About 1.5 years ago I inherited a backend service that was originally built by a 3rd-party contractor and I don't fully understand how this aspect of the system works yet, so please bear with me. It's a Node.js + nginx service running on EC2 and Amazon Linux.
The service has been humming along for the past year and a half no problem and certbot has been automatically renewing certificates every month no problem... until now. Something happened during the last renewal that broke certificate pinning in one of our Android apps. After some digging it seems that for some reason the public key (chain.pem) changed, causing the signatures to be different and thus our app can no longer connect to our server.
For the time being, I temporarily updated the Letsencrypt symlinks on the server to point back to the previous certs (since they're still good for another 2 months) until I can figure out what to do. I've been reading up as much as possible about how all this works and have a general understanding, but it's still not clear to me why "all of a sudden" the public key would change during renewal and what the best course of action would be.
Should I try to "fix" the certs somehow so that they use the "old" public key once again? If so, how can I do this?
If this is not possible and we must update the Android app to recognize the new signatures, how would that even work? Wouldn't older versions of the app stop working forever with no way to self-update to the new version if it can't even connect to the server to get the new update? Seems like a chicken-egg/catch-22 scenario.
Just looking for a little guidance as I am way out of my wheelhouse here. Appreciate it, thanks!
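The symptom described above (a renewal that swaps a public key and so invalidates a pinned hash) can be checked on the server before the new certificate is served. The script below is an added example, not part of this post or of certbot; it uses only the Python standard library and assumes the app pins SPKI hashes in the `sha256/` + base64 form that OkHttp's CertificatePinner uses, and the `/etc/letsencrypt/live/<name>/fullchain.pem` path is a placeholder. It walks the certificate's DER to the SubjectPublicKeyInfo, derives the pin for every certificate in a chain file, and reports which pins disappeared or appeared between the old bundle and the renewed one (the `synthetic_cert_pem` helper only builds constructed, unsigned cert-shaped input so the demo runs offline).

```python
import base64, hashlib, re

def der_read(buf, pos):
    """Decode one DER tag+length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert_der(der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    _, pos, _ = der_read(der, 0)                       # Certificate SEQUENCE
    _, pos, _ = der_read(der, pos)                     # tbsCertificate SEQUENCE
    tag, _, end = der_read(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(der, pos)
    tag, _, end = der_read(der, pos)
    if tag != 0x30: raise ValueError("SPKI SEQUENCE not where expected")
    return der[pos:end]

def spki_pin(der):
    """base64(SHA-256(SPKI DER)), prefixed the way OkHttp's CertificatePinner writes it."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_from_cert_der(der)).digest()).decode()

def pins_from_pem(pem_text):
    """One pin per certificate in a PEM bundle (fullchain.pem = leaf first, then chain.pem)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [spki_pin(base64.b64decode("".join(b.split()))) for b in blocks]

def pin_drift(old_pem, new_pem):
    """(pins that vanished, pins that appeared); a pinned app keeps working only if a pin it ships survives."""
    old, new = set(pins_from_pem(old_pem)), set(pins_from_pem(new_pem))
    return sorted(old - new), sorted(new - old)

def der_encode(tag, payload):                          # encode one DER TLV
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def synthetic_cert_pem(spki_der, serial):
    """CONSTRUCTED, unsigned cert-shaped DER so the demo runs offline; on the server feed
    pins_from_pem() the real /etc/letsencrypt/live/<name>/fullchain.pem (placeholder path)."""
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial) + 4 * der_encode(0x30, b"") + spki_der
    cert = der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Running `pin_drift` over the previous and the freshly renewed `fullchain.pem` shows whether the leaf key, an intermediate, or both changed; a renewal that keeps the same key yields an empty drift, which is the property a pinned client depends on.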