SSL-certificate does not renew

I am running my init-letsencrypt.sh file on the server so it should create a new certificate with the given domain names. But when I check the used cert, it's still the old one.

My domain is: amap.perfotec.com

I ran this command:
#!/bin/bash

if ! [ -x "$(command -v docker)" ]; then
  echo 'Error: docker is not installed.' >&2
  exit 1
fi

domains=(amap.perfotec.com mapsync.perfotec.com hub.perfotec.com clmsv2.perfotec.com)
rsa_key_size=2048
data_path="./data/certbot"
email="j.kempe@ma-it.nl" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker compose -f docker-compose.prod.yml run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1 \
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker compose -f docker-compose.prod.yml up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker compose -f docker-compose.prod.yml run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker compose -f docker-compose.prod.yml run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --key-type rsa \
    --agree-tos \
    -v \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker compose -f docker-compose.prod.yml exec nginx nginx -s reload

It produced this output:
Existing data found for amap.perfotec.com. Continue and replace existing certificate? (y/N) y

Creating dummy certificate for amap.perfotec.com ...


Starting nginx ...

[+] Running 3/3
 ✔ Container clmsv2-db-1 Running 0.0s
 ✔ Container clmsv2-web-1 Running 0.0s
 ✔ Container clmsv2-nginx-1 Started 10.6s

Deleting dummy certificate for amap.perfotec.com ...

Requesting Let's Encrypt certificate for amap.perfotec.com ...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for amap.perfotec.com and 3 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/....
Key is saved at: /etc/letsencrypt/....
This certificate expires on 2024-06-06.
These files will be updated when the certificate renews.

NEXT STEPS:

  • The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See User Guide — Certbot 2.10.0.dev0 documentation for instructions.

If you like Certbot, please consider supporting our work by:


Reloading nginx ...

Please don't use this terrible script:

3 Likes

Thanks for looking at my problem, I can change these things later. But for now I'd like to know why this script is not updating my certificate. On January the 17th, I executed this script after changing the key type to RSA and I received a new script. However, I executed this script an hour ago with a change of the third domain name and the SSL certificate is still the one created on January 17th. I can't find any error in the output.
Can you please help me with that problem?

1 Like

You got 2 certs for amap.perfotec.com domain today. Looks like you solved your problem.

Is there anything else you need help with?

3 Likes

Yes, I ran my script two times. But the cert which is used for my webapp is still the old version.
Any idea why this is not updated?

Where does your webapp look for the cert file? Was that location updated?

Does your webapp need to be restarted?

Are you just talking about nginx or some other web app?

Please give more info such as a URL that is not using the right cert

3 Likes

Where does your webapp look for the cert file? Was that location updated?
In the nginx.conf file, this file is not updated.
I just restarted my webapp and still the old version of the cert is used.
It is a Django app with nginx. amap.perfotec.com is the URL which works but I changed the init-letsencrypt.sh script. I wanted to add the hub.perfotec.com URL to the cert but that URL doesn't work.

Show the full nginx config, with:

nginx -T

2 Likes

Please post the entire output of the command using an uppercase T as was shown

2 Likes

That looks okay, but we need to check your cert file locations in nginx now.

Please show output of
sudo certbot certificates
(omit sudo if you do not need it)

2 Likes

What shows?:
certbot certificates

1 Like

certbot certificates shows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/amap.perfotec.com.conf produced an unexpected error: expected /etc/letsencrypt/live/amap.perfotec.com/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: amap.perfotec.com-0001
Serial Number: 4348dd4f9ca6c8c314665354262894b1dea
Key Type: RSA
Domains: amap.perfotec.com clmsv2.perfotec.com maphub.perfotec.com mapsync.perfotec.com
Expiry Date: 2024-04-16 13:45:32+00:00 (VALID: 36 days)
Certificate Path: /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/amap.perfotec.com-0001/privkey.pem
Certificate Name: amap.perfotec.com-0002
Serial Number: 309773e9589808b9355e8313b602d689ec8
Key Type: RSA
Domains: amap.perfotec.com clmsv2.perfotec.com hub.perfotec.com mapsync.perfotec.com
Expiry Date: 2024-06-06 07:49:24+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/amap.perfotec.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/amap.perfotec.com-0002/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/amap.perfotec.com.conf

You have two certs that are almost identical:

And one renewal config that is invalid:

What shows?:
ls -l /etc/letsencrypt/live/amap.perfotec.com/*

1 Like

No such file or directory on amap.perfotec.com, but I was able to run the following command:

ls -l /etc/letsencrypt/live/amap.perfotec.com-0001/*

-rw-r--r--    1 root     root           692 Dec  7 10:46 /etc/letsencrypt/live/amap.perfotec.com-0001/README
lrwxrwxrwx    1 root     root            46 Jan 17 14:45 /etc/letsencrypt/live/amap.perfotec.com-0001/cert.pem -> ../../archive/amap.perfotec.com-0001/cert6.pem
lrwxrwxrwx    1 root     root            47 Jan 17 14:45 /etc/letsencrypt/live/amap.perfotec.com-0001/chain.pem -> ../../archive/amap.perfotec.com-0001/chain6.pem
lrwxrwxrwx    1 root     root            51 Jan 17 14:45 /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem -> ../../archive/amap.perfotec.com-0001/fullchain6.pem
lrwxrwxrwx    1 root     root            49 Jan 17 14:45 /etc/letsencrypt/live/amap.perfotec.com-0001/privkey.pem -> ../../archive/amap.perfotec.com-0001/privkey6.pem

I did this for the other cert too:

/opt/certbot # ls -l /etc/letsencrypt/live/amap.perfotec.com-0002/*

-rw-r--r--    1 root     root           692 Mar  8 08:42 /etc/letsencrypt/live/amap.perfotec.com-0002/README
lrwxrwxrwx    1 root     root            46 Mar  8 08:49 /etc/letsencrypt/live/amap.perfotec.com-0002/cert.pem -> ../../archive/amap.perfotec.com-0002/cert2.pem
lrwxrwxrwx    1 root     root            47 Mar  8 08:49 /etc/letsencrypt/live/amap.perfotec.com-0002/chain.pem -> ../../archive/amap.perfotec.com-0002/chain2.pem
lrwxrwxrwx    1 root     root            51 Mar  8 08:49 /etc/letsencrypt/live/amap.perfotec.com-0002/fullchain.pem -> ../../archive/amap.perfotec.com-0002/fullchain2.pem
lrwxrwxrwx    1 root     root            49 Mar  8 08:49 /etc/letsencrypt/live/amap.perfotec.com-0002/privkey.pem -> ../../archive/amap.perfotec.com-0002/privkey2.pem

It looks like you got a new cert named with -0002 because it had different names than your -0001 cert. But, your nginx still points to the -0001 cert.

You need to update nginx to point to -0002 and reload nginx.

If you no longer need the -0001 you should delete it with this. Make sure you don't need it though.

sudo certbot delete --cert-name amap.perfotec.com-0001
2 Likes
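The mismatch diagnosed above (nginx pinned to the -0001 lineage while the name added to the cert lives in -0002) can be checked offline before touching the config. This is an added example, not code from the thread or from certbot: it parses a constructed `certbot certificates` dump and a constructed `nginx -T` excerpt modelled on the ones posted, reports which served names the lineage nginx references does not cover, and lists the lineages that do.

```python
import re

# Constructed sample modelled on the `certbot certificates` output in the thread.
CERTBOT_CERTIFICATES = """\
  Certificate Name: amap.perfotec.com-0001
    Domains: amap.perfotec.com clmsv2.perfotec.com maphub.perfotec.com mapsync.perfotec.com
    Certificate Path: /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem
  Certificate Name: amap.perfotec.com-0002
    Domains: amap.perfotec.com clmsv2.perfotec.com hub.perfotec.com mapsync.perfotec.com
    Certificate Path: /etc/letsencrypt/live/amap.perfotec.com-0002/fullchain.pem
"""

# Constructed `nginx -T` excerpt using the directives the poster quoted.
NGINX_CONF = """\
server {
    server_name amap.perfotec.com hub.perfotec.com;
    ssl_certificate /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/amap.perfotec.com-0001/privkey.pem;
}
"""

def parse_lineages(text):
    """Map lineage name -> set of covered domains, from `certbot certificates`."""
    lineages, name = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Domains:") and name:
            lineages[name] = set(line.split(":", 1)[1].split())
    return lineages

def nginx_lineages(conf):
    """Lineage names referenced by ssl_certificate (not _key) directives."""
    paths = re.findall(r"^\s*ssl_certificate\s+(\S+?);", conf, re.M)
    return {p.split("/live/")[1].split("/")[0] for p in paths if "/live/" in p}

def served_names(conf):
    """All names listed in server_name directives of the dumped config."""
    return {n for m in re.findall(r"^\s*server_name\s+([^;]+);", conf, re.M)
            for n in m.split()}

def missing_domains(conf, certs_text):
    """{lineage nginx uses: served names that lineage's cert does not cover}."""
    lineages, names = parse_lineages(certs_text), served_names(conf)
    return {l: sorted(names - lineages.get(l, set())) for l in nginx_lineages(conf)}

def covering_lineages(conf, certs_text):
    """Lineages whose cert covers every served name: what nginx should point at."""
    names = served_names(conf)
    return sorted(l for l, d in parse_lineages(certs_text).items() if names <= d)
```

Run it against real dumps (`certbot certificates > certs.txt; nginx -T > nginx.txt`) and a non-empty `missing_domains` result is exactly the "wrong lineage" condition this thread hit.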

Okay, so I need to change the nginx.conf file manually from this
ssl_certificate /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/amap.perfotec.com-0001/privkey.pem;

to 0002?
And then restart the server.
In that case, is certbot still able to renew the cert?

The script you use is awful and I don't care to learn it. So, I can't say for certain what it will do (or what it has done for that matter)

But, you can test individual Certbot renews like

sudo certbot renew --dry-run --cert-name amap.perfotec.com-0002
2 Likes

Okay I understand, thanks.

And to update nginx, is this the way?
change the nginx.conf file manually from this
ssl_certificate /etc/letsencrypt/live/amap.perfotec.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/amap.perfotec.com-0001/privkey.pem;

to 0002?
And then restart the server.

Or is using this certbot command a better way to solve this problem?
certbot certonly --cert-name amap.perfotec.com -d amap.perfotec.com -d hub.perfotec.com -d mapsync.perfotec.com -d clmsv2.perfotec.com

1 Like

Yes

No, a certonly command only gets a cert. It does not modify the nginx config

2 Likes

Yes, but in that case I can use the old cert, which is updated by this command:
certbot certonly --cert-name amap.perfotec.com -d amap.perfotec.com -d hub.perfotec.com -d mapsync.perfotec.com -d clmsv2.perfotec.com
And nginx is using this updated cert.
Am I right?