Or possibly not expired, broken. FF refuses to continue with SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, but Chromium shows the certificate as in date, but reports NET::ERR_CERT_INVALID.
Both. I knew that it would expire and it didn't automatically renew (Let's Encrypt's services were wonky and returned an HTTP 500 error it seems), but I forgot about it over personal machine failures.
The error you've seen was me putting an invalid precertificate instead of a regular one in there, because I messed up the renewal script and created new certificates which were promptly overwritten until Let's Encrypt's rate limiting kicked in.
Everything should now be working fine again, and hopefully also automatically renew even in case of intermittent failures.
Mihai