If the ClientSecret has already expired, and the app still fails with the above error after you generate a new ClientSecret and wait 24 hours, the recommendation is to clean out the lingering secrets for that particular ClientId and generate a new ClientSecret. The steps below walk you through that process.
Identify the ClientId whose ClientSecret has expired. You can find the ClientId in Site App Permissions if the app is still installed. If not, you can find it in the web.config of the remote web application. For this walkthrough, say the ClientId is 29b6b386-62a6-45c7-beda-abbaea6eecf2.
Connect to MSOnline as a tenant admin user by running the PowerShell below in the SharePoint 2013 PowerShell:
$msolcred = get-credential
connect-msolservice -credential $msolcred
Get the ServicePrincipals and keys. Printing $keys will give 3 records. If you get a ReturnKeyValues prompt without any output while running this script, press Enter at the PowerShell prompt and the 3 keys will be printed.
The output is the $newClientSecret. Copy it and replace the old ClientSecret with this one. Make sure the ClientId there is the same one we have been using throughout. Note that the SecondaryClientSecret app setting is not needed here.
Try browsing to the app and see if it works. We have seen varied results: most of the time it works; if not, wait 24 hours for the ClientSecret to propagate to SPO.
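The steps above as one script, added here as an example and not the original post's own script. It uses the MSOnline cmdlets with the ClientId from this page; the filter on EndDate for expired keys and the one-year validity of the new secret are assumptions.

```powershell
# Added example; assumes the MSOnline module is installed and a tenant admin signs in.
$clientId = '29b6b386-62a6-45c7-beda-abbaea6eecf2'   # ClientId used on this page

Connect-MsolService -Credential (Get-Credential)

# Resolve the app's service principal and list its keys.
# -ReturnKeyValues $false lists metadata only, so no secret values reach the console.
$principal = Get-MsolServicePrincipal -AppPrincipalId $clientId
$keys = Get-MsolServicePrincipalCredential -ObjectId $principal.ObjectId -ReturnKeyValues $false
$keys | Format-Table KeyId, Type, Usage, StartDate, EndDate -AutoSize

# Remove only the keys whose EndDate has already passed (assumed clean-up rule).
$expiredIds = @($keys | Where-Object { $_.EndDate -lt (Get-Date) } |
    ForEach-Object { $_.KeyId })
if ($expiredIds.Count -gt 0) {
    Remove-MsolServicePrincipalCredential -ObjectId $principal.ObjectId -KeyIds $expiredIds
}

# Generate a 32-byte random secret with the system CSPRNG.
$bytes = New-Object Byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

# Register the same value as the three credentials the app principal uses.
$start = [System.DateTime]::Now
$end = $start.AddYears(1)   # assumption: one-year validity
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric `
    -Usage Sign -Value $newClientSecret -StartDate $start -EndDate $end
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric `
    -Usage Verify -Value $newClientSecret -StartDate $start -EndDate $end
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password `
    -Usage Verify -Value $newClientSecret -StartDate $start -EndDate $end

# Confirm the 3 new keys exist, then print the secret to copy into web.config.
Get-MsolServicePrincipalCredential -ObjectId $principal.ObjectId -ReturnKeyValues $false |
    Format-Table KeyId, Type, Usage, EndDate -AutoSize
$newClientSecret
```

The last line prints the secret in clear text, so run this in a session that is not being transcribed or logged, and note the EndDate so the next rotation happens before expiry.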