SSL Certificate Expired
Your SSL certificate expired. Browsers are literally telling visitors to leave. Here's how to fix it on Cloudflare, GoDaddy, AWS, Namecheap, cPanel, and more — in under 15 minutes.
Quick Answer
An expired SSL certificate causes browsers to block your site with a full-page "Not Secure" warning. To fix it: log into your hosting provider, find the SSL/TLS section, click renew (or install a free Let's Encrypt cert), wait 5-15 minutes for propagation, then verify at ssllabs.com/ssltest. Enable auto-renewal so it never expires again.
The Problem
An expired, missing, or self-signed SSL certificate causes browsers (Chrome, Safari, Firefox, Edge) to show a full-page security warning — "Your connection is not private", "NET::ERR_CERT_DATE_INVALID", or "Warning: Potential Security Risk Ahead" — before visitors can see any of your content. The warning is unmistakable and looks like your site has been hacked.
Why It Matters
This is a site emergency. Every visitor sees a scary red warning page. Studies show 95%+ of users click "Back" rather than "Advanced → Continue Anyway". Google also drops sites without valid SSL from search results within days, and any HTTPS links pointing to your site (including from Google's own knowledge panels) start failing. Until fixed: your traffic, conversions, and rankings are all bleeding.
How to Fix It
Identify your host: log into wherever you bought your domain or hosting (GoDaddy, Cloudflare, AWS, Namecheap, etc.). The SSL is usually managed there.
Find the SSL/TLS section: it's often under "My Products", "Security", "SSL Certificates", or "Edge Certificates". Look for one marked Expired.
If you have a paid certificate (e.g. from DigiCert, Sectigo, GoDaddy SSL): click Renew, complete payment, and follow the install wizard. Most issue the new cert within 10-30 minutes.
If you don't have a paid certificate: enable free SSL via Let's Encrypt. Most modern hosts (Cloudflare, Vercel, Netlify, cPanel, Hostinger) offer this with one click and auto-renew it forever.
Wait 5-15 minutes for DNS/CDN propagation. Hard-refresh your browser (Ctrl+Shift+R or Cmd+Shift+R) to clear the cached error page.
Verify at ssllabs.com/ssltest — you want an A or A+ rating. Anything below B means there's still a config issue (mixed content, missing intermediate cert, weak ciphers).
Enable auto-renewal in your provider's dashboard. Set a calendar reminder for 30 days before expiry as a backup so you can fix it before it hits production.
Step-by-Step by Host
Walkthroughs for the most common hosts. Pick yours.
Cloudflare
- Log into dash.cloudflare.com and select your domain.
- Go to SSL/TLS → Edge Certificates.
- If your Universal SSL says Expired or Pending Validation, click "Disable Universal SSL" and immediately re-enable it — this re-issues a fresh Let's Encrypt cert.
- Set Encryption Mode to Full (Strict) under SSL/TLS → Overview if your origin has its own cert, otherwise Flexible (least secure, because traffic between Cloudflare and your origin is not encrypted; use it only as a temporary fix).
- Universal SSL renews automatically forever — you should never see this expire again on a Cloudflare-fronted domain.
GoDaddy
- Log into account.godaddy.com → My Products → SSL Certificates.
- Find the expired cert and click Manage.
- Click Renew — you'll be prompted to pay the renewal fee (typically $69-$99/year for a Standard SSL).
- After payment, GoDaddy issues a new cert. You'll need to verify domain ownership again (usually a DNS TXT record they create automatically if your DNS is also at GoDaddy).
- Once issued (5-30 min), click Install Certificate. If your hosting is GoDaddy too, install is one click. If you host elsewhere, download the .crt and intermediate .ca-bundle files and install them via your host's SSL panel.
- Turn on auto-renewal under the cert's Renew Settings tab.
AWS (Route 53 + CloudFront / ACM)
- Open AWS Certificate Manager (ACM) in the same region as your CloudFront distribution (must be us-east-1 for CloudFront).
- If your existing cert is expired: request a new public certificate, validate via DNS (ACM will create the validation CNAME for you if your domain is in Route 53).
- After validation issues the cert, edit your CloudFront distribution → General → Custom SSL Certificate, and select the new cert.
- ACM-issued certs auto-renew indefinitely as long as the validation CNAMEs stay in DNS — leave them in place.
- If you're using Application Load Balancer instead of CloudFront, update the listener under EC2 → Load Balancers → Listeners → HTTPS:443 → Default SSL/TLS certificate.
Namecheap
- Log into namecheap.com → Account Dashboard → SSL Certificates.
- Click Manage on the expired cert and choose Renew.
- Pay the renewal fee. After payment, you'll need to re-issue the cert: choose CSR generation (Namecheap can generate one for you if you provide your hosting details, or you can paste your own from cPanel/host).
- Validate via HTTP, DNS, or Email. HTTP validation is fastest (Namecheap places a file on your server automatically if your hosting is also Namecheap).
- Once issued, install via your host. If your host is Namecheap (Stellar/Stellar Plus), they auto-install. If elsewhere, download the .crt and install through cPanel/Plesk/host SSL panel.
cPanel (most shared hosts)
- Log into your cPanel and search for AutoSSL or SSL/TLS Status.
- If AutoSSL is enabled, click Run AutoSSL — it will detect the expired cert and request a fresh free Let's Encrypt cert within minutes.
- If AutoSSL isn't available, go to SSL/TLS → Manage SSL Sites → Browse Certificates and check what's installed.
- Generate or upload a new cert: SSL/TLS → Generate, view, upload, or delete SSL certificates. For a free cert, use Let's Encrypt via the AutoSSL or Let's Encrypt SSL plugin (most cPanel hosts pre-install one).
- Install the new cert on your domain via SSL/TLS → Install and Manage SSL.
- Tell your host to enable AutoSSL going forward — most do this by default but it's worth confirming.
Vercel / Netlify / Cloudflare Pages
- Modern static hosts handle SSL automatically via Let's Encrypt with infinite auto-renewal — if you're seeing an expired SSL on one of these, it's almost always a DNS issue, not a cert issue.
- Check your DNS: if the apex (root) record is set to ALIAS/ANAME pointing to the host, and your DNS provider stopped serving the record correctly, the cert verification breaks.
- Fix: confirm the DNS A/AAAA/CNAME records at your DNS provider match what the host shows in their dashboard (Vercel → Settings → Domains, Netlify → Domain settings).
- Once DNS is correct, the host re-issues the cert automatically within minutes. No manual cert work needed.
- If the host's UI shows the cert as expired and DNS is correct, contact support — these platforms don't allow user cert management, so it's on them.
Shopify
- Shopify-hosted SSL certs are managed by Shopify and auto-renew. If you're seeing expired SSL on a Shopify myshopify.com URL: contact Shopify support.
- If you've connected a custom domain (e.g. yourstore.com) and it shows expired: go to Settings → Domains → click your domain → Manage. There should be an option to verify or re-issue SSL.
- Common cause: third-party DNS (Cloudflare in front of Shopify) breaking cert validation. Solution: turn Cloudflare proxy off (gray cloud, DNS only) for your apex and www records, wait 24h for Shopify to re-issue, then re-enable proxy if needed.
Common Questions
How do I know if my SSL certificate is expired?
The most obvious signs: visitors get a full-page browser warning ("Your connection is not private" in Chrome, "Warning: Potential Security Risk Ahead" in Firefox), the URL bar shows a red lock icon or "Not Secure" text, and tools like ssllabs.com/ssltest will report the cert as expired with the exact expiration date. You can also click the lock icon in your browser → Connection is not secure → Certificate, which shows the expiry date directly.
How long does it take to fix an expired SSL certificate?
Usually 5-30 minutes from start to finish. The actual cert issuance is fast (Let's Encrypt issues in seconds, paid certs in 10-30 min). The slowest part is DNS or CDN propagation, which can take up to 1 hour but is usually under 15 minutes.
Can I fix an expired SSL myself or do I need a developer?
If your host offers free Let's Encrypt SSL (Cloudflare, Vercel, Netlify, most cPanel hosts), you can fix it yourself with one or two clicks. If you bought a paid cert from a third party (DigiCert, Sectigo, GoDaddy SSL) and need to install it manually on a separate host, that's typically a 30-60 minute developer task.
Will my Google rankings recover after I fix the SSL?
Yes, but not instantly. Google needs to recrawl your site after the fix is live. Typical recovery: 1-3 days for Google to recognize the cert is valid again, 1-2 weeks for rankings to fully return to where they were. Submit a re-index request via Google Search Console to speed it up.
What's the difference between free Let's Encrypt and a paid SSL?
For a typical small business website, none that matters. Both provide the same encryption strength and the same green padlock. Paid SSL adds: extended warranty (often $10k-$1M), Extended Validation (the green company name in the URL bar — though most browsers stopped showing this), and more enterprise-friendly support. For 99% of sites, free Let's Encrypt is identical to a $99/year cert in every way that visitors notice.
Why does my SSL keep expiring?
Either auto-renewal isn't enabled, or it's enabled but failing silently due to a misconfiguration (DNS changed, DNS validation record removed, web server can't serve the validation challenge file). Check your host's auto-renewal logs. If you see repeated failures, the most common fixes are: confirm DNS is at the same provider as your host, ensure the .well-known/acme-challenge URL on your site is publicly accessible, and check that your firewall isn't blocking Let's Encrypt's validation IPs.
What is NET::ERR_CERT_DATE_INVALID?
It's Chrome's specific error code for an expired SSL certificate (or one that hasn't started being valid yet — wrong system clock can cause this too). The fix is identical to any expired SSL: renew the cert. If you're seeing this on only your computer and not other devices, check your system clock first.
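An added example (not from the original page or any host's tooling) of an expiry monitor for the cases above: the 30-day reminder from the fix steps, auto-renewal that fails silently, and a cert that is not valid yet. It uses only Python's standard library; the function names and the 10-second timeout are assumptions made for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # reminder window from the page: 30 days before expiry


def classify(not_before, not_after, now, warn_days=WARN_DAYS):
    """Classify a validity window given in getpeercert() date format.

    Returns (status, whole_days_until_expiry); days go negative after expiry.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    ts = now.timestamp()
    days_left = int((end - ts) // 86400)
    if ts < start:
        # Cert is not valid yet (or the checking machine's clock is wrong).
        return ("NOT_YET_VALID", days_left)
    if ts >= end:
        return ("EXPIRED", days_left)
    if days_left < warn_days:
        return ("EXPIRING_SOON", days_left)
    return ("OK", days_left)


def check_host(host, port=443, timeout=10):
    """Fetch the live certificate for host and classify it.

    An already-expired cert fails the verified handshake, so the
    verification error text is returned instead of a day count.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ("REJECTED", exc.verify_message)
    now = datetime.now(timezone.utc)
    return classify(cert["notBefore"], cert["notAfter"], now)


if __name__ == "__main__":
    # Usage: python check_cert.py example.com www.example.com
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run it daily from cron or a CI job and alert on anything other than OK, so a failed renewal is noticed while the old certificate is still valid.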