An office equipment shop in Porto lost 78% of its organic traffic between Wednesday and Friday. Nobody had touched the site for weeks. The problem fit in a single log line: the SSL certificate had expired at 03:14 on Wednesday.
When Googlebot came back round that morning, it hit ERR_CERT_DATE_INVALID. It indexed nothing. Worse, it flagged the domain as unsafe for users clicking through results still held in cache. Within 48 hours, Chrome was showing the red warning screen before the homepage.
Why Google reacts so badly
HTTPS has been a ranking signal since 2014. Chrome has marked HTTP as "not secure" since 2018. An expired certificate is worse than HTTP — it is broken HTTPS. The browser reads that as an impersonation attempt, even if it is just acme.sh that failed to renew.
Googlebot treats a failed TLS handshake as a crawl error. It tries again, fails, tries again, fails. After a few hours it starts deindexing. Pages do not vanish from the index straight away, but they lose ranking because the trust signal has dropped to zero.
What actually happened
- 03:14 Wednesday — the Let's Encrypt certificate expires. The renewal cron had failed three times in the previous 30 days. Nobody saw the email.
- 08:00 Wednesday — the first mobile users see the red warning. Bounce rate spikes.
- 11:30 Wednesday — Googlebot passes through, fails the handshake, logs mass soft 404s.
- Thursday morning — Search Console fires a "coverage" alert. Nobody opens Search Console.
- Friday 09:00 — sales flatline. The client calls the developer. The developer spots the problem in four minutes.
The renewal itself took 90 seconds. Recovering the ranking took 23 days. During that window the competitor took the top spots on the main keywords and never fully let go of them.
Why the cron failed
The server had changed IP in January. DNS pointed correctly, but the Let's Encrypt HTTP-01 challenge was hitting a new firewall that blocked requests from the ISRG range. Each renewal attempt logged an error to a file nobody was reading.
This is the pattern. The certificate does not expire because renewal is hard. It expires because automatic renewal fails silently and nobody has alarms pointing at the right logs.
What you need to do today
- Monitor the certificate externally, not the cron. Use a service like UptimeRobot or StatusCake set to alert 14 days before expiry.
- Alerts go to Telegram or SMS, not email. The Let's Encrypt warning emails land in an inbox nobody checks.
- Open Search Console every week. If Googlebot is failing, it says so right there.
- Test the renewal manually once a quarter. If the cron works in production but not in staging, you have configuration drift.
- Document the emergency renewal procedure. When the site goes down on Friday at 6pm, you do not want to be learning acme.sh on the fly.
An expired certificate is the cheapest way to lose six months of SEO. It costs zero euros to prevent and three salaries to recover.— Internal post-incident audit, Porto client
The real cost
The shop took in 31 thousand euros less that month against the quarterly average. The developer who set up the server charged 180 euros to fix it. The cost of prevention had been zero — one extra health-check cron job and a webhook to Telegram.
If you sell online in Portugal and you still have no independent monitoring watching your own server's certificate, you are one failed renewal away from losing the quarter. This is not alarmism. It is arithmetic.
The rule is simple. Do not trust the cron that renews. Trust the external monitor that checks the cron actually renewed.