SSL Certificate Expired or Invalid — How to Fix It

An expired SSL certificate completely blocks visitors — 84% of users will abandon a purchase when they see a browser security warning (SSL.com, 2024). In the Keyfactor 2024 PKI Report, 45% of enterprises experienced downtime from certificate issues, with the average outage costing over $1.1M. Even Google's own Bazel project went down in December 2025 when a cert expired. This is one of the few issues that stops 100% of traffic until fixed.

Start here

Before You Fix It: What This Check Means

SSL/TLS certificates are the browser trust anchor for your domain. In plain terms, this tells you whether visitors are protected by the security setup you intend to run in production. Scavo validates two layers.

Why this matters in practice: weak settings here can increase breach risk and incident blast radius before teams notice.

How to use this result: treat this as directional evidence, not final truth. A crawl snapshot cannot prove every route, subdomain, or transient edge rule is consistently configured. First, confirm the issue in live output: inspect live response headers and certificate state on the exact production host Then ship one controlled change: Enforce HTTPS across all canonical hosts. Finally, re-scan the same URL to confirm the result improves.

Background sources

TL;DR: Your SSL certificate is missing, expired, or misconfigured. Browsers will show a full-page security warning that blocks visitors from reaching your site.

An expired SSL certificate completely blocks visitors — 84% of users will abandon a purchase when they see a browser security warning (SSL.com, 2024). In the Keyfactor 2024 PKI Report, 45% of enterprises experienced downtime from certificate issues, with the average outage costing over $1.1M. Even Google's own Bazel project went down in December 2025 when a cert expired. This is one of the few issues that stops 100% of traffic until fixed.

What Scavo checks (plain English)

Scavo validates two layers:

  1. Protocol layer: is the scanned URL actually HTTPS?
  2. Certificate layer: if certificate details are available, is expiry healthy?

Expiry thresholds in this check:

  • Fail: certificate already expired (days_until_expiry < 0)
  • Fail: expires in <= 7 days
  • Warning: expires in <= 30 days
  • Pass: valid with healthy remaining lifetime

Special behavior:

  • If HTTPS works but certificate detail probe is unavailable, Scavo still returns Pass with limited depth.

How Scavo scores this check

Scavo assigns one result state for this check on the tested page:

  • Pass: baseline signals for this check were found.
  • Warning: partial coverage or risk signals were found and should be reviewed.
  • Fail: required signals were missing or risky behavior was confirmed.
  • Info: Scavo could not gather enough reliable evidence on this run to score pass/fail confidently.

In your scan report, this appears under What failed / What needs attention / What is working for ssl_certificate, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: ssl_certificate
  • Category: SECURITY

Why fixing this matters

Broken or expiring certificates cause browser warnings, conversion drops, API failures, and trust damage. For B2B buyers, certificate errors are immediate red flags.

Certificate hygiene is also operational reliability. Teams need renewal ownership, alerts, and backup processes so expiration is never a surprise incident.

Common reasons this check flags

  • Domain not fully migrated to HTTPS.
  • Auto-renew failed due DNS/CAA/account issues.
  • Certificate installed on some hosts but not all edge endpoints.
  • Renewal happened but old cert still served by one environment.

If you are not technical

  1. Ensure there is one named owner for certificate lifecycle.
  2. Require renewal reminders in more than one system.
  3. Confirm all public hostnames are covered by valid certs.
  4. Re-run Scavo and verify expiry risk is cleared.

Technical handoff message

Copy and share this with your developer.

Scavo flagged SSL Certificate (ssl_certificate). Please ensure HTTPS is enforced, validate active certificate chain and expiry window, and confirm all production hostnames/edges serve the renewed certificate.

If you are technical

  1. Enforce HTTPS across all canonical hosts.
  2. Verify certificate chain and SAN coverage for all active domains.
  3. Confirm auto-renew jobs and challenge methods are stable.
  4. Add renewal alerting at 30/14/7-day windows.
  5. Validate certificate deployment across CDN/load balancer/origin.

How to verify

  • curl -Iv https://your-domain to inspect certificate details.
  • Confirm expiry date and issuer align with expected certificate.
  • Check alternate hostnames/subdomains in scope.
  • Re-run Scavo and confirm no expiry warning/fail state.

What this scan cannot confirm

  • It does not validate full certificate transparency monitoring.
  • It does not test every subdomain unless scanned.
  • It does not replace full TLS configuration audits (cipher suites, protocol versions, etc.).

Owner checklist

  • [ ] Assign certificate lifecycle owner.
  • [ ] Keep auto-renew and fallback renewal documented.
  • [ ] Alert on upcoming expiry with multiple channels.
  • [ ] Re-check after CDN, DNS, or host certificate rotation.

FAQ

Why can SSL pass without issuer/expiry details?

If HTTPS is confirmed but deep certificate detail probe is unavailable, this check still passes transport baseline with reduced depth.

Is 30 days still safe?

It may still work, but this check warns to prevent last-minute outages.

Should we monitor only the main domain?

No. Monitor all public hostnames users can reach.

What should we fix first?

If not HTTPS: migrate immediately. If expiring: renew and confirm edge rollout everywhere.

Sources

Need an SSL renewal runbook your team can execute under pressure? Send support your current CA/CDN setup.

Related Guides

More checks in this area

Security cookie_security_flags

Unsafe Cookie Flags — Session Cookies Too Easy to Steal or Replay

Learn how Scavo checks live Set-Cookie headers for Secure, HttpOnly, SameSite, and prefix-rule mistakes so session and auth cookies are not left too loose.

Open guide
Security security_headers

Weak Security Headers — Missing or Misconfigured Browser Protections

Learn how Scavo checks critical browser security headers, including weak or invalid values, so your live responses are not giving a false sense of protection.

Open guide
Security content_security_policy

Content Security Policy (CSP) Missing or Too Permissive

XSS accounts for approximately 20% of reported web vulnerabilities across all industries (OWASP, 2024). A strong CSP is your primary defence — yet only 21.9% of sites have adopted CSP (HTTP Archive, 2025), and 91% of those still include unsafe-inline, making the policy ineffective. Without CSP, a single compromised third-party script or input field can steal user data, inject malware, or deface your site.

Open guide

Raccoon Cookie Checkpoint

Can we use optional cookies?

Essentials always stay on. Optional cookies help with preferences, analytics, and smarter prompts.

Current setting: Decision needed