Poor me, I’m confused. Certbot appears to be renewing my certs
but then failing to stitch them into the fabric of
symbolic links correctly. At least that’s my impression.
I’m hoping that somebody will say: “Silly boy, you
just need to …”; you know like “dude, you missed this
bit of the documentation!”
Here’s what I hope is a simple view of the situation I observe
after renewing some certs. Let’s look at just one cert, and
just one aspect of that, the privkey.
The good news is that after the renewal I have a nice certificate:
Oh, when I first ran the certificates command certbot mentioned a lot of
Renewal configuration file /Users/b.../letsencrypt-tools/letsencrypt/renewal/devel.example.io-0001.conf produced an unexpected error: expected ... to be a symlink. Skipping.
./my-certbot --help
...
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
...
I’m betting that the use of certonly is why I have a -0001 and a -0002; and the update is taking place in -0002 while live is linked (somehow) to -0001. I sure do seem to be accumulating a lot of privkey#.pem.
That's probably why the updates aren't happening where you expect. Certbot never updates certificate lineages whose renewal configuration files have been deleted because as far as it's concerned, those certificates are no longer managed by Certbot at all.
One option is to change your web server configuration to point at the -0002 version, which you've observed is updating properly.
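A small audit script for the state the reply describes, added here as an example and not code from either poster or from the Certbot project. It assumes the standard Certbot config layout (each `live/<lineage>/{cert,chain,fullchain,privkey}.pem` is a relative symlink into `archive/<lineage>/`, and each managed lineage has a `renewal/<lineage>.conf`), and it builds a constructed throwaway directory with one broken lineage (files copied into `live/`, no renewal config) and one healthy lineage, so it runs without touching a real `/etc/letsencrypt`:

```shell
#!/bin/sh
# Audit a Certbot config directory for the two problems in the thread:
#  - live/<lineage>/*.pem that is a regular file (or a link pointing outside
#    archive/<lineage>/), which makes certbot report "expected ... to be a
#    symlink" and skip the lineage;
#  - a lineage with no renewal/<lineage>.conf, which certbot treats as
#    unmanaged and never renews.
# Prints one finding per line and returns non-zero if anything is wrong.
audit_certbot_dir() {
  dir="$1"
  bad=0
  for lineage_dir in "$dir"/live/*/; do
    [ -d "$lineage_dir" ] || continue
    lineage=$(basename "$lineage_dir")
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
      p="$lineage_dir$f"
      if [ ! -L "$p" ]; then
        echo "NOT_SYMLINK $lineage/$f"
        bad=$((bad + 1))
        continue
      fi
      target=$(readlink "$p")
      case "$target" in
        ../../archive/"$lineage"/*) ;;      # the relative link certbot creates
        *) echo "BAD_TARGET $lineage/$f -> $target"; bad=$((bad + 1)) ;;
      esac
      # a symlink whose target was deleted is just as useless to the web server
      if [ ! -e "$p" ]; then
        echo "DANGLING $lineage/$f -> $target"
        bad=$((bad + 1))
      fi
    done
    if [ ! -f "$dir/renewal/$lineage.conf" ]; then
      echo "NO_RENEWAL_CONF $lineage"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample layout (not a real certbot directory): -0001 is broken
# the way the thread describes, -0002 is laid out the way certbot expects.
make_fixture() {
  root=$(mktemp -d)
  for l in devel.example.io-0001 devel.example.io-0002; do
    mkdir -p "$root/live/$l" "$root/archive/$l" "$root/renewal"
    for f in cert chain fullchain privkey; do
      echo "placeholder PEM" > "$root/archive/$l/${f}1.pem"
    done
  done
  for f in cert chain fullchain privkey; do
    # -0001: copies instead of links, so certbot will skip it
    cp "$root/archive/devel.example.io-0001/${f}1.pem" \
       "$root/live/devel.example.io-0001/$f.pem"
    # -0002: relative symlinks into archive/, as certbot creates them
    ln -s "../../archive/devel.example.io-0002/${f}1.pem" \
          "$root/live/devel.example.io-0002/$f.pem"
  done
  # only -0002 is still managed (has a renewal config)
  printf '[renewalparams]\n' > "$root/renewal/devel.example.io-0002.conf"
  echo "$root"
}

# Stand-alone demo: run the audit against the constructed directory.
demo_root=$(make_fixture)
audit_certbot_dir "$demo_root" || echo "lineages above will not renew cleanly"
rm -rf "$demo_root"
```

Run it against a real installation with `audit_certbot_dir /etc/letsencrypt` (or the custom `--config-dir` path from the thread); any lineage listed under `NO_RENEWAL_CONF` is one `certbot renew` will never touch, and anything under `NOT_SYMLINK` or `BAD_TARGET` is what produces the "expected ... to be a symlink" message.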