Hi,
We have been using certbot for at least 2-3 years already, and every 3 months or however often I do the manual renewal of the certificate.
I do it like this in the cmd line:
certbot -d *.site.com -d site.com --manual --preferred-challenges dns certonly
Then the site owner adds the DNS TXT records and I confirm the command.
So far it has always worked. When I did it last time, it also reported success.
After the command above I also run this command:
service apache2 reload
Then I check the certificate information by clicking the lock icon in desktop Chrome, to verify the new certificate is installed.
When I did it last time, I also saw the new certificate there. But then a very serious problem happened.
When the calendar date passed the point where the old SSL certificate expired, the site stopped working in many browsers.
We discovered it with the site owner like 3 days after.
Note that he is running a popular site with like 500k+ visitors or something, and that this site pays my living, by the way (I am 100% dependent on it).
So a very serious problem happened: SOME browsers had the new certificate, while many or most of them had the OLD certificate, which was no longer valid, and visitor numbers dropped substantially.
When I checked the site in another browser on my desktop, e.g. Safari, there really was the warning that the certificate has expired. Also in Safari on the iPhone and in Chrome on the iPhone.
Also, by the way, it seems it is not possible to check the certificate info in the iPhone browser in advance as in the desktop browsers, so that is quite a problem too.
Anyway, how could this problem have happened, that in my desktop Chrome it was fine and in the majority of browsers there was the old certificate?
This is the first time this problem has happened. Has the certbot code changed somehow in a way that could have caused a problem?
I repeat that for us this is a serious problem. We need it to work flawlessly, as it has so far.
What I did when the site owner told me about the problem was run these commands:
service apache2 reload
service apache2 restart
But I am 100% sure that I ran the reload before and that I saw the new certificate in Chrome before, and as I say, so far there was never a problem with this, and so far I was always using only apache reload.
Also, is there some way to analyze how many visitors / browsers were affected, i.e. were shown the browser warning "this is not a safe site" and had the SSL issues? Via Google Analytics or the Apache log or something?
Thank you
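
A command-line alternative to the lock-icon check described in the post, as an added example that is not part of the original post: it compares the leaf certificate in the file certbot wrote with the certificate served on every address each name resolves to. The function names are this example's own, and the PEM path is passed as an argument (certbot's default location is `/etc/letsencrypt/live/<certificate name>/fullchain.pem`).

```python
import base64, hashlib, re, socket, ssl, sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in fullchain.pem)."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprints(name, port=443, timeout=5):
    """Map each address `name` resolves to -> fingerprint of the cert served there."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # an expired or wrong certificate must still
    ctx.verify_mode = ssl.CERT_NONE   # be retrievable so that it can be compared
    out = {}
    for *_, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            with socket.create_connection((ip, port), timeout=timeout) as sock:
                # SNI is set to the name so Apache picks the matching vhost
                with ctx.wrap_socket(sock, server_hostname=name) as tls:
                    der = tls.getpeercert(binary_form=True)
            out[ip] = hashlib.sha256(der).hexdigest()
        except OSError as exc:        # covers ssl.SSLError and timeouts
            out[ip] = f"error: {exc}"
    return out

def stale_endpoints(expected_fp, served):
    """Keys of `served` whose certificate is not the one on disk."""
    return sorted(k for k, fp in served.items() if fp != expected_fp)

if __name__ == "__main__":
    # usage: check_served.py <fullchain.pem> <name> [<name> ...]
    pem_path, names = sys.argv[1], sys.argv[2:]
    with open(pem_path) as fh:
        expected = leaf_fingerprint(fh.read())
    served = {(n, ip): fp for n in names
              for ip, fp in served_fingerprints(n).items()}
    bad = stale_endpoints(expected, served)
    for name, ip in bad:
        print(f"STALE {name} at {ip}: {served[(name, ip)]}")
    sys.exit(1 if bad else 0)
```

Run it after `service apache2 reload` with the bare domain and at least one real subdomain covered by the wildcard; a non-zero exit status means some address is not serving the certificate that is on disk.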