It was the second (automatic) extension.
The course was somewhat like this:
A) first certificate created by LetsEncrypt - no problems
B) new certificate created due to domain changes (add subdomain and another domain) - no problems
C) first (automatic) renewal of the certificate - no problems
D) second (automatic) extension - certificate is accepted in Sogo, Nextcloud and all services, the administration page is rejected as invalid
There is also not the new certificate specified, but the expired.
Think it is the files in the following directory:
These would have to be re-generated as a rule, if the certificate is extended.