*** TL;DR: Chrome seems to be caching the expired cert, not loading the current one. Firefox does not.
Ok… not so simple. Maybe someone has an idea. The cert was not expired, it’s a normal Let's Encrypt cert (via dehydrated) renewed automatically and symlinked the way it does so an update redoes the link to the new cert.
Yes, I have restarted nginx to pick up the new cert. I have deleted the old certs from the standard dehydrated location ( /var/lib/dehydrated/certs/ ) so the only existing cert is the current, unexpired one.
I have tried pointing the jitsi vhost ssl_certificate directives to the literal (not symlinked) path; that does not help.
I run my jitsi main web interface on a custom port (443 is not used on the server). So, to test the cert another way, I created a new vhost on port 443 and pointed it to the same certs. Works fine!
Something about the jitsi vhost (or other nested config) is causing nginx to serve an old, no longer existing certificate on my jitsi vhost, but it serves correctly on a test vhost. ONLY ON CHROME!
Everything was auto-updating and working fine for years. The cert which shows in Chrome expired in Feb 2021.
Oh! More info - if I load jitsi on Firefox and check the cert, it is the correct cert! Chrome has cached something?
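
A browser-independent check for the question raised in the post above (is the server presenting the old certificate on the custom port, or is the browser showing something cached?), added here as an example and not part of the original post. It compares the SHA-256 fingerprint of the leaf certificate the server actually presents with the leaf in the PEM file on disk; the host, port and file path are supplied on the command line, and the function names are illustrative.

```python
import hashlib
import re
import socket
import ssl
import sys

# Matches one PEM certificate block; a fullchain file holds several, leaf first.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S
)

def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 (hex) of the leaf certificate presented for `host` (sent as SNI)."""
    ctx = ssl.create_default_context()
    # Validation is switched off only so an expired certificate can still be
    # fetched and inspected; nothing sensitive is sent over this connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def compare(host, port, pem_path):
    """Fingerprints of the on-disk leaf and the served leaf, and whether they match."""
    with open(pem_path) as fh:
        on_disk = leaf_fingerprint_from_pem(fh.read())
    served = served_fingerprint(host, port)
    return {"on_disk": on_disk, "served": served, "match": on_disk == served}

if __name__ == "__main__":
    # Usage: python3 check_cert.py <host> <port> <path-to-cert-or-fullchain.pem>
    result = compare(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["match"] else 1)
```

A match means the server is presenting the file on disk and the stale certificate is on the client side; a mismatch means another `ssl_certificate` path or another listener is answering on that port.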