What this error means
The error "certificate has expired" means name resolution, origin connectivity, or TLS certificate validation failed before the application request could complete.
Common causes
- Server certificate expired
- Intermediate certificate expired
- Certificate automation failed
- Client system clock is incorrect
Copy-paste commands
Query DNS records
dig example.com A
dig example.com CNAME
Check HTTP response headers
curl -I https://example.com
Inspect TLS certificate chain
openssl s_client -connect example.com:443 -servername example.com </dev/null
Flush macOS DNS cache
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
Quick fixes
- Check the exact hostname, not just the apex domain.
- Renew and deploy the certificate, then verify the full chain and server time.
- Compare direct origin behavior with proxied/CDN behavior when possible.
- Retry after DNS TTL or certificate deployment has had time to propagate.
Step-by-step troubleshooting
- Confirm the browser, client, or log reports "certificate has expired" for the same hostname.
- Use dig to verify the authoritative DNS answer.
- Use curl -I to check whether the hostname reaches the expected service.
- Use openssl s_client to inspect certificate hostname, issuer, and expiry.
- If a CDN is involved, compare proxied and direct-origin behavior.
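As an added example (not part of the original page), the Python below parses the "Certificate chain" section of openssl s_client output and maps each entry to the causes listed under "Common causes". It assumes the OpenSSL 3.x layout, which prints a v:NotBefore/NotAfter line per certificate; SAMPLE, the function names and the 30-day warning window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client` (OpenSSL 3.x layout assumed; names and dates are made up).
SAMPLE = """\
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
   v:NotBefore: Jan 10 00:00:00 2024 GMT; NotAfter: Apr  9 23:59:59 2024 GMT
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
   v:NotBefore: Mar  1 00:00:00 2019 GMT; NotAfter: Mar  1 00:00:00 2024 GMT
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
VALID = re.compile(r"^\s*v:NotBefore: (.+?) GMT; NotAfter: (.+?) GMT\s*$")

def _utc(text):
    # strptime accepts the space-padded day ("Apr  9") that OpenSSL prints.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_chain(output):
    """Return (depth, subject, not_before, not_after) for each chain entry."""
    chain, current = [], None
    for line in output.splitlines():
        entry, valid = ENTRY.match(line), VALID.match(line)
        if entry:
            current = (int(entry.group(1)), entry.group(2).strip())
        elif valid and current:
            chain.append(current + tuple(_utc(g) for g in valid.groups()))
            current = None
    return chain

def classify(chain, now, warn=timedelta(days=30)):
    """Return (depth, subject, status, whole days left) per chain entry."""
    out = []
    for depth, subject, nb, na in chain:
        status = ("expired" if now > na else "not-yet-valid" if now < nb
                  else "renew-soon" if na - now <= warn else "ok")
        out.append((depth, subject, status, (na - now).days))
    return out

def diagnose(chain, reference_now, client_now):
    """Map findings to the causes listed on this page."""
    causes = [("Server" if d == 0 else "Intermediate") + " certificate expired: " + s
              for d, s, status, _ in classify(chain, reference_now) if status == "expired"]
    if not causes and any(f[2] == "expired" for f in classify(chain, client_now)):
        causes.append("Client system clock is incorrect")
    return causes
```

Pass reference_now from a trusted time source and client_now from the failing machine; if the chain is valid at the first but expired at the second, the client clock is the cause rather than the certificate.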
Platform-specific fixes
macOS
- Use dscacheutil to clear local DNS cache after changing records.
Linux
- Use dig or resolvectl query to compare resolver answers.
Windows
- Use ipconfig /flushdns after DNS changes, then retest the exact hostname.
Real-world fixes
- If Cloudflare is enabled, test whether the origin responds when accessed directly.
- If only one network fails, compare DNS resolver answers before changing server config.
- Renew and deploy the certificate, then verify the full chain and server time.
How to prevent it
- Track DNS changes with owner, TTL, and expected target.
- Monitor certificate expiry before renewal windows close.
- Keep CDN SSL mode and origin certificate configuration documented.