I run Certbot and NGINX on Docker and I have a problem with the certificate after renewal.
My Android app is running with certificate (A), which will expire in 10 days. Certbot auto-renewed the certificate and got the new one (B), then I updated my app with the new one (submitted to the store). While my app is waiting for store review, unfortunately, the older version of my app cannot connect to the server with the old certificate (A), which has not expired yet. I cannot revert to the old certificate (A) on the server because the reviewer will reject my app for not being able to connect to the server with certificate (B).
P.S.: I tried replacing the certificate with a very old one (C), which was expired, and the result confused me: the app can connect to the server with certificate (C). I do not have much experience in this field.
Hi @neonguyen, and welcome to the LE community forum.
Can you show the exact error message?
Have you checked the time/clock on your client?
[if the time is behind the issued time of the certificate, then it should be considered "not yet valid" (and fail)]
Currently, NGINX is pointing to certificate A. The old app works fine, but it will expire in 4 days. Then my Android app needs to be updated to certificate B. The Google reviewer will reject the app because NGINX is pointing to certificate A. Then I have to change the NGINX config to certificate B (in the /etc/letsencrypt/live folder) for Google review. At that time, the old app cannot run with certificate A because NGINX is pointing to certificate B (B is renewed from A).
This is my problem now. I need to update the app with certificate B, but the old app still needs to run with certificate A until the app is approved by the Google reviewer.
I see you are now using the newer cert on your site.
I think you are not using certs the right way. The client app just relies on the CA Trusted Root store provided by the Android system. It should not have its own copy of the "leaf" cert used on your server.
Sometimes it is necessary to add a cert to the CA trusted store, but this is unusual. And it is not necessary with Let's Encrypt, as it has been included on Android for a long time.
If you are having comms problems to the server, a forum for app development might help. If you think it is related to the certs, please provide more details.
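
The point made in the reply above, as an added example that is not part of the original thread: a client that compares the served certificate against a bundled copy of the leaf rejects every renewal, while a client that validates against a trusted root accepts both the old and the renewed certificate. It assumes the app bundles a copy of the leaf; the throwaway CA (standing in for the real one), the host name `app.example.test` and all function names are constructed for the demo.

```bash
# Constructed demo: a throwaway root CA stands in for the root in the device trust store.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the demo root CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf for the same host with a fresh key, as a renewal would. $1 = label (A, B)
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 10 -out "$WORK/$1.pem" 2>/dev/null
}

# SHA-256 fingerprint of a leaf certificate. $1 = label
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client style 1: the app ships a copy of the leaf and compares it with what is served.
# $1 = bundled cert label, $2 = served cert label
pinned_leaf_check() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] && echo accept || echo reject
}

# Client style 2: validate the served cert's chain against the trusted root.
# (A real TLS client also checks the host name; only the chain is checked here.)
trust_store_check() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
    && echo accept || echo reject
}

make_ca
issue_leaf A   # certificate in use before renewal
issue_leaf B   # renewed certificate
echo "bundled A, server serves A: $(pinned_leaf_check A A)"
echo "bundled A, server serves B: $(pinned_leaf_check A B)"
echo "trust store, server serves A: $(trust_store_check A)"
echo "trust store, server serves B: $(trust_store_check B)"
```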