Cert Renewal Not Working Anymore

I used to run this command to renew my cert:

root@revproxy-2017:~# letsencrypt certonly --renew --email system.admin@mydomain.tld -a manual -d service.mydomain.tld --agree-tos --manual-public-ip-logging-ok

This works for a long time, now it triggers the following error:
certbot: error: ambiguous option: --renew could match --renew-by-default, --renew-with-new-domains, --renew-hook

What am I doing wrong?
Thanks for you help.

Hi @steffi

perhaps your certbot is too old, if you use letsencrypt. So update your Certbot.

There is a standard template from #help


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version gives me certbot 0.23.0
My web server is apache 2.4.18, my os is ubuntu 16.04.

Could you please tell me, why I am receiving the above error message? Am I receiving this error message because my certbot too old? Or is there another reason?

Is my syntax in the above command wrong? 3 Months ago it used to work with exact the same syntax when I renewed the cert last time…


That's too old.

You may have used tls-sni-01 validation, that's not longer supported. So you need to switch to http-01 validation.

Remove these parameters, they are too old. Check


to an updated version.

You don’t need to pass a “--renew” argument. You can just remove it.

If it was previously short for --renew-by-default – now called --force-renewal – you could explicitly pass --force-renewal, but the only purpose of that argument is to force Certbot to renew a certificate that isn’t very old, which you likely don’t want or need to do.

Just out of curiosity, why are you using manual mode? Why not use one of the automated plugins? Then you wouldn’t have to manually renew at all.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.