nginx + Pihole -> DNS over TLS => Certificate Expired

I have a public Pi-Hole running with nginx as proxy for DNS Over TLS. So far everything has worked great. Unfortunately, my Android smartphone can no longer establish a connection.

Via Wireshark I found out that the connection is aborted because an expired certificate is issued. I have issued a new certificate via Certbot - just to be on the safe side - but a supposedly expired certificate is still issued.

My nginx config:

# stream-module directives (proxy_pass to a plain upstream, preread_timeout,
# ssl_handshake_timeout): this belongs in the stream {} context, not http {}
upstream dns-servers {
    server 127.0.0.1:53;
    server [::]:53;
}

server {
    listen 853 ssl;
    listen [::]:853 ssl;

    # nginx reads these files at startup/reload only, not per connection
    ssl_certificate /etc/letsencrypt/live/sub.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.mydomain.com/privkey.pem; # managed by Certbot

    ssl_dhparam /etc/letsencrypt/dhparam-4096.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_cache shared:DoT:10m;
    ssl_handshake_timeout 10s;
    ssl_session_timeout 4h;
    ssl_session_tickets off;

    # forward the decrypted DNS stream to the local resolver
    proxy_pass dns-servers;
    proxy_connect_timeout 1s;
    preread_timeout 2s;
}

Wireshark:

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Expired)

With Stubby on the Windows system, I can connect without problems.

Yes, port 53 is blocked and not usable from outside ;)

I have also set up a website that is normally accessible via HTTPS and included the same certificate. There Android also says that everything is ok.
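An added diagnostic (not part of the question or of any answer, and not a Pi-hole or nginx tool): the script below connects to a DoT listener, takes the leaf certificate it actually presents, reads notBefore/notAfter straight out of the DER TBSCertificate with the standard library only, and compares the served leaf's SHA-256 with the first certificate in the fullchain.pem on disk. That separates "the file on disk is stale" from "nginx is still holding the old certificate in memory" (nginx loads the PEM files at start/reload, so a renewal is only served after a reload). The hostname, port and path are assumed placeholders; the embedded sample is a constructed DER skeleton, not a real certificate, and only carries the fields the parser walks.

```python
import base64
import hashlib
import socket
import ssl
from datetime import datetime, timezone

def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC datetime (X.509 validity times are expressed in UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ: 50-99 => 19xx, else 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                       # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, end = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, end)
    return _parse_time(t1, nb), _parse_time(t2, na)

def check_cert(der, now=None):
    now = now or datetime.now(timezone.utc)
    nb, na = cert_validity(der)
    return {"not_before": nb, "not_after": na, "expired": now > na,
            "sha256": hashlib.sha256(der).hexdigest()}

def pem_to_der_list(pem_text):
    """Decode every CERTIFICATE block of a PEM bundle (fullchain.pem lists the leaf first)."""
    ders, buf, inside = [], [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside, buf = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line.strip())
    return ders

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def fetch_server_cert(host, port=853, server_name=None):
    """Leaf certificate the listener presents; verification is off because we want the bad cert too."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert(binary_form=True)

def diagnose(host, pem_path, port=853, server_name=None):
    """True when the served leaf is byte-identical to the leaf on disk; prints both validities."""
    with open(pem_path) as fh:
        on_disk = check_cert(pem_to_der_list(fh.read())[0])
    served = check_cert(fetch_server_cert(host, port, server_name))
    for label, c in (("served ", served), ("on disk", on_disk)):
        print("%s: notAfter=%s expired=%s sha256=%s" % (label, c["not_after"], c["expired"], c["sha256"][:16]))
    if served["sha256"] != on_disk["sha256"]:
        print("MISMATCH: the listener serves a different certificate than the file on disk (reload nginx?)")
    return served["sha256"] == on_disk["sha256"]

# --- constructed sample (NOT a real certificate): only the fields the parser walks are present ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert_der(not_before, not_after):
    fmt = "%y%m%d%H%M%SZ"
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                                  # [0] version v3
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
    issuer = _tlv(0x30, b"")                                                    # empty Name
    validity = _tlv(0x30, _tlv(0x17, not_before.strftime(fmt).encode())
                    + _tlv(0x17, not_after.strftime(fmt).encode()))
    return _tlv(0x30, _tlv(0x30, version + serial + sig_alg + issuer + validity))

SAMPLE_NOT_BEFORE = utc(2024, 1, 1)
SAMPLE_NOT_AFTER = utc(2024, 3, 31, 23, 59, 59)
SAMPLE_DER = build_sample_cert_der(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
```

Against a live host call `diagnose("sub.mydomain.com", "/etc/letsencrypt/live/sub.mydomain.com/fullchain.pem")` (placeholders from the question) on the machine that runs nginx; a fingerprint mismatch with a valid file on disk points at the stream listener never having been reloaded after the Certbot renewal, while an expired certificate in both places points at the renewal itself. Note that a TLS client can also hit a cached session that skips the certificate exchange entirely, so run the check from a fresh connection as this script does.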

Source: Stack Overflow, licensed under CC BY-SA 3.0.