Contents
6 sections · 6 min read
SSL certificate renewal calendar showing expiry date and renewal process diagram
Domain Security

How to Renew an SSL Certificate: Manual, Auto, and What to Do When It Expires

A
Domain 360 Team
·June 24, 2026·6 min read

SSL certificate renewal causes more unexpected downtime than almost any other routine maintenance task. Not because it is technically complex, but because it falls between who is responsible — is it the host, the developer, or the domain owner? And when auto-renewal fails silently, the first sign is a visitor screenshot of a security warning.

Here is how to handle renewal for every common setup.

Checking When Your Certificate Expires

Before worrying about renewal, know your current expiry date.

In a browser: Click the padlock icon in the address bar, Certificate or Connection is secure, View certificate. The "Not valid after" date is your expiry.

On Mac or Linux: echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

Online: SSL Shopper's SSL Checker (sslshopper.com/ssl-checker.html) is the most convenient — enter your domain and it shows expiry, issuer, and any chain issues.

Set a calendar reminder 45 days before expiry as your early warning.

Let's Encrypt: Auto-Renewal via Certbot

If you installed Let's Encrypt via Certbot on a VPS, Certbot should have installed a cron job or systemd timer that automatically runs renewal checks twice daily.

Test that auto-renewal is set up: sudo certbot renew --dry-run

If this runs without errors, auto-renewal is working. You should not need to do anything manually.

When auto-renewal fails: The most common cause is a changed DNS configuration — if you moved your domain to Cloudflare and are now proxying through Cloudflare (orange cloud), the http-01 challenge Certbot uses by default cannot complete because Cloudflare terminates the connection. Switch to DNS validation or use a Cloudflare Origin Certificate instead.

To manually renew immediately: sudo certbot renew --force-renewal

Hosting Control Panel (cPanel, Plesk, DirectAdmin)

If your host manages SSL through the control panel, renewal is usually automatic. Check the SSL/TLS section of your control panel for expiry dates and renewal status.

If a certificate is not renewing: check that your domain resolves correctly (an expired domain stops auto-renewal), that the hosting account is active, and that there are no billing issues.

Commercial SSL certificate providers (DigiCert, Comodo, Sectigo, GoDaddy) send renewal notices by email 90, 60, and 30 days before expiry. The renewal process:

  1. Log in to your certificate provider account.
  2. Initiate renewal for the expiring certificate.
  3. Generate a new CSR (Certificate Signing Request) from your server.
  4. Submit the CSR to the provider.
  5. Complete domain validation (for DV certificates, add a file or DNS record).
  6. Receive the new certificate files.
  7. Install the new certificate on your server.
  8. Verify the certificate is live using the SSL checker.

Allow a full day for the process in case validation takes time.

Emergency: Certificate Already Expired

If your certificate has already expired and visitors are seeing warnings, the priority is restoration speed.

The fastest route: if you are on managed hosting, log in to the control panel and look for a one-click renewal option. Many hosts can re-issue within minutes.

If you are on a VPS with Certbot: sudo certbot renew --force-renewal will issue a new certificate immediately.

If you are using Cloudflare as a proxy: temporarily set SSL mode to Flexible while you sort out the origin certificate — this restores the secure padlock for visitors (though origin connection is not encrypted). Then fix the origin certificate properly.

The Root Cause of Most SSL Failures

SSL renewal failures almost always trace back to one of three causes: changed DNS configuration that breaks validation, an expired domain that makes the certificate irrelevant, or a hosting account issue that stops automated processes.

The domain expiry case is the sneakiest — an expired domain does not produce an expired certificate message, it produces DNS failures that make the site look like it is down with network errors. If SSL errors appear alongside DNS errors, check the domain expiry first before touching any certificate configuration.

Never lose a domain again

Track every domain you own in one dashboard. Free for up to 15 domains.