How an expired SSL certificate pulled your store from Google in 48 hours

An office supply store in Porto lost 78% of its organic traffic between Wednesday and Friday. Nobody had touched the site in weeks. The problem fit on a single log line: the SSL certificate had expired at 03:14 on Wednesday.

When Googlebot came back to the site that morning, it hit ERR_CERT_DATE_INVALID. It indexed nothing. Worse, it flagged the domain as unsafe for users clicking through cached results. Within 48 hours, Chrome was showing the red warning screen before the homepage.

Why Google reacts so badly

HTTPS has been a ranking signal since 2014. Chrome has marked HTTP as "not secure" since 2018. An expired certificate is worse than HTTP — it's broken HTTPS. The browser reads that as an impersonation attempt, even when it's just acme.sh that failed to renew.

Googlebot treats a failed TLS handshake as a crawl error. It retries, fails, retries, fails. After a few hours it starts deindexing. Pages don't drop from the index immediately, but they lose ranking because the trust signal fell to zero.

What actually happened

1. 03:14 Wednesday — the Let's Encrypt certificate expires. The renewal cron had failed three times in the previous 30 days. Nobody saw the email.
2. 08:00 Wednesday — the first mobile users see the red warning. Bounce rate spikes.
3. 11:30 Wednesday — Googlebot crawls, fails the handshake, logs soft 404s at scale.
4. Thursday morning — Search Console sends a "coverage" alert. Nobody opens Search Console.
5. Friday 09:00 — sales are flat. The client calls the developer. The developer finds the problem in four minutes.

The renewal itself took 90 seconds. Recovering the ranking took 23 days. During that window the competitor took the top positions for the main keywords and never fully gave them back.

Why the cron failed

The server had changed IPs in January. DNS pointed correctly, but the Let's Encrypt HTTP-01 challenge hit a new firewall that blocked requests coming from the ISRG range. Each renewal attempt wrote an error to a log nobody read.

This is the pattern. Certificates don't expire because renewal is hard. They expire because the automated renewal fails silently and nobody has alerts pointed at the right logs.

What you need to do today

• Monitor the certificate externally, not the cron. Use a service like UptimeRobot or StatusCake configured to alert 14 days before expiration.
• Send alerts to Telegram or SMS, not email. The Let's Encrypt warning emails land in an inbox nobody checks.
• Open Search Console every week. If Googlebot is failing, it's written right there.
• Test the renewal manually once a quarter. If the cron works in production but not in staging, you have configuration drift.
• Document the emergency renewal procedure. When the site goes down at 6 PM on a Friday, you don't want to be learning acme.sh.

An expired certificate is the cheapest way to lose six months of SEO. Costs zero euros to prevent and three salaries to recover.— Internal post-incident review, Porto client

The real cost

The store booked 31,000 euros less that month against its quarterly average. The developer who set up the server charged 180 euros to fix it. Prevention would have cost nothing — one extra health check cron and a Telegram webhook.

If you sell online and don't yet have independent monitoring watching your own server's certificate, you're one failed renewal away from losing the quarter. This isn't alarmism. It's arithmetic.

The rule is simple. Don't trust the cron that renews. Trust the external monitor that verifies the cron renewed.