How to fix an expired or expiring SSL certificate
Your SSL certificate is expired or expires within 30 days. Expired certs make your site unreachable in every major browser — users see a full-screen security warning they cannot dismiss on many browsers. The fix depends on your host. Managed platforms (Vercel, Cloudflare, Netlify) renew automatically and this should not happen — if it does, the auto-renewal broke (usually a DNS misconfiguration). Self-hosted Let's Encrypt certs renew via certbot.
Why it matters
An expired cert is the single most visible outage your users will see. Conversions drop to zero. SEO takes a hit. Monitoring that catches this before expiry is essential.
How to check
1. In any browser, click the padlock → Certificate → Valid until.
2. Or run: `echo | openssl s_client -servername your-domain.com -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates`
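As an added example (not from the original page), here is a Python version of the openssl check that turns the `notAfter` date into days remaining and a status, using this page's 30-day threshold and the 14-day alert lead time from its AI prompt. The function names, status labels and the sample openssl output are assumptions constructed for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30   # this page's "expires within 30 days" threshold
ALERT_DAYS = 14  # alert lead time requested in the page's AI prompt

# Constructed sample of what `openssl x509 -noout -dates` prints.
SAMPLE = "notBefore=Mar  3 00:00:00 2025 GMT\nnotAfter=Jun  1 00:00:00 2025 GMT\n"


def not_after_from_openssl(text):
    """Pull the notAfter value out of `openssl x509 -noout -dates` output."""
    for line in text.splitlines():
        if line.startswith("notAfter="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no notAfter line in openssl output")


def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None):
    """Map a notAfter string to expired / alert / warn / ok."""
    days = days_left(not_after, now)
    if days < 0:
        return "expired"
    if days <= ALERT_DAYS:
        return "alert"
    return "warn" if days <= WARN_DAYS else "ok"


def check_host(host, port=443, timeout=10):
    """Live check. A verifying client cannot finish the handshake with an
    expired certificate, so that failure is reported instead of raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED
        return "expired" if exc.verify_code == 10 else "invalid"


if __name__ == "__main__":
    print(classify(not_after_from_openssl(SAMPLE)))
```

Run `check_host("your-domain.com")` from a scheduled job and notify on anything other than `ok`; an `invalid` result means the certificate failed verification for a reason other than expiry.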
How to fix it
Vercel
Vercel auto-renews. If a cert expired, check: (1) domain still points to Vercel (DNS CAA records, CNAME); (2) domain is still added in Vercel dashboard. Remove and re-add the domain to trigger reissuance.
Cloudflare
Dashboard → SSL/TLS → Edge Certificates. Cloudflare Universal SSL covers most cases. If expired, check the DNS CAA record and that the domain is not paused.
Let's Encrypt / certbot
Run `certbot renew` manually, then set up a cron job.
`0 3 * * * certbot renew --quiet && systemctl reload nginx`
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My SSL certificate is expired. Tell me what host I'm on (check DNS CNAME or A records for signatures like *.vercel-dns.com, *.cloudflare.com, *.netlify.app). Walk me through the specific renewal steps for that host. Then set up monitoring so I get an alert 14 days before expiry next time — use Better Stack, Uptime Kuma, or similar.
FAQ
Frequently asked questions
- How long are modern certs valid?
- Most Let's Encrypt and managed certs are 90 days. Commercial certs up to 13 months. Shorter is better — auto-renewal is the only sane way.