1) Quick identification: what error are you encountering?
Browser symptoms
“Not secure” (plain HTTP, or the SSL certificate has expired).
“NET::ERR_CERT_DATE_INVALID” (SSL expired, or the server/client clock is wrong).
“NET::ERR_CERT_COMMON_NAME_INVALID” (certificate hostname does not match the site).
“HSTS error” (HSTS is enabled, so the browser refuses access while SSL is failing).
Signs at the DNS/domain layer
Access works intermittently, then switches to a “parking” page.
Email on the domain bounces (MX/DNS expired).
WHOIS reports the domain as Expired/On Hold.
Priority
P1: Store/order/login not accessible; certificate/HSTS/domain error.
P2: Secondary resources (images/secondary CDN) raising mixed-content errors.
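As an added example (not from the article): a small Python triage that maps a certificate's validity dates, SAN list and chain state to the browser errors above, checked in the order a browser checks them, with RFC 6125 single-label wildcard matching and the SOP's 14-day expiry warning. Certificate facts are passed in as values and the sample data is constructed, so it runs offline; wiring it to a live probe is left to the reader.

```python
# Added example, not the article's code: map certificate facts to the browser
# errors above. Values are passed in (sample data constructed below) so the
# check runs offline; a live probe would fill them from the served cert.
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # the SOP warns when fewer than 14 days remain

def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one left-most label,
    so *.domain.com covers www.domain.com but not domain.com or a.b.domain.com."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels, s_labels = hostname.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return hostname == san

def triage(hostname, sans, not_before, not_after, chain_complete, now):
    """Return (browser_error, action), checked in the order a browser does."""
    if now < not_before or now > not_after:
        # Expired, or the server/client clock is wrong: check NTP before renewing
        return "NET::ERR_CERT_DATE_INVALID", "renew certificate / check NTP"
    if not any(san_matches(hostname, s) for s in sans):
        return "NET::ERR_CERT_COMMON_NAME_INVALID", "reissue with correct SAN or wildcard"
    if not chain_complete:
        # Leaf installed without the intermediate: serve fullchain.pem instead
        return "NET::ERR_CERT_AUTHORITY_INVALID", "install the intermediate chain"
    days_left = (not_after - now).days
    if days_left < WARN_DAYS:
        return "OK (expiring soon)", f"{days_left} days left: renew now"
    return "OK", f"{days_left} days left"

# Constructed sample: a wildcard cert for *.domain.com, evaluated on a fixed date
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = {  # name: (not_before, not_after, chain_complete)
    "expired": (NOW - timedelta(days=90), NOW - timedelta(days=1), True),
    "wrong_clock": (NOW + timedelta(days=1), NOW + timedelta(days=90), True),
    "healthy": (NOW - timedelta(days=10), NOW + timedelta(days=80), True),
    "expiring": (NOW - timedelta(days=80), NOW + timedelta(days=10), True),
    "no_chain": (NOW - timedelta(days=10), NOW + timedelta(days=80), False),
}

def run_sample(hostname="www.domain.com", sans=("*.domain.com",)):
    """Triage every constructed case; returns {case: browser_error}."""
    return {name: triage(hostname, sans, nb, na, chain, NOW)[0]
            for name, (nb, na, chain) in SAMPLE.items()}
```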
Step 1 — Check real status (10’)
Open https:// and http:// from another network (4G/another ISP) and bypass the cache (Ctrl/Cmd + Shift + R).
Check SSL with a tool such as SSL Labs or Why No Padlock (certificate chain, expiry date, intermediate).
Check WHOIS for the domain (expiration date), DNS (NS/A/CAA) and CDN/WAF (Cloudflare/…).
Step 2 — Decide recovery path (15’)
SSL managed by the host (cPanel/Plesk/managed hosting) → log in to the panel and re-issue via AutoSSL/Let’s Encrypt.
Cloudflare → turn on “Full (strict)”, create an Origin Certificate and install it on the server, or re-issue Let’s Encrypt at the origin.
Step 3 — Renew/reissue certificate (20–30’)
Let’s Encrypt (HTTP-01):
Open ports 80/443; turn off bot blocking if a WAF/captcha is in front.
Run certbot renew --force-renewal, or certbot certonly --nginx / --webroot.
Let’s Encrypt (DNS-01) (if ports 80/443 are blocked, or for a wildcard):
Create the TXT record as instructed by the ACME client → issue the wildcard cert for *.domain.com.
Commercial CA:
Create a new CSR (2048/3072-bit), complete validation (DNS/Email/HTTP), then install the cert plus the intermediate chain.
Update the vHost (Nginx/Apache) to point at the correct fullchain.pem + privkey.pem.
Reload Nginx/Apache: nginx -t && systemctl reload nginx, or apachectl configtest && systemctl reload httpd.
Note on HSTS: if HSTS has ever been enabled, the browser will not allow HTTP access while SSL is failing. So do not disable HSTS; renew the certificate with the correct chain as quickly as possible.
Step 4 — Test & reload service (10’)
Check the padlock and aim for grade A at SSL Labs.
Fix mixed content (image/js/css URLs still on http://):
Set a site-wide 301 redirect HTTP→HTTPS.
Find & replace in code/DB (WordPress: use wp search-replace).
Use protocol-relative or absolute https:// URLs.
Step 5 — Domain about to expire/expired (10–20’)
If the domain is about to expire or has expired: log in to the registrar → renew for 1–3 years.
Also renew WHOIS privacy/DNS hosting if they are with separate providers.
Check that the nameservers and A/AAAA records have not changed; propagation takes from a few minutes up to 24h.
Step 6 — Smoke test & log (10’)
Test: home page, cart/checkout, login, payment webhook, transactional email.
Log the fix time and root cause → update the SOP.
P1 Playbook (shortened version of Steps 1–6 so that P1 night/weekend staff can act immediately):
Real check: HTTPS, chain, browser error, WHOIS.
Re-issue/renew SSL (Let’s Encrypt/CA/Cloudflare Origin).
SSL + expiry warning.
Cloudflare (Origin TLS):
SSL/TLS → Full (strict).
Origin Certificates → Create → install cert + key on the web server.
Page Rules/Redirect Rules: HTTP→HTTPS (301).
Maintenance & response options:
Start a website maintenance & response package with P1 on call 24/7, a clear SLA and automatic expiry/uptime monitoring: Web Maintenance Services – Tan Phat Digital.
Follow the monthly maintenance process (check SSL/domain, backup, CWV, security) to prevent recurring problems.
3) Preventive SOP (to prevent recurrence)
3.1 Cycle & automation
Auto-renew domain: enable auto-renew + 2 backup payment methods; reminders at T-30/T-7/T-1.
Auto-renew SSL:
Let’s Encrypt (60–90 days); cron: run certbot renew at 2 am; send an alert when only a few days remain.
Commercial CA: schedule a T-30 reminder to owners/billing.
CAA record: specify the permitted CA (e.g. 0 issue "letsencrypt.org") to prevent unauthorized issuance.
Required 301 redirects: HTTP→HTTPS, and non-www↔www unified to one host.
Clean chain: always install the intermediate from the CA; check after each renewal.
3.2 Infrastructure that “doesn’t break”
HSTS:
Turn on only after the site is 100% stable on SSL (no mixed content left).
Start with a low max-age (1–7 days), then increase gradually to 6–12 months; consider preload when ready.
Clock: keep the server synchronized with NTP (a wrong clock also produces SSL “expired” errors).
3.3 Operations & responsibilities
Monitoring:
Uptime + SSL expiry (PagerDuty/UptimeRobot): warn when fewer than 14 days remain.
Transaction pings (checkout/login) every 5–10 minutes.
Asset book: domain, DNS, CDN, hosting, SSL, expiration dates, support contacts.
Separation of duties: separate Owner/Billing/Tech roles; 2FA is mandatory for administrators.
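The mixed-content fix from Step 4 (find http:// sub-resources, then search-and-replace the ones on your own hosts), as an added Python example that is not the article's code: it reports every sub-resource still loaded over http://, rewrites the ones on hosts you control to https:// (the same effect wp search-replace has on the database), and leaves third-party URLs for manual review. The HTML, the hosts domain.com/www.domain.com and cdn.example are constructed.

```python
# Added example, not the article's code: find sub-resources still loaded over
# http:// and rewrite those on your own hosts to https://. Third-party http://
# URLs are reported but left alone, since only their owner can confirm https works.
import re
from html.parser import HTMLParser

# Attributes that load sub-resources; <a href> is navigation, not mixed content
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "source": "src", "video": "src", "audio": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))

def find_mixed_content(html: str):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings

def rewrite_own_hosts(html: str, own_hosts):
    """Rewrite http://<own host>... to https:// for the hosts you control."""
    hosts = "|".join(re.escape(h) for h in own_hosts)
    pattern = re.compile(r"http://(" + hosts + r")(?=[/\"'\s>]|$)", re.IGNORECASE)
    return pattern.sub(lambda m: "https://" + m.group(1), html)

# Constructed page: own-host stylesheet and image, third-party script, plain link
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://domain.com/style.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="http://www.domain.com/logo.png">
<a href="http://domain.com/shop">shop</a>
</body></html>"""

def remaining_after_fix(html=SAMPLE_HTML, own_hosts=("domain.com", "www.domain.com")):
    """Rewrite own hosts, then return what still needs a manual fix."""
    return find_mixed_content(rewrite_own_hosts(html, own_hosts))
```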
4) Quick Questions (FAQ)
Does expired SSL cause SEO problems?
Possibly. Search bots can still crawl, but users leave, so CTR, dwell time and conversions fall; over time that hurts quality signals.
I use Cloudflare; do I still need SSL on the origin?
Yes. Use Full (strict): enable SSL at Cloudflare and install an Origin Certificate or Let’s Encrypt at the origin. Avoid “Flexible”, which easily causes mixed content or redirect loops.
Should HSTS be turned off when encountering problems?
No. If the browser has memorized HSTS, turning it off won't work immediately. The correct way is to renew/reapply the certificate.
Wildcard or not wildcard?
If there are multiple subdomains, choose wildcard (DNS-01). If just www + root, single cert is enough.
5) Checklist “wallpaper” for operations team
P1 — Restore immediately
7) Add/adjust CAA; confirm clock/NTP.
8) Turn on HSTS safely (small max-age), then increase gradually once stable.
P3 — During the week
9) Add transaction monitoring & pings.
10) Update the asset book + reminder schedule; quarterly P1 drills.
6) Quick Deployment Suggestions (WordPress/Cloud)
WordPress + Nginx
# Check certificate expiry dates
sudo certbot certificates
# Urgent renewal
sudo certbot renew --force-renewal
# Or issue a new certificate for the Nginx server block
sudo certbot --nginx -d domain.com -d www.domain.com
# Check config & reload
sudo nginx -t && sudo systemctl reload nginx
7) When you need a “fire brigade”
If the site is the business’s lifeline (orders/bookings), every hour of “Not secure” means lost revenue and lost trust. In that case use the maintenance & response options above: a website maintenance & response package with P1 on call 24/7, a clear SLA and automatic expiry/uptime monitoring, plus the monthly maintenance process.