Certificate expired error
The cert's Not After date has passed. Browsers refuse to load the page. The only fix is renewal — there's no client-side workaround that doesn't compromise security.
A certificate-expired error fires when a TLS cert's Not After date is in the past relative to the client's clock. Browser-specific names: NET::ERR_CERT_DATE_INVALID (Chrome/Edge), SEC_ERROR_EXPIRED_CERTIFICATE (Firefox), "This Connection Is Not Private" (Safari).
Why expiration exists
Every TLS cert has a hard validity window. The window exists because certs that get compromised need to eventually stop being valid even if revocation lookups fail. The shorter the window, the smaller the blast radius of a stolen private key.
Industry trajectory:
- Pre-2015: typically 36 months.
- 2018: dropped to 27 months.
- 2020: dropped to 13 months.
- 2024: most public CAs at 1 year.
- 2025+: Apple, Chrome pushing toward 47 days.
So this error is going to get more common, not less. Long-lived certs are dying.
The diagnostic
```
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -dates
```
Output looks like:
```
notBefore=Jan 1 00:00:00 2026 GMT
notAfter=Feb 14 00:00:00 2026 GMT
```
If notAfter is earlier than the current date, that's your bug. (Confusingly, the same error can also fire when the client's clock is wrong, mostly on phones that have lost their time sync. If everyone else's connection works, check the user's device clock.)
The fix is automation, not calendaring
Hand-renewal is a recipe for outages. Instead, do one of the following:
- Use ACME (Let's Encrypt, ZeroSSL, etc.) with automated renewal at ~30 days before expiry.
- Use a custom-domain platform that monitors and renews on your behalf.
- For paid certs, set the renewal date as a hard calendar event with a 2-week warning, plus an automated TLS monitor (Better Stack, UptimeRobot, Datadog) that alerts at 14, 7, and 1 day before expiry.
The most common cause of certificate-expired errors at SaaS companies isn't "we forgot to renew." It's "the renewal cron job has been failing silently for 4 months and nobody noticed until the cert actually expired." Monitor the cert, not the renewal job.
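A sketch of what "monitor the cert" can look like, as an added example that is not from the original page: it checks the certificate the server actually serves against the 14/7/1-day thresholds mentioned above, and maps handshake and connection failures to a status instead of passing silently. The function names and status labels are assumptions made for this example.

```python
import socket
import ssl
import time

WARN_DAYS = (1, 7, 14)  # alert thresholds named in the article, ascending

def not_after_epoch(not_after):
    """Parse 'Feb 14 00:00:00 2026 GMT' (openssl / getpeercert format) to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)

def classify(not_after, now=None):
    """Return EXPIRED, WARN_<n>D for the tightest threshold reached, or OK."""
    now = time.time() if now is None else now
    days = (not_after_epoch(not_after) - now) / 86400
    if days <= 0:
        return "EXPIRED"
    for limit in WARN_DAYS:
        if days <= limit:
            return f"WARN_{limit}D"
    return "OK"

def fetch_not_after(host, port=443, timeout=5):
    """Handshake with full verification and return the served leaf cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host, port=443):
    """Never fail silently: every outcome maps to a status the alerting can act on."""
    try:
        return classify(fetch_not_after(host, port))
    except ssl.SSLCertVerificationError as exc:
        # An already-expired cert fails the handshake; verify_code 10 is
        # OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED.
        return "EXPIRED" if exc.verify_code == 10 else f"VERIFY_FAILED: {exc.verify_message}"
    except OSError as exc:
        return f"UNREACHABLE: {exc}"

if __name__ == "__main__":
    # Constructed sample: the notAfter value from the sample output, 10 days before expiry.
    sample = "Feb 14 00:00:00 2026 GMT"
    print(classify(sample, now=not_after_epoch(sample) - 10 * 86400))
```

Run `check_host` from a scheduler that is independent of the renewal job, and treat any result other than `OK` as an alert.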