HSTS and expired certificate gotcha

Help
3

OK, thanks. The domain is thirskandmalton.greenparty.org.uk.

I've had no end of a struggle to persuade a browser to serve the non-SSL site. Browsers seem determined to switch to SSL and to refuse to forget about SSL. But I think I got there in the end.

The certificate renewal is being handled using dehydrated and DNS challenge. The output from the attempted renewal is:

./dehydrated --cron --force

INFO: Using main config file /root/certhelper/config

Processing thirskandmalton.greenparty.org.uk with alternative names: *.thirskandmalton.greenparty.org.uk

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Dec 6 02:37:21 2020 GMT (Less than 30 days). Renewing!
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 2 authorizations URLs from the CA
  • Handling authorization for thirskandmalton.greenparty.org.uk
  • Handling authorization for thirskandmalton.greenparty.org.uk
  • 2 pending challenge(s)
  • Deploying challenge tokens...
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
ERROR: deploy_challenge hook returned with non-zero exit code