webhooks that enforce certificate validation will also fail.
How do I monitor SSL certificate expiry?
ConfigClarity's SSL Checker checks multiple domains at once and flags anything expiring within 200 days with exact days remaining. For automated monitoring, set a cron job running openssl s_client -connect domain.com:443 and parsing the notAfter field.