SSL/TLS / SSL/TLS

SSL certificate has expired

Fix SSL certificate has expired errors by renewing certificates and checking intermediate certificate chains.

Partial source Last updated May 10, 2026 1 source Needs local verification

Category: SSL/TLS
Error signature: certificate has expired
Quick fix: Renew and deploy the certificate, then verify the full chain and server time.
Updated: May 10, 2026
Verification status: Partial source
Evidence: 1 public source URL

Before you change production

This page includes public URLs, but the Markdown record does not consistently mark them under Sources checked. Treat the links as supporting context rather than complete verification.

Reproduce the smallest failing action and save non-secret logs before changing configuration.
Check versions for SSL/TLS, related SDKs, package managers, CI runners, and hosting providers.
Change one setting or dependency at a time, then rerun the same failing command or request.
Avoid destructive commands, credential rotation, billing changes, or security relaxations without a rollback plan.

What this error means

certificate has expired means name resolution, origin connectivity, or TLS certificate validation failed before the application request could complete.

Common causes

Server certificate expired
Intermediate certificate expired
Certificate automation failed
Client system clock is incorrect

Copy-paste commands

Query DNS records

dig example.com A

dig example.com CNAME

Check HTTP response headers

curl -I https://example.com

Inspect TLS certificate chain

openssl s_client -connect example.com:443 -servername example.com </dev/null

Flush macOS DNS cache

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Quick fixes

Check the exact hostname, not just the apex domain.
Renew and deploy the certificate, then verify the full chain and server time.
Compare direct origin behavior with proxied/CDN behavior when possible.
Retry after DNS TTL or certificate deployment has had time to propagate.

Step-by-step troubleshooting

Confirm the browser, client, or log reports certificate has expired for the same hostname.
Use dig to verify the authoritative DNS answer.
Use curl -I to check whether the hostname reaches the expected service.
Use openssl s_client to inspect certificate hostname, issuer, and expiry.
If a CDN is involved, compare proxied and direct-origin behavior.

Platform-specific fixes

macOS

Use dscacheutil to clear local DNS cache after changing records.

Linux

Use dig or resolvectl query to compare resolver answers.

Windows

Use ipconfig /flushdns after DNS changes, then retest the exact hostname.

Real-world fixes

If Cloudflare is enabled, test whether the origin responds when accessed directly.
If only one network fails, compare DNS resolver answers before changing server config.
Renew and deploy the certificate, then verify the full chain and server time.

How to prevent it

Track DNS changes with owner, TTL, and expected target.
Monitor certificate expiry before renewal windows close.
Keep CDN SSL mode and origin certificate configuration documented.

Diagnostic flow for this page

Match certificate has expired exactly before applying the quick fix.
Compare the failing environment with SSL/TLS versions, account scope, provider settings, and deployment context.
Check the listed common causes in order, starting with the cause that best matches your logs.
Use the evidence status below to decide whether to confirm against public sources or official documentation.
Apply one reversible change, rerun the smallest failing action, and keep rollback notes.

FAQ

What does certificate has expired mean in SSL/TLS?

certificate has expired indicates the workflow described by "SSL certificate has expired" failed in a SSL/TLS context. Start by confirming the exact signature and the component that emitted it.

What should I check first for certificate has expired?

Check whether this cause matches your environment: Server certificate expired

Is the certificate has expired guidance source-backed?

The "SSL certificate has expired" page is labeled partial source. It has 1 public source URL from example.com, so use that evidence status when deciding how much additional verification you need.

When should I avoid the quick fix for certificate has expired?

For "SSL certificate has expired", avoid applying "Renew and deploy the certificate, then verify the full chain and server time." when the error text differs, the affected version or provider is different, or the change would touch credentials, billing, DNS, production deploy settings, or irreversible data.

What should I collect before debugging certificate has expired?

For "SSL certificate has expired", collect the failing SSL/TLS command or request, non-secret configuration, versions, timestamps, request IDs when available, and the smallest reproduction that still triggers the signature.