I am also experiencing this certificate renewal problem. Today I once again had the issue that the certificate was invalid.
That happens if the automatic renewal process fails three times in a row. To me it seems the monthly update by the cron script is always failing, but I can’t figure out why.
A while ago, someone from the Univention staff told me that it might be caused by the time the script / renewal is executed. If the LE-server is very busy at this time, or something else causes a lag in communication, the renewal request runs into a timeout. Unfortunately, the script doesn’t try again to renew the certificate if it fails. It will only run again after one month.
To work around this problem, it was suggested to change the time the cronjob is executed. To do so, you can modify the file /etc/cron.d/univention-letsencrypt
Or much better: directly change the template in /etc/univention/templates/files/etc/cron.d
Otherwise your configuration might be overwritten by an update or a change to the UCR.
If you change “30 3 1 * *” to “44 4 1 * *”, the script will no longer run on the 1st of the month at 3:30 am, but at 4:44 am.
I also copied the line and added execution times for the 2nd and 3rd of the month. I think it shouldn’t matter how often you try to renew the certificates; one successful attempt will be enough, even if it is followed by failed attempts.
In three months I will report whether this workaround is working.
It is a good idea not to change the original Univention template but to make a new cron job with an additional date or time, so that the system diagnostic doesn’t cry.