Defaults.Exposed › Reports
My SSL Certificate Expired — Why It Happens and How to Fix It (2026)
Published 2026-07-01
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. A certificate is “invalid” when it’s expired, self-signed, or issued for a different name — anything that makes the browser distrust it. See how we grade.
A certificate error means the browser can’t trust the padlock — so it warns the visitor before your page loads. It’s more common than you’d think: of the 197 million domains presenting a certificate, 8.21% — that’s 16,920,535 domains — serve one the browser rejects. The most frequent cause is the simplest: the certificate expired and renewal didn’t happen. Here’s why it fails and how to fix it for good.
Why certificates fail
Certificates are short-lived by design (often 90 days) and must be renewed automatically. When something breaks that cycle, visitors hit a warning. The common causes:
- Expired — renewal failed or was never automated. The single most common reason a site suddenly shows an error.
- Self-signed — a certificate the server issued to itself, which no browser trusts. Among invalid certificates, 20.0% are self-signed — typically a default left in place on a server or device.
- Name mismatch — the certificate is for a different hostname (e.g. covers
example.combut notwww.example.com). - Untrusted issuer or broken chain — an intermediate certificate is missing so the browser can’t build a path to a trusted root.
Only after a valid certificate is in place does the HTTPS padlock clear — and just 78.02% of all domains serve HTTPS at all.
What it costs while it’s broken
- Visitors leave. A full-page “your connection is not private” interstitial is scarier than the inline “Not secure” label — most people back out rather than click through. See why your website says “Not Secure”.
- Checkouts and logins stop. No one submits a password or card number past a certificate warning.
- APIs and integrations break. Machines are stricter than browsers — a bad certificate fails calls outright, often silently.
How to fix a certificate error
- Reissue the certificate — free from Let’s Encrypt; most hosts and CDNs issue and install one for you.
- Cover every hostname you use — include both the bare domain and
www(and any subdomains), or use a wildcard. - Install the full chain — serve the intermediate certificate, not just the leaf, so browsers can verify it.
- Automate renewal — this is the real fix. ACME clients (and most managed hosts) renew silently so you never expire again. See fix certificate errors.
- Redirect HTTP to HTTPS so no one lands on the unencrypted version. See fix HTTPS.
Frequently asked questions
Why did my SSL certificate expire? Certificates are deliberately short-lived and must auto-renew. When renewal fails — a broken cron job, a changed DNS record, a lapsed manual process — the certificate expires and the site shows a warning.
How do I fix an expired certificate? Reissue it (free via Let’s Encrypt or your host), install the full chain covering every hostname, and automate renewal so it can’t lapse again.
Is a self-signed certificate OK for a public site? No — browsers don’t trust it and will warn every visitor. 20.0% of invalid certificates are self-signed. Use a certificate from a trusted authority; it’s free.
Does an expired certificate hurt SEO? Yes indirectly — HTTPS is a ranking signal and the warning drives visitors away, raising bounce and losing conversions.
How much does fixing it cost? Nothing. TLS certificates are free and renewal is automatable. It’s a configuration fix, not a purchase.
Check your certificate free
See whether your certificate is valid, complete, and correctly chained — privately, and owner-only.
Check your domain → · Fix certificate errors → · “Your connection is not private” → · How we grade → · Aggregate data only. Data stored and processed in the EU.