TLS-EXPPKI / Security

TLS Certificate Expiry — Service Unavailable

An expired TLS certificate causes browsers and API clients to reject connections with a certificate validation error, rendering the affected endpoint completely unreachable.

Root Cause & Remediation

Typical causes are failed certificate renewal automation (ACME / Let's Encrypt / internal CA), missing renewal alerts, or a manually managed certificate that was not rotated before expiry. Certificate pinning in mobile clients can extend the outage beyond the renewal itself.

Remediation steps

  1. Issue an emergency certificate via your CA or Let's Encrypt certbot --force-renewal.
  2. Deploy the new certificate to all load balancers, CDN edges, and API gateways.
  3. Flush CDN and application-layer TLS session caches.
  4. Verify renewal automation (certbot timer, cert-manager CronJob) is healthy and alerting.
  5. Audit all certificates expiring in the next 30 days using your certificate inventory tool.
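
The 30-day audit in step 5, as an added example (not part of the original page or of any vendor tooling): it reads an inventory of endpoint / notAfter lines and buckets each certificate as expired, expiring within the window, or OK, most urgent first. The inventory line format, the hostnames and the fixed reference time are assumptions constructed for illustration; the date format is the one `openssl x509 -noout -enddate` prints.

```python
import ssl
from datetime import datetime, timezone

WINDOW_DAYS = 30  # audit window from remediation step 5

# Constructed sample inventory (hypothetical hosts). Each line is
# "<endpoint> notAfter=<date>", the date as `openssl x509 -noout -enddate` prints it.
SAMPLE_INVENTORY = """\
api.example.test:443 notAfter=Mar  1 12:00:00 2025 GMT
login.example.test:443 notAfter=Mar 20 00:00:00 2025 GMT
cdn.example.test:443 notAfter=Sep 30 23:59:59 2025 GMT
mtls-internal.example.test:8443 notAfter=Mar 10 08:00:00 2025 GMT
"""
# Constructed reference time so the sample gives the same result on every run.
SAMPLE_NOW = datetime(2025, 3, 5, 12, 0, 0, tzinfo=timezone.utc)


def audit(inventory_text, now, window_days=WINDOW_DAYS):
    """Return (status, days_left, endpoint) tuples, most urgent first."""
    rows = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, sep, not_after = line.partition(" notAfter=")
        try:
            if not sep:
                raise ValueError("missing notAfter field")
            expires = ssl.cert_time_to_seconds(not_after)
        except ValueError:
            # An entry that cannot be checked is a finding, not something to skip.
            rows.append(("UNPARSEABLE", None, endpoint))
            continue
        seconds_left = expires - now.timestamp()
        days_left = int(seconds_left // 86400)  # whole days; negative once expired
        if seconds_left <= 0:
            status = "EXPIRED"
        elif seconds_left <= window_days * 86400:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((status, days_left, endpoint))
    # Unparseable entries first, then ascending days left (expired before expiring).
    return sorted(rows, key=lambda r: (r[1] is not None, r[1] or 0))


if __name__ == "__main__":
    for status, days_left, endpoint in audit(SAMPLE_INVENTORY, datetime.now(timezone.utc)):
        print(f"{status:<12}{str(days_left):>6}  {endpoint}")
```

Entries reported as UNPARSEABLE sort to the top so that a certificate whose expiry cannot be read is investigated rather than silently dropped from the audit.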

DORA Risk Matrix

  • Typical classification: MAJOR INCIDENT
  • Likelihood: High
  • Blast radius: 100% of external clients are blocked; internal service-to-service calls using mutual TLS also fail.
  • CIF impact: Login, API access, and any browser-facing CIF become immediately unavailable.
  • Analyst notes: Certificate expiry is entirely preventable and regulators view it as a governance failure. Outages are typically short if on-call response is fast, but the total client impact often exceeds the 10% threshold instantly.

Security Context

  • Reputational Impact: Relevant media coverage, significant volume of client complaints, or proactive contact from a competent authority.
