First confirm whether the outage is certificate-related
Common symptoms of an expired certificate
An expired SSL certificate is not just a browser warning. For services that depend on HTTPS, it can stop the TLS handshake before any HTTP request is processed, breaking browsers, API clients, automated callbacks, and background jobs at the same time.
- Browsers show an unsafe connection warning and users cannot continue normally.
- Mobile apps, webhooks, payment callbacks, or third-party API calls suddenly fail.
- A load balancer, CDN, gateway, or one backend node still serves the old certificate after the origin was renewed.
- Older clients report certificate chain errors while modern browsers look fine.
Why an expired certificate can take traffic down
Before an HTTPS connection is established, the client validates whether the certificate is still within its validity period, whether it matches the requested hostname, and whether the certificate chain is trusted. If any key condition fails, the client usually rejects the connection. In a browser this appears as a security interstitial. In service-to-service traffic it appears as failed requests, retries, or callback timeouts.
Deployment paths make this harder. A certificate may have been renewed on one machine, while a CDN, load balancer, Ingress, or another server still serves the old file. Checking a local certificate timestamp on one server does not prove every public entry point has been updated.
Real incident: the Let's Encrypt root certificate expiry
On September 30, 2021, the DST Root CA X3 cross-signed root certificate used by Let's Encrypt expired. Let's Encrypt already had an independent trust chain through ISRG Root X1, but many older Android devices before 7.1.1, OpenSSL 1.0.x clients, and devices with stale firmware still trusted only the old root. Millions of devices suddenly could not access sites using Let's Encrypt certificates, even when the site certificate itself had not expired.
The lesson is that certificate expiry is broader than one leaf certificate passing its notAfter date. Any expired or changed link in the trust chain can break part of your client base, and the affected population is often hard to predict.
Check the live certificate with openssl
Start from the real public entry point, not a local certificate file. This command connects to port 443 and uses SNI to request the certificate for the hostname you want to inspect. Replace example.com with your domain:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -datesA healthy output includes the subject, issuer, and validity window:
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R11
notBefore=Mar 15 00:00:00 2026 GMT
notAfter=Jun 13 00:00:00 2026 GMTThe key field is notAfter. If that time has already passed, or if only a few days remain, renew and deploy the certificate immediately. This is what an expired certificate can look like:
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R11
notBefore=Jan 1 00:00:00 2026 GMT
notAfter=Apr 1 00:00:00 2026 GMT expiredIf you need the full certificate chain and TLS handshake details, remove the pipe and inspect the raw s_client output:
openssl s_client -connect example.com:443 -servername example.com </dev/nullLook for the Certificate chain section and confirm that the chain from the server certificate to the root is complete. Each level should verify cleanly.
Use curl to confirm whether HTTPS works
curl is useful because it follows the same path a client uses. It can expose DNS, TCP, TLS handshake, and HTTP response failures in one command:
curl -vI https://example.comIn a healthy case, the TLS handshake output includes certificate details and a successful verification result:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=example.com
* start date: Mar 15 00:00:00 2026 GMT
* expire date: Jun 13 00:00:00 2026 GMT
* issuer: C=US; O=Let's Encrypt; CN=R11
* SSL certificate verify ok.
> HEAD / HTTP/2
< HTTP/2 200If the certificate has expired, curl stops the connection:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: certificate has expired
* closing connection
curl: (60) SSL certificate problem: certificate has expiredErrors such as certificate has expired, SSL certificate problem, or unable to get local issuer certificate point to the certificate validation stage. Do not use -k to hide the error. It only proves the server can return content; it does not prove users can connect safely.
Fields worth monitoring continuously
Manual checks help diagnose one incident, but they do not cover every domain and entry point over time. These are the fields worth monitoring continuously, along with the failure modes they catch in real operations.
Expiration date
Do not only count the days left. Check whether renewal and deployment still have enough operational time.
Typical scenario: The certificate was renewed at the CA, but an automatic deployment script silently failed after a permission change. One of three servers still serves the old certificate. Monitoring says renewal succeeded, but users randomly hit the stale node and see an expired certificate.
Issuer
Confirm the live certificate comes from the expected CA, so an old certificate or the wrong environment certificate is not deployed by mistake.
Typical scenario: A team migrates from a paid CA to Let's Encrypt, but one server still runs a cron job that pulls the old CA certificate. The domain keeps switching between two issuers, which makes the actual broken entry point hard to identify.
SAN
Verify that the certificate covers the current hostname, especially with many subdomains or wildcard certificates.
Typical scenario: A new api-v2.example.com hostname goes live, but the renewal job did not update the SAN list. The main domain and older subdomains are fine, while the new API starts failing with a hostname mismatch.
Certificate chain
Check that intermediate certificates are complete so clients can build a trusted chain.
Typical scenario: Modern browsers may fetch missing intermediates through AIA, but server-to-server mTLS calls, curl scripts, and some IoT devices do not. They fail with unable to get local issuer certificate.
TLS handshake status
Separate DNS failures, unreachable port 443, TLS handshake failures, and certificate validation errors.
Typical scenario: After a DNS migration, the hostname points to an old IP and the TLS handshake returns an unrelated certificate from an old server. If you only check the expiry date, it may look valid while users see a certificate mismatch warning.
CertFlow can monitor these fields automatically on the free plan. Add a domain and CertFlow will fetch and track the live certificate state.Sign up for free →
Multiple domains cannot rely on calendar reminders
A single site can sometimes survive with a calendar reminder and manual commands. Once you have more domains, subdomains, deployment targets, CDNs, and load balancers, risk comes from many directions: one entry point missed deployment, one chain is incomplete, one environment still points to an old certificate, or one third-party callback endpoint has not been visited in months.
Certificate monitoring does not replace debugging commands. It catches silent drift before users notice it. Commands are good for diagnosing a known issue. Monitoring is how you keep that issue from quietly recurring.
Cover the basic risk with CertFlow free monitoring
The CertFlow free plan includes 3 domains, 5 deployment targets, and 5 certificate monitors. It is enough for individual developers and small teams to cover their most important certificate status checks.
Add the domain to monitor
Enter the domain in the dashboard. CertFlow connects through public TLS to read the current certificate. You do not need to install an agent or provide any server secrets.
Review certificate health status
Expiration date, issuer, SAN list, certificate chain completeness, and TLS handshake status are updated continuously. Abnormal states are highlighted in the dashboard.
Configure expiry alerts
Set alert windows and notification channels so you have enough time to renew and deploy before a certificate expires.