SSL Certificate Expired

What This Check Does

The SSL Certificate Expired check detects when your domain's SSL/TLS certificate has passed its expiration date. DNS Spy connects to your domain over HTTPS, retrieves the certificate, and checks whether the current date exceeds the certificate's notAfter field. When it does, this check fails and a critical incident alert is raised.

Why It Matters

An expired certificate is an active incident. All major browsers display a full-page interstitial warning that prevents users from accessing your site without manually clicking through an "Advanced" bypass — something most users won't do. HSTS-enabled domains may be completely inaccessible. APIs and webhooks that enforce TLS validation will fail outright, breaking integrations.

Beyond the immediate access problem, an expired certificate signals to users and partners that your security practices are unreliable. Recovery requires immediately obtaining and installing a new certificate, which can take minutes to hours depending on your infrastructure.

Good vs. Bad Configuration

Bad Configuration

The certificate for example.com expired 2 days ago. Visitors are seeing "Your connection is not private" errors. The team was unaware because renewal reminders went to a shared inbox no one monitors.

Good Configuration

A new certificate has been issued and installed for example.com. DNS Spy detects the valid certificate with a future expiration date and automatically resolves the expired certificate alert.

How DNS Spy Monitors This

DNS Spy immediately raises a critical incident when it detects an expired certificate. Alerts are sent through all configured notification channels. The check continues running on its normal cycle, and the incident is automatically resolved once DNS Spy detects a valid, non-expired certificate on your domain.