SSL Certificate Expired — Emergency Renewal Checklist
Renew an expired or expiring SSL/TLS certificate. Covers Let's Encrypt/certbot renewal, manual certificate replacement, web server reload, and auto-renewal setup.
10 min · 7 steps
Verify when the current certificate expires.
echo | openssl s_client -servername YOUR_DOMAIN -connect YOUR_DOMAIN:443 2>/dev/null | openssl x509 -noout -dates
Expected: Shows 'notBefore' and 'notAfter' dates. If notAfter is in the past, the cert is expired. The -servername flag sends SNI, so you see the certificate for that virtual host rather than the server's default one.
List all managed certificates and their status.
certbot certificates 2>/dev/null || ls -la /etc/letsencrypt/live/
Expected: certbot lists each managed certificate with its domains, expiry date, and certificate/key paths. The ls fallback (used only if certbot is not on PATH) shows just the lineage directories under /etc/letsencrypt/live/, not expiry dates; inspect the fullchain.pem in each directory with openssl to get those.
Run certbot renew to attempt automatic certificate renewal.
certbot renew --dry-run && certbot renew
Expected: The first command runs the renewal against the Let's Encrypt staging environment and replaces nothing; it proves the challenge and hooks work. The second performs the real renewal and should end with 'Congratulations, all renewals succeeded'. certbot renew only touches certificates within 30 days of expiry (an expired one qualifies); others are reported as 'not yet due for renewal'.
The standalone authenticator binds port 80 itself, so it cannot run while Nginx is listening there. The --webroot or --nginx authenticator answers the HTTP-01 challenge through the running server and avoids downtime.
If automatic renewal fails, force a new certificate.
certbot certonly --force-renewal -d YOUR_DOMAIN --nginx
# OR with standalone: certbot certonly --force-renewal -d YOUR_DOMAIN --standalone --preferred-challenges http
Expected: New certificate issued. Output shows the certificate path and expiry date.
If using --standalone, stop Nginx first so port 80 is free, then start it again afterwards. --force-renewal issues a new certificate even when the current one is still valid, and Let's Encrypt rate-limits duplicate certificates (5 per week for the same set of names), so do not run it in a retry loop; fix the underlying challenge failure instead.
Apply the new certificate by reloading the web server.
nginx -t && systemctl reload nginx
# OR for Caddy: caddy reload --config /etc/caddy/Caddyfile
Expected: nginx -t reports the configuration is ok and the reload succeeds. A reload (not a restart) re-reads the certificate files without dropping open connections. Until this step, clients are still served the old, expired certificate even though the new files exist on disk.
Confirm the certificate is valid and not expired.
echo | openssl s_client -servername YOUR_DOMAIN -connect YOUR_DOMAIN:443 2>/dev/null | openssl x509 -noout -dates -subject
Expected: notAfter should be about 90 days in the future for Let's Encrypt certificates, and the subject should match YOUR_DOMAIN. If the old notAfter is still shown, the server was not reloaded or its ssl_certificate directive points at a different file than the one certbot wrote.
Ensure automatic renewal is configured to prevent future expirations.
systemctl enable certbot.timer && systemctl start certbot.timer && systemctl list-timers certbot*
Expected: The timer is active with a next-run time. certbot will then renew any certificate within 30 days of expiry. Two caveats: snap installations use snap.certbot.renew.timer, and some distributions ship a cron job in /etc/cron.d/certbot instead of a systemd timer, so check whichever applies. Renewal only reloads the web server automatically when the --nginx installer was used; for certificates obtained with certonly, add --deploy-hook 'systemctl reload nginx' or drop a script into /etc/letsencrypt/renewal-hooks/deploy/, otherwise the renewed files sit unused until the next manual reload.
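The checks in steps 1, 6 and 7 come down to two questions: how many days are left on the certificate the server actually presents, and is that the same certificate certbot wrote to disk. The script below is an added example, not part of the original checklist; its function names are hypothetical, DOMAIN and the /etc/letsencrypt path are placeholders, and it assumes GNU date (date -d) as found on most Linux hosts running certbot. It parses the notAfter line exactly as openssl prints it and applies certbot's 30-day renewal window to produce a verdict.

```shell
#!/bin/sh
# Added example (not from the original checklist): turn openssl's "notAfter"
# line into a days-remaining figure and a verdict, then optionally confirm that
# the certificate served on :443 is the one on disk. Function names are
# hypothetical; DOMAIN and the letsencrypt path are placeholders.
# Assumes GNU date (date -d) for parsing the certificate date string.

# days_until_expiry NOT_AFTER_LINE NOW_EPOCH
#   NOT_AFTER_LINE is the raw "notAfter=Mar  1 12:00:00 2025 GMT" line from
#   `openssl x509 -noout -dates`; NOW_EPOCH is the reference time in seconds.
#   Prints whole days remaining, rounded down (so -1 means expired within the
#   last day; an expired-by-one-hour cert is never reported as 0).
days_until_expiry() {
    not_after=${1#notAfter=}
    expiry=$(date -u -d "$not_after" +%s) || return 2
    diff=$(( expiry - $2 ))
    if [ "$diff" -lt 0 ]; then
        echo $(( 0 - (86399 - diff) / 86400 ))
    else
        echo $(( diff / 86400 ))
    fi
}

# cert_verdict DAYS
#   certbot renew only acts on certificates within 30 days of expiry, so
#   anything above that is healthy; below zero the certificate has expired.
cert_verdict() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt 30 ]; then echo RENEW
    else echo OK
    fi
}

# served_matches_local DOMAIN CERT_FILE
#   Compares the SHA-256 fingerprint of the certificate presented on :443 with
#   the one on disk. Catches the case where renewal succeeded but the web server
#   was never reloaded and still hands out the expired certificate.
served_matches_local() {
    served=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    local_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

# Constructed sample input: a notAfter line in openssl's format, evaluated at
# 2025-01-01T00:00:00Z (epoch 1735689600) so the result is reproducible offline.
sample_line="notAfter=Mar  1 12:00:00 2025 GMT"
days=$(days_until_expiry "$sample_line" 1735689600)
echo "$sample_line -> $days days -> $(cert_verdict "$days")"

# Live check, only when DOMAIN is set:  DOMAIN=example.com sh check_cert.sh
if [ -n "$DOMAIN" ]; then
    live=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null \
        | openssl x509 -noout -enddate)
    live_days=$(days_until_expiry "$live" "$(date -u +%s)")
    echo "$DOMAIN: $live_days days -> $(cert_verdict "$live_days")"
    if served_matches_local "$DOMAIN" "/etc/letsencrypt/live/$DOMAIN/fullchain.pem"; then
        echo "served certificate matches on-disk fullchain.pem"
    else
        echo "WARNING: served certificate differs from disk; reload the web server"
    fi
fi
```

Run it without DOMAIN to see the offline sample, or with DOMAIN=YOUR_DOMAIN after step 5 to confirm both that the served certificate has a fresh notAfter and that it is the file certbot just wrote; a mismatch there is the usual reason step 6 still shows the old date.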