The SSL cert that expired on a Sunday

💻 💬

🩺 Summary

Sunday morning. Coffee in hand. Browser says: Your connection is not private. Cert expired 3 hours ago. Let's Encrypt auto-renewal failed because certbot was configured for the wrong domain variant. 15 minutes of panic, one certbot --force-renewal, and a nginx reload later we were back.

📝 Details

Certbot was for ainomam.com (non-www) but nginx served www.ainomam.com. The cert kept renewing for the wrong domain.
Set up weekly certbot renew --dry-run via cron. Add SSL expiry monitoring to daily report.