An expired or self-signed SSL certificate triggers browser security warnings that block every user from accessing the site, destroying conversions and search engine trust simultaneously. CWE-295 and OWASP A02 both flag unvalidated certificates as a critical attack surface: a lapsed cert is trivially exploitable by any network-path attacker via downgrade or MITM. Most vibe-coded projects rely on hosting platforms for automatic provisioning, but custom server deployments or certbot misconfigurations can silently fail to renew, leaving the site offline on a Sunday at 3am.
Critical because a lapsed certificate takes the entire site offline for all users and opens every in-flight session to network interception under CWE-295.
Verify SSL validity and expiry before launch, then confirm automatic renewal is in place.
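# Check certificate expiry (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates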
For managed platforms (Vercel, Netlify, Fly.io, Railway, Render, Cloudflare), SSL is auto-provisioned and renewed — no action required beyond deploying with a configured domain. For self-managed servers, install Certbot with a daily renewal cron: certbot renew --quiet. For container deployments, use Caddy as a reverse proxy — it handles certificate lifecycle automatically.
ID: pre-launch.infrastructure.ssl-valid
Severity: critical
What to look for: Enumerate all SSL/TLS configuration signals. Count certificate references in deployment config and verify the certificate covers the production domain. Check whether the project is deployed on a platform that provides automatic SSL certificate provisioning and renewal (Vercel, Netlify, Cloudflare, Fly.io, Railway, Render all do this automatically). Check deployment configs for any manual SSL certificate configuration or certificate file references. Check for certificate expiry handling in any custom server configurations.
Pass criteria: The project deploys on a platform with automatic SSL provisioning, OR there is explicit certificate management configuration in the deployment setup with renewal automation. SSL certificate must be valid for at least 30 days before expiry.
Fail criteria: The project uses a custom server or self-managed hosting with no evidence of SSL certificate automation. Certificate files referenced in config with no renewal mechanism.
Skip (N/A) when: Never — all public-facing web projects require SSL.
Cross-reference: For DNS configuration, see dns-configured. For HTTPS enforcement, see the Security Headers audit.
Detail on fail: "No automatic SSL provisioning detected — custom server configuration references certificate files without renewal automation"
Remediation: An expired SSL certificate takes your site offline for all users and destroys search engine trust. Use a platform that handles this automatically:
# Verify SSL validity (run from terminal; </dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates
certbot renew --quiet runs daily.
After setup, test your SSL configuration at https://www.ssllabs.com/ssltest/ to verify the certificate is valid and the configuration is sound.
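The 30-day pass criterion can be checked mechanically from the `notBefore=`/`notAfter=` lines that the openssl command prints. The following is an added example, not part of the original audit rule; the function names and the sample dates are constructed for illustration.

```python
import ssl
import sys
from datetime import datetime, timezone

MIN_DAYS = 30  # threshold taken from the pass criteria

# Constructed sample of `openssl x509 -noout -dates` output (not a real certificate).
SAMPLE = "notBefore=Mar  3 00:00:00 2025 GMT\nnotAfter=Jun  1 00:00:00 2025 GMT\n"


def parse_dates(text):
    """Return {'notBefore': dt, 'notAfter': dt} (UTC) for the lines that parse."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            try:
                ts = ssl.cert_time_to_seconds(value)
            except ValueError:
                continue  # malformed date: treated as missing, so the check fails
            dates[key] = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dates


def evaluate(text, now=None):
    """Return (ok, detail); ok is True only with at least MIN_DAYS of validity left."""
    now = now or datetime.now(timezone.utc)
    dates = parse_dates(text)
    if len(dates) != 2:
        # 2>/dev/null hides connection and handshake errors, so empty output
        # means "unknown", which must fail rather than pass.
        return False, "no certificate dates found"
    if now < dates["notBefore"]:
        return False, "certificate is not yet valid"
    if now >= dates["notAfter"]:
        return False, f"expired {(now - dates['notAfter']).days} day(s) ago"
    days_left = (dates["notAfter"] - now).days
    if days_left < MIN_DAYS:
        return False, f"only {days_left} day(s) left, below {MIN_DAYS}"
    return True, f"{days_left} day(s) left"


if __name__ == "__main__":
    # Dates only: chain trust and hostname match are not evaluated here.
    ok, detail = evaluate(sys.stdin.read())
    print(("PASS: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Pipe the output of the openssl command above into the script; the non-zero exit status on failure lets it gate a launch checklist or a scheduled renewal check.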
For a deeper analysis of transport security, the Security Headers & Basics Audit covers SSL configuration and HSTS in detail.