Yes certs expire (expiration is configurable). Large deployments will run an online CA that has some external means of verifying the identity of a host.
Rotation is straightforward. Add the new cert and reload the process (no restart required). Large deployments automate this process (which is easy with an online CA).
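As an added illustration of the check a deployment would automate around that rotation step (example code, not from the thread or from the Nebula project): this reads the expiry out of a host certificate and decides whether a fresh cert should be dropped in and the process reloaded. It assumes that `nebula-cert print -json -path <cert>` emits a JSON object with `details.notAfter` in RFC 3339 form, and that a running Nebula process picks up the new `pki.cert`/`pki.key` on SIGHUP; both are assumptions, and the sample JSON below is constructed.

```python
import json
import os
import signal
import subprocess
from datetime import datetime, timezone

# Constructed sample, shaped like the output of `nebula-cert print -json` is
# assumed to look (field names are an assumption, not taken from the thread).
SAMPLE_CERT_JSON = """{
  "details": {
    "name": "host-01",
    "ips": ["192.168.100.10/24"],
    "groups": ["web"],
    "isCa": false,
    "notBefore": "2024-01-01T00:00:00Z",
    "notAfter": "2024-12-31T00:00:00Z",
    "issuer": "PLACEHOLDER_CA_FINGERPRINT",
    "publicKey": "PLACEHOLDER_PUBKEY"
  },
  "fingerprint": "PLACEHOLDER_FINGERPRINT",
  "signature": "PLACEHOLDER_SIGNATURE"
}"""


def parse_not_after(cert_json: str) -> datetime:
    """Extract the certificate's expiry as a timezone-aware datetime."""
    details = json.loads(cert_json)["details"]
    raw = details["notAfter"]
    # Go serialises UTC times with a trailing "Z"; fromisoformat wants an offset.
    if raw.endswith("Z"):
        raw = raw[:-1] + "+00:00"
    return datetime.fromisoformat(raw)


def days_remaining(cert_json: str, now: datetime) -> int:
    """Whole days of validity left; negative once the cert has expired."""
    delta = parse_not_after(cert_json) - now
    # Round towards negative infinity so "expired 3 hours ago" reads as -1, not 0.
    return delta.days


def rotation_due(cert_json: str, now: datetime, warn_days: int = 30) -> bool:
    """True when the cert is within warn_days of expiry (or already expired)."""
    return days_remaining(cert_json, now) <= warn_days


def load_cert_json(cert_path: str) -> str:
    """Shell out to nebula-cert for a real cert file (assumed CLI flags)."""
    result = subprocess.run(
        ["nebula-cert", "print", "-json", "-path", cert_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def reload_nebula(pid: int) -> None:
    """Ask the running process to re-read its config and the new cert.
    Assumes Nebula reloads on SIGHUP; no restart, tunnels stay up."""
    os.kill(pid, signal.SIGHUP)


if __name__ == "__main__":
    # Offline demo on the constructed sample: a check like this would run
    # from cron, and only the final two steps touch a live host.
    now = datetime(2024, 12, 1, tzinfo=timezone.utc)
    print("days remaining:", days_remaining(SAMPLE_CERT_JSON, now))
    if rotation_due(SAMPLE_CERT_JSON, now):
        print("rotation due: request a new cert from the CA, install it,")
        print("then reload_nebula(<pid>) so the process picks it up")
```

The threshold is the operational knob: set `warn_days` comfortably larger than the time it takes your CA workflow to issue and distribute a replacement, so a host never reaches its `notAfter` with the old cert still loaded.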
https://barim.us/post/2022-07-13-experimenter-nebula-mesh-pa...
Submitted 30 days ago: https://news.ycombinator.com/item?id=33123953 (sadly, no discussion)
This is a nice write-up covering getting going with Nebula in real life!
There was a mega discussion of Slack's Nebula 3 years ago after it was initially open sourced:
https://news.ycombinator.com/item?id=21575614 (213 points, 66 comments)
WireGuard was discussed in the context of Nebula:
https://news.ycombinator.com/item?id=21577344
My takeaway then and now remains the same; I'm not clear on which circumstances Nebula would be preferable to WireGuard.
All the SSL certificate management with Nebula seems like a potential operational pain in the neck.