Thank you for your quick reply. However, a few things remain unclear to me:
Well, I don’t want to create the next certificate. I just want to renew one which expired yesterday. In other words, I’m running certbot renew, not certbot certonly ...
It is indeed likely that there is something wrong with the configuration, although it seems pretty standard to me: run certbot renew once per day, then call nginx -s reload. I suppose that there was maybe a change in a recent version of certbot (maybe when it moved from ACME-v01 to ACME-v02?), so I have to double-check it. Thank you for your suggestion.
That, I know: the certificate was last renewed on March 30th. Recent updates possibly all failed due to the rate limits, and I ended up with a blocked domain.
The configuration worked well for years. However, I would agree with you if you say that it’s wrong not to monitor the expiration of the certificates, and to blindly trust certbot, without even checking the logs, and waiting until the production monitoring tool tells me that the website is not reachable any longer because the certificate expired. This was absolutely unprofessional of me.
certbot certificates lists only the last ones (the valid one with the wildcard, and the expired one for the site itself). From the backups, it looks like there are nineteen older certificates, but obviously, if the last one is expired, the previous ones expired as well.
So although you explained that there is probably a problem with my configuration, my original suggestion is still valid, I believe. I still would like to know whether I have to wait for the whole week to be able to renew the certificate (in which case it would possibly be a better solution to move to another CA, as 25% downtime for a month is a bit problematic), or not.