Cert expired only on MacOS and iOS devices and browsers

My domain is: muslimathleticassociation.org and muslimathleticassociation.org:3001

I ran this command: sudo certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: muslimathleticassociation.org
2: www.muslimathleticassociation.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/muslimathleticassociation.org-0001.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/muslimathleticassociation.org.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/muslimathleticassociation.org.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/muslimathleticassociation.org.conf
Failed redirect for www.muslimathleticassociation.org
Unable to set enhancement redirect for www.muslimathleticassociation.org
Problem in /etc/nginx/conf.d/muslimathleticassociation.org.conf:
 tried to insert directive "[['if', '($host', '=', 'www.muslimathleticassociation.org)'], [['return', '301', 'https://$host$request_uri']]]"
 but found conflicting "[['if', '($host', '=', 'www.muslimathleticassociation.org)'], [['return', '301', 'https://muslimathleticassociation.org$request_uri']]]".

IMPORTANT NOTES:
- We were unable to set up enhancement redirect for your server,
however, we successfully installed your certificate.
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/muslimathleticassociation.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/muslimathleticassociation.org-0001/privkey.pem
Your cert will expire on 2022-01-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"  

My web server is (include version): Nginx and node

The operating system my web server runs on is (include version): Ubuntu 18.04.04 LTS bionic

My hosting provider, if applicable, is:amazon lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

For some reason, my registration form at Basketball Registration - MAA is not working because the certificate is deemed invalid. I keep receiving NET::ERR_CERT_DATE_INVALID whenever I hit my API endpoint at port 3001. I have refreshed the node server that is running my API and I've reloaded nginx after renewing the certificate. I'm really stumped as to why this issue happens on mac and ios devices but not on windows chrome (or as far as I know, linux).

Hi @osamaramihafez and welcome to the LE community forum :slight_smile:

The nginx web server on port 443 is working well and is using the default trusted path chain:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = muslimathleticassociation.org
verify return:1
CONNECTED(00000005)
---
DONE
Certificate chain
 0 s:CN = muslimathleticassociation.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

The Express web server on port 3001 is not serving any chain at all:

depth=0 CN = muslimathleticassociation.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = muslimathleticassociation.org
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = muslimathleticassociation.org
   i:C = US, O = Let's Encrypt, CN = R3
---
2 Likes