CERT_HAS_EXPIRED
The certificate the server presented is past its notAfter date — its validity period has ended, so clients refuse to trust it.
Common causes
- The certificate simply reached its expiry date and wasn’t renewed in time.
- Automated renewal (e.g. certbot or cert-manager) failed silently days or weeks earlier.
- A renewed certificate was issued but never deployed/reloaded on the server.
- The client’s own system clock is wrong, making a valid cert look expired.
How to fix it
- 1
Confirm the served certificate’s dates from the live endpoint:
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \ | openssl x509 -noout -dates - 2
Renew the certificate. With certbot:
sudo certbot renew --force-renewal - 3
Reload the web server so it picks up the new certificate (e.g.
sudo systemctl reload nginx). - 4
Set up monitoring so you’re alerted weeks before the next expiry instead of finding out from users.
Catch these before your users do
SSLNudge detects CERT_HAS_EXPIRED and expiry issues daily and alerts you.