The certificate_expired alert (TLS alert code 45) is sent when the peer's certificate is outside its validity period: the notAfter date has passed or, less commonly, the notBefore date is still in the future. It is the TLS protocol-level counterpart of the browser's ERR_CERT_DATE_INVALID. The side that receives and validates the certificate (usually the client) sends the alert and closes the connection. In server-to-server traffic (API calls, microservices, webhook deliveries) it shows up often because there is no user to click through a warning; the automated client simply fails. Certificate expiration is among the most common causes of unexpected TLS failures in production systems.
Let's Encrypt certificates are valid for 90 days, and certbot attempts renewal once fewer than 30 days remain. If the renewal cron job, systemd timer, or ACME client has been failing silently (DNS changes, a blocked port 80 or 443, file permission problems), that failure has usually been repeating for about a month before the certificate actually expires and connections start failing.
For commercial certificates that must be manually renewed, the renewal deadline was missed. Organizations often lose track of certificate expiration dates, especially when the person who originally set up the certificate has left.
If the clock on the machine validating the certificate is set ahead of real time, a valid certificate appears expired; if it is set behind, a freshly issued certificate appears not yet valid. This is uncommon on NTP-synchronised hosts but does occur on embedded devices without a battery-backed clock, freshly provisioned VMs, and containers whose host clock has drifted. Compare the output of date -u on the failing client with a trusted time source before touching the certificate.
Retrieve the certificate the server actually presents and check its validity dates. The 'Not After' field shows when it expires; 'Not Before' shows when it became valid. Check the intermediate certificates in the served chain as well: an expired intermediate produces the same alert even when the leaf certificate is current.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
If using Let's Encrypt, run the renewal. Once a certificate has expired it is past certbot's renewal threshold, so a plain certbot renew will reissue it; --force-renewal is only needed for a certificate that is not yet due, and forced renewals count against Let's Encrypt rate limits. For commercial certificates, log into your CA's portal to reissue. Deploy the renewed certificate and reload the web server.
sudo certbot renew --force-renewal && sudo systemctl reload nginx
Investigate why automatic renewal failed. Check the certbot logs (journalctl for the timer-driven service, and /var/log/letsencrypt/letsencrypt.log for the ACME client's own output), ensure port 80 or 443 is reachable from the internet for the ACME challenge, and verify that the domain's DNS records resolve to this server.
sudo journalctl -u certbot --since '30 days ago' --no-pager | tail -50
After renewing, verify that the server presents the new certificate (rerun the openssl command above and confirm the dates have changed) and that DNS points at the server you renewed on. Check from several locations so that a stale DNS answer, or a load balancer node still holding the old certificate, is not mistaken for a failed renewal.
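The check in the steps above can be automated so that a monitor catches an expiring certificate long before clients start receiving alert 45. The script below is an added example, not part of the original page: it parses the output of the openssl x509 -noout -dates command shown above (the embedded SAMPLE_DATES block is constructed for the example, not captured from a real host) and classifies the certificate as ok, expiring soon, expired, or not yet valid. The clock is passed in as a parameter, so the clock-skew cause described earlier can be reproduced by supplying a time that is ahead of or behind real time. The Nagios-style exit-code mapping and the file name check_cert_dates.py are assumptions for the example.

```python
import ssl
import sys
import time

# Constructed sample of what `openssl x509 -noout -dates` prints. The dates are
# made up for this example and describe a certificate that expired on 30 Dec 2023.
SAMPLE_DATES = """notBefore=Oct  1 00:00:00 2023 GMT
notAfter=Dec 30 00:00:00 2023 GMT
"""

DAY = 86400


def parse_dates(text):
    """Return (not_before, not_after) as Unix timestamps from openssl -dates output.

    ssl.cert_time_to_seconds understands OpenSSL's 'Mon DD HH:MM:SS YYYY GMT'
    layout, including the two spaces before a single-digit day, and it does not
    depend on the process locale the way a hand-written strptime would.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def classify(not_before, not_after, now, warn_days=14):
    """Classify a validity window against the clock `now`.

    Returns (status, days_until_not_after). Passing a `now` that is ahead of
    real time reproduces a skewed client clock: a current certificate is
    reported as expired, exactly as the peer would see it.
    """
    days_left = (not_after - now) // DAY
    if now < not_before:
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring_soon", days_left
    return "ok", days_left


# Exit codes follow the Nagios check convention (assumption for this example).
EXIT_CODES = {"ok": 0, "expiring_soon": 1, "expired": 2, "not_yet_valid": 2}


def report(text, now=None, warn_days=14):
    """Parse openssl output and return (status, days_left, exit_code)."""
    now = int(time.time()) if now is None else now
    status, days_left = classify(*parse_dates(text), now, warn_days)
    return status, days_left, EXIT_CODES[status]


if __name__ == "__main__":
    # Usage: openssl s_client -connect host:443 -servername host 2>/dev/null \
    #        | openssl x509 -noout -dates | python3 check_cert_dates.py
    # Falls back to the constructed sample when nothing is piped in.
    text = SAMPLE_DATES if sys.stdin.isatty() else sys.stdin.read()
    status, days_left, code = report(text)
    print(f"{status}: notAfter is {days_left} days from now")
    sys.exit(code)
```

Run it from cron or a monitoring agent against every public endpoint, and against internal service certificates as well, since those are the ones with no browser warning to notice. Lower warn_days for short-lived certificates, and keep it above the renewal window of the ACME client so a stalled renewal is reported before expiry.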
Summary: the server's SSL/TLS certificate has expired or is not yet valid according to the clock of the system validating it.
Related alerts: certificate_unknown (alert code 46) is sent when the certificate was rejected for a reason not covered by a more specific certificate alert. bad_certificate (alert code 42) is sent when a certificate in the handshake was corrupt, contained signatures that did not verify, or could not be parsed.