First of all do not manage mailcow as normal or sudo user, allways use root
su
umask
0022 # <- Verify it is 0022
Second expiry-dates.sh
most-likely load some variables from mailcow.conf
in first run without sudo you got Permission denied
so what exactly is expiring who knows??
Third, you are using external certificate right? So are you sure you combined your certificates and key and copy them to data/… like this right?
Edit: And again you need to be root (as my First) otherwise your cert and key may not be loaded and used old one (just a guess)