I'm reasonably certain that it has been possible to use 'sslcert' measurements even when the certificate is expired. Today, I try to use 'sslcert' with trigger-happy.eu and it fails: "alert": { "description": 40, "level": 2 }, And no certificate in the JSON output (this is measurement #12166428) 40 is the very general "handshake failure" of TLS. <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6> Was there a change in Atlas recently? The TLS server does reply: % gnutls-cli trigger-happy.eu Processed 167 CA certificate(s). Resolving 'trigger-happy.eu:443'... Connecting to '51.254.210.94:443'... - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `CN=trigger-happy.eu', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x0359a66c5eb5da799afe079f87416f8d9641, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-13 10:46:26 UTC', expires `2018-04-13 10:46:26 UTC', key-ID `sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435' Public Key ID: sha1:668c4506a393d9bb633590b68c05d878734d7ffe sha256:8216c7a7f221f3efcf7e7c3eb1760275d6ebf38d153b74992ee7864147b54435 Public key's random art: +--[ RSA 2048]----+ | +. o++ | | o +*.=.. | | .=o* . . . | | * B o | | . = S . | | = . . | | + E | | . . | | | +-----------------+ - Certificate[1] info: - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', key-ID `sha256:60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18' - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. *** handshake has failed: Error in the certificate.