I have a web server (nginx) with an LE certificate up and running, but now I'd like to switch to using the same private key when renewing the certificate. Certbot has a "--reuse-key" option, so this should probably be used when renewing the certificate.
I checked /etc/cron.d/certbot expecting to find the command being run for renewing the certificate there, but there is a note saying:
"This cronjob will NOT be executed if you are running systemd as your init system"
I'm running Debian with systemd, so I checked "systemctl show certbot.timer", but it does not show the command being run. I also checked /etc/systemd/system/timers.target.wants/certbot.timer, but even there, there is nothing about the command being run.
"systemctl list-timers" shows certbot.timer active (running twice a day) and "systemctl status certbot.service" does not report any problem.
So my question is:
How can I force certbot (from now on) to use the same private key when renewing the certificate?
@rg305's suggestion is correct; /etc/letsencrypt/cli.ini parameters appear exactly as they do on the command line.
The per-certificate renewal parameters in /etc/letsencrypt/renewal/*.conf feature different syntax and options. The confusion is easy because there is an overlap. A certificate can have reuse_key set in its renewal parameters, but this is different to globally setting --reuse-key in cli.ini.
I can confirm --force-renewal is required to amend the renewal configuration, if the certificate is not yet due for renewal. The part of the documentation that Osiris linked to goes into some detail about this.
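
An added example, not part of the thread and not Certbot's own code: a shell function that reports, for each lineage in a renewal directory, whether `reuse_key = True` is recorded in its `[renewalparams]` section, which is the per-certificate setting the answer distinguishes from a global entry in cli.ini. The function names and the sample lineages (`a.example`, `b.example`) are constructed for illustration; the directory defaults to /etc/letsencrypt/renewal.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot).
# Print "<lineage> reuse_key=yes|no" for every renewal config in a directory.
# Only a reuse_key line inside [renewalparams] counts; comments are ignored.

reuse_key_audit() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue          # no configs matched the glob
        name=$(basename "$conf" .conf)
        state=$(awk '
            # Track which section we are in.
            /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
            /^[ \t]*#/  { next }
            insec && /^[ \t]*reuse_key[ \t]*=/ {
                split($0, kv, "=")
                v = kv[2]; gsub(/[ \t]/, "", v)
                found = (tolower(v) == "true")
            }
            END { print (found ? "yes" : "no") }
        ' "$conf")
        printf '%s reuse_key=%s\n' "$name" "$state"
    done
}

# Constructed sample lineages (hypothetical names) so the check runs offline.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'cert = /etc/letsencrypt/live/a.example/cert.pem' \
        '[renewalparams]' 'authenticator = nginx' \
        'reuse_key = True' > "$d/a.example.conf"
    printf '%s\n' '# reuse_key = True' \
        'cert = /etc/letsencrypt/live/b.example/cert.pem' \
        '[renewalparams]' 'authenticator = nginx' > "$d/b.example.conf"
    echo "$d"
}

samples=$(make_samples)
reuse_key_audit "$samples"
rm -rf "$samples"
```

On a real host, calling `reuse_key_audit` with no argument after the forced renewal shows which certificates actually had the setting written to their renewal configuration; reading those files normally requires root.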