The worst part of an expired certificate isn't the outage — it's the message your customers see. Instead of your homepage, they get a full-screen red warning that says “Your connection is not private” and “attackers might be trying to steal your information.” To a non-technical visitor, that doesn't read as “a date passed”; it reads as “this site has been hacked.” The good news is that the fix is usually fast, and once you've done it, an expiry never needs to catch you out again.
What the error actually means
When you see “NET::ERR_CERT_DATE_INVALID” or “Your connection is not private,” it's worth knowing exactly what the browser is telling you, because it sounds far scarier than it is. The certificate that proves your site's identity has passed its expiry date, and the browser would rather block the page entirely than risk connecting to a site whose identity it can no longer vouch for.
Crucially, nothing has been hacked. No attacker is involved, no data has leaked. The certificate simply timed out, like a passport, and needs renewing. Understanding that lets you skip the panic and go straight to the fix — though it's also a reminder of why you want to renew before your visitors ever see that screen.
How to renew it fast
The exact steps depend on where your certificate lives, but the shape is always the same: issue a fresh certificate, then make the server actually use it. If you use Let's Encrypt, run your ACME client — certbot renew — and reload the web server. On a managed host or load balancer, reissue or re-upload the certificate through the control panel. On a CDN like Cloudflare, confirm the edge certificate is active and the origin certificate behind it is still valid.
Whatever the path, don't forget the second half: reload the server after renewing. A shiny new certificate sitting on disk does absolutely nothing until the running server picks it up, and “I renewed it but the site's still broken” is almost always a server that hasn't been reloaded.
Why it expired in the first place
Once the fire is out, it's worth asking how it started — because the answer tells you how to prevent the next one. Certificates are short-lived by design, often 90 days, and renewal is meant to be automatic. That automation is exactly what lulls teams into forgetting the certificate exists at all.
And automation fails quietly. A renewal cron job stopped after a server migration. An ACME challenge broke because a firewall rule or DNS record changed. Or — most common of all — the certificate lived somewhere the automation never covered in the first place: a mail server, a load balancer, an internal admin tool that someone set up by hand and never wired into the renewal process.
How to never get caught again with WatchControl
The real fix isn't this renewal; it's making sure you never discover the next expiry from a customer's screenshot. Don't rely on anyone remembering a date — certificates outlive memories and the people who set them up. Instead, monitor every TLS endpoint for both days-remaining and current validity, and set a warning window of around 14 days so you're told while there's still calm time to act.
This is exactly what WatchControl does. It checks your certificates and warns you days before expiry by email, SMS or webhook, in stages if you like — 30, 14 and 7 days — so a missed renewal escalates instead of slipping through. Point it at your mail and internal services too, not just your main website, since those are the ones that catch people out. It runs from the EU on a free plan, turning the most avoidable outage there is into a non-event.
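The monitoring check described above can be sketched with the Python standard library. This is an added example, not WatchControl's code: the function names and the `example.test` hostnames are assumptions, and the sample expiry dates are constructed so the demo runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

STAGES = (30, 14, 7)  # staged warning thresholds in days, taken from the article

def days_remaining(not_after, now):
    """Whole days until expiry; not_after is a getpeercert() 'notAfter' string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the expiry time has passed

def classify(not_after, now, stages=STAGES):
    """Return (status, days_left); status names the tightest stage reached."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED", left
    hit = [s for s in sorted(stages) if left <= s]
    return (f"WARN_{hit[0]}" if hit else "OK"), left

def check_endpoint(host, port=443, now=None, timeout=5):
    """Handshake with full verification, then classify the served certificate.

    Covers implicit-TLS ports only; STARTTLS services (SMTP on 25/587, for
    example) need a protocol-specific upgrade before the handshake.
    """
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname or untrusted chain: invalid right now.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)

if __name__ == "__main__":
    # Constructed sample data so the demo runs offline; swap in check_endpoint()
    # with your own hostnames for live checks.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    samples = {
        "www.example.test": "Mar  1 00:00:00 2025 GMT",
        "mail.example.test": "Jan 11 00:00:00 2025 GMT",
        "admin.example.test": "Dec 31 12:00:00 2024 GMT",
    }
    for name, not_after in samples.items():
        print(name, *classify(not_after, now))
```

Because `check_endpoint` verifies the chain and hostname during the handshake, a certificate that has already expired surfaces as `INVALID` with the verifier's message rather than a day count, which gives you the "current validity" signal alongside days-remaining.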