Renewing a certificate

If that was done manually, then the renewal for it would also have to be done manually.

If you want to automate it [as you should], then we will have to begin at the beginning.
Like it's a brand new cert [not a renewal].

So...
Can your site be reached via HTTP?
Why did you use DNS-01 authentication previously?

2 Likes

I have ssh to my site with https, yes
I used it because this was the only way I figured out how to get those files created. I was even more of a newbie back then.

I have no idea what the difference is between the certificates that I see in HestiaCP with an expiration of May 1st and the pem files (certbot certificates) that show an expiration 6 days from now.

I asked:

Some ISPs block HTTP but allow HTTPS.

2 Likes

yes, it can be reached via https

I don't care about HTTPS.

Can it be reached via HTTP?

HTTPS = port 443
HTTP = port 80

2 Likes

Oh, I have no idea; there's a redirection to https, so even when I try http:// it automatically redirects to https://. I guess this is why I used the DNS challenge back then. For auto renewal, do I have to have access through http:80?

Can I create a new certificate now using a proper method so the renewal will work as expected? If so, how should it be done? You said that what I did previously was wrong, so what is the correct way?

And btw, I get "certbot is already the newest version (1.12.0-2)." when I run apt -y install certbot

It is the simplest method.

Do you have access to the web server configuration files?

That is the plan.

Try: https://certbot.com/

2 Likes

Simplest but secure?
If I can reach it using ssh or hestiaCP then yes.

ACME challenge requests and replies don't need to be encrypted.
So, yes, they are equally secure.

2 Likes

Try:
sudo nginx -T
or just:
nginx -T

2 Likes

I think mine is Apache and not nginx

curl -Ii stockdiv.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 24 Feb 2023 10:48:01 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://stockdiv.com/
1 Like

OK, ran it and got a configuration file listed

By secure I mean in general, not specifically for this process.

Care to show it?
OR
Should I use my crystal ball?

2 Likes

I'm doing four things at once...
You will have to use full sentences, if you expect me to understand and reply.

2 Likes

It's a very (very) long file. What about telling me what to look for, and I'll paste the relevant part here?

I really don't have time for this.
Look for an HTTP vhost config / server block that covers the FQDN you need to secure.
Look within it for an exception for the challenge request.
If one doesn't exist then add it.
Also, take note of the root path used.
If one isn't used, then add one.
[be sure to use a secure/unique location - make one if needed]
From there, you can test [using --dry-run] using the --nginx plug-in [may require updating certbot - NO, that's NOT the latest version - just the latest APT version for that distro]
If that fails, you can try using certbot and --webroot
For details, search this site or read through the documentation OR ask questions and someone will answer soon enough.

Cheers from Miami :beers:
[6AM time for bed]

2 Likes

I did the DNS challenge again, put in the relevant TXT record, and it works. Thanks for your time; good night/morning.

1 Like

I do have one question though, to whoever will see this.
I now have 2 certificates; I was hoping it would override the old ones.
Certificate Name: stockdiv.com-0001
Serial Number: 490dbe9bc2f1510a15f2dc10825de435e75
Key Type: RSA
Domains: stockdiv.com
Expiry Date: 2023-05-25 09:58:44+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/stockdiv.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stockdiv.com-0001/privkey.pem
Certificate Name: stockdiv.com
Serial Number: 3c645ac85dd15cfb06024618e99100b2c93
Key Type: RSA
Domains: stockdiv.com www.stockdiv.com
Expiry Date: 2023-03-02 14:02:38+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt/live/stockdiv.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stockdiv.com/privkey.pem

Your latest cert only has the one domain name in it. Your previous cert had two names.

That is why Certbot created the -0001 version.

Your nginx server is still using the original cert files and not the -0001 version.

You should re-issue your cert but with both names so it updates your original version. Then, you can delete the -0001 version:

sudo certbot delete --cert-name stockdiv.com-0001
2 Likes
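The two pieces of advice above (find the port-80 server block for the FQDN, check it for an ACME challenge exception and note its root path; then re-issue with both names so the original lineage is updated rather than a -0001 copy) can be checked with a small script. This is an added example, not code from the thread or from the Certbot project. It parses an `nginx -T` dump with awk, assumes the hypothetical web root /var/www/acme, and only builds the certbot command line (it does not run it). The two sample configurations are constructed to resemble the situation in the thread; the `--cert-name` flag is a real Certbot option that targets an existing lineage.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Checks an `nginx -T` dump for
# the port-80 server block covering a FQDN, reports whether it has an exception
# for ACME HTTP-01 challenge requests and which root path would serve them,
# then builds the webroot certbot command. Paths used here are hypothetical.

# check_acme_exception FQDN [CONFIG_FILE]
#   Reads the config from CONFIG_FILE (or stdin) and prints one line per
#   port-80 server block naming FQDN: "ok <root>" or "missing <root|->".
#   Prints "no-http-vhost -" when no port-80 block names the FQDN.
check_acme_exception() {
  awk -v fqdn="$1" '
    # value of a "root ..." directive found on this line, or ""
    function rootval(line,  v) {
      if (match(line, /(^|[ \t{;])root[ \t]+[^; \t]+/)) {
        v = substr(line, RSTART, RLENGTH); sub(/^[ \t{;]?root[ \t]+/, "", v); return v
      }
      return ""
    }
    /^[ \t]*server[ \t]*\{/ { inserver = 1; depth = 0; l80 = 0; named = 0
                              acme = 0; acmeopen = 0; sroot = ""; aroot = "" }
    !inserver { next }
    /\{/ { depth++ }                                   # one block opened per line
    /listen[ \t]+([^ \t;]*:)?80([ \t;]|$)/ { l80 = 1 }  # listen 80 / [::]:80 / 0.0.0.0:80
    $1 == "server_name" { for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n == fqdn) named = 1 } }
    /location[ \t]+.*\/\.well-known\/acme-challenge\// { acme = 1; acmeopen = 1; acmedepth = depth }
    { r = rootval($0)                                  # root inside the exception wins,
      if (r != "") { if (acmeopen) aroot = r; else if (depth == 1 && sroot == "") sroot = r } }
    /\}/ { depth--                                     # otherwise the server-level root
           if (acmeopen && depth < acmedepth) acmeopen = 0
           if (depth == 0) {
             inserver = 0
             if (l80 && named) {
               found = 1
               root = (aroot != "") ? aroot : ((sroot != "") ? sroot : "-")
               print (acme ? "ok " : "missing ") root
             }
           } }
    END { if (!found) print "no-http-vhost -" }
  ' ${2:+"$2"}
}

# Constructed sample: a port-80 vhost that only redirects to HTTPS, matching the
# "301 Moved Permanently ... Location: https://" seen with curl in the thread.
sample_redirect_only() {
  cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name stockdiv.com www.stockdiv.com;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    server_name stockdiv.com www.stockdiv.com;
    root /home/admin/web/stockdiv.com/public_html;
    ssl_certificate /etc/letsencrypt/live/stockdiv.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stockdiv.com/privkey.pem;
}
EOF
}

# Constructed sample: the same vhost with the challenge exception added before
# the catch-all redirect, served from a dedicated (hypothetical) directory.
sample_with_exception() {
  cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name stockdiv.com www.stockdiv.com;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}
EOF
}

# certbot_webroot_cmd WEBROOT CERT_NAME DOMAIN...
#   Builds the webroot invocation. --cert-name targets the existing lineage
#   (stockdiv.com) so the result replaces it instead of a -0001 copy; the
#   domain list must include both names. Drop --dry-run once the test passes.
certbot_webroot_cmd() {
  webroot=$1; name=$2; shift 2
  cmd="certbot certonly --webroot -w $webroot --cert-name $name"
  for d in "$@"; do cmd="$cmd -d $d"; done
  printf '%s --dry-run\n' "$cmd"
}

# Demonstration on the samples. On a real host: sudo nginx -T | check_acme_exception stockdiv.com
echo "redirect-only vhost: $(sample_redirect_only | check_acme_exception stockdiv.com)"
echo "with exception:      $(sample_with_exception | check_acme_exception stockdiv.com)"
certbot_webroot_cmd /var/www/acme stockdiv.com stockdiv.com www.stockdiv.com
```

The directory given to `-w` must be the same one the `root` directive of the exception points at, because certbot writes the token under `<root>/.well-known/acme-challenge/` and the CA fetches it over plain HTTP. Certbot may still ask interactively whether to replace the existing certificate when the names match; the `--dry-run` stays until the staging test succeeds.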