Comment by remram

There's never a reason to cut it as close as a few days. If you had a sensible plan, you would have enacted it weeks before so as to not get into this situation. Even letsencrypt, with its famously short-lived certificates, is supposed to renew 30 days before expiry.

I have been bitten with this before. I had a good plan, and had actually renewed that one but hadn't reloaded nginx. That's the day I found out that uptimerobot alerts you if your site goes down, but stays willfully silent if it's technically up but using an expired or invalid certificate.