No renew of expired certificate
We have a package that creates a self-signed certificate on first install if it isn't one present.
https://gitlab.nic.cz/turris/os/packages/-/blob/master/net/lighttpd-https-cert
But it should be extended ideally to check whether certificate is still valid and not currupted and if it is, regenerate it.
So this would need moving from uci-default script to proper init script run somewhere before lighttpd gets started.