
Propagate acme.sh certificate so Dovecot can read it
Open, High, Public

Description

Dovecot didn't have the new certificate but was still serving an old one, now expired.

Check:
openssl s_client -connect mail.nasqueron.org:993 < /dev/null | openssl x509 -noout -subject -issuer -dates -serial

We solved that directly on the server by doing these steps:

  • Dovecot configuration: update filename from privkey.pem to key.pem (Certbot -> acme.sh change)
  • Common group mail with 3 users: -> D3712 as candidate
    • postfix (already set up)
    • dovecot (to read key.pem)
    • acme (so it can set the file with the right group)
  • Permissions:
    • /var/certificates 700 -> 711 (D3712)
    • /var/certificates/mail.nasqueron.org group wheel -> mail, group chmod 700 -> 750 (D3712)
    • /var/certificates/mail.nasqueron.org/key.pem chmod 600 -> 640 (still to do)

Salt configuration needs to be updated accordingly.
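The permission and configuration steps listed above, as an added shell example that is not code from this task or from the Nasqueron Salt states. It reproduces the 711/750/640 layout and the privkey.pem -> key.pem rename on a scratch tree and verifies the result. Assumptions: paths and the group name are parameters; the demo uses a temporary directory, a constructed placeholder key file and the caller's primary group, because chgrp to "mail" needs root and an existing group; the served-certificate check is a network call and is not part of the offline demo.

```shell
#!/bin/sh
# Added example for this task (not the task's or Nasqueron's own code).
# Assumption: ROOT/DOMAIN/key.pem is the acme.sh-installed key; group and
# paths are parameters so the demo can run unprivileged in a temp dir.

# mode_of FILE -> octal permission bits (GNU stat, falling back to BSD stat)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# group_of FILE -> owning group name
group_of() {
  stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# user_in_group USER GROUP -> 0 if USER is a member of GROUP
# (the task wants postfix, dovecot and acme all in the "mail" group)
user_in_group() {
  id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

# apply_cert_perms ROOT DOMAIN GROUP
#   ROOT                700 -> 711  (traverse only, no listing of other domains)
#   ROOT/DOMAIN         700 -> 750, group GROUP
#   ROOT/DOMAIN/key.pem 600 -> 640, group GROUP (the step marked "still to do")
apply_cert_perms() {
  root=$1; domain=$2; group=$3
  chmod 711 "$root" &&
  chgrp "$group" "$root/$domain" "$root/$domain/key.pem" &&
  chmod 750 "$root/$domain" &&
  chmod 640 "$root/$domain/key.pem"
}

# check_cert_perms ROOT DOMAIN GROUP -> 0 only if every step above is in place
check_cert_perms() {
  root=$1; domain=$2; group=$3
  [ "$(mode_of "$root")" = 711 ] || return 1
  [ "$(mode_of "$root/$domain")" = 750 ] || return 1
  [ "$(group_of "$root/$domain")" = "$group" ] || return 1
  [ "$(mode_of "$root/$domain/key.pem")" = 640 ] || return 1
  [ "$(group_of "$root/$domain/key.pem")" = "$group" ] || return 1
}

# fix_dovecot_key_path CONF: rename the Certbot key file name to the acme.sh one
# in a line such as  ssl_key = </var/certificates/DOMAIN/privkey.pem
fix_dovecot_key_path() {
  sed -i.bak 's#/privkey\.pem[[:space:]]*$#/key.pem#' "$1" && rm -f "$1.bak"
}

# served_cert_serial HOST PORT -> serial of the certificate the daemon presents.
# Compare it with: openssl x509 -noout -serial -in <on-disk certificate file>
# (network call, not exercised by the offline demo below)
served_cert_serial() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -serial
}

# demo: build the "before" state (700/700/600 + privkey.pem), fix it, verify
demo() {
  tmp=$(mktemp -d) || return 1
  root=$tmp/certificates; domain=mail.example.test; group=$(id -gn)
  mkdir -p "$root/$domain"
  printf 'constructed placeholder, not a real key\n' > "$root/$domain/key.pem"
  chmod 700 "$root" "$root/$domain"; chmod 600 "$root/$domain/key.pem"
  printf 'ssl_key = <%s/%s/privkey.pem\n' "$root" "$domain" > "$tmp/10-ssl.conf"

  check_cert_perms "$root" "$domain" "$group" && { echo "unexpected"; return 1; }
  apply_cert_perms "$root" "$domain" "$group" || return 1
  fix_dovecot_key_path "$tmp/10-ssl.conf" || return 1
  check_cert_perms "$root" "$domain" "$group" || return 1
  grep -q '/key\.pem$' "$tmp/10-ssl.conf" || return 1
  rm -rf "$tmp"
  echo "permissions and dovecot key path OK"
}

demo
```

On the real host the same functions would be called with /var/certificates, mail.nasqueron.org and mail as arguments, after which served_cert_serial against port 993 should report the same serial as the on-disk certificate once Dovecot has been reloaded.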