Certificate renewal: using the same private key

I'm afraid that's not true.

(venv) osiris@erazer certbot $ certbot_test certonly --webroot -w /tmp/ -d example.com

(...)

Successfully received certificate.
Certificate is saved at: /home/osiris/github/certbot/.certbot_test_workspace/conf/live/example.com/fullchain.pem
Key is saved at:         /home/osiris/github/certbot/.certbot_test_workspace/conf/live/example.com/privkey.pem
This certificate expires on 2027-03-13.
These files will be updated when the certificate renews.

(...)

(venv) osiris@erazer certbot $ sha256sum .certbot_test_workspace/conf/renewal/example.com.conf 
896d72107654f74614f4fdadfde555552ad66a66caedbb697f1843628e96f4e0  .certbot_test_workspace/conf/renewal/example.com.conf
(venv) osiris@erazer certbot $ certbot_test renew --keep --cert-name example.com --must-staple

(...)

Processing
/home/osiris/github/certbot/.certbot_test_workspace/conf/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /home/osiris/github/certbot/.certbot_test_workspace/conf/live/example.com/fullchain.pem expires on 2027-03-13 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(venv) osiris@erazer certbot $ sha256sum .certbot_test_workspace/conf/renewal/example.com.conf 
896d72107654f74614f4fdadfde555552ad66a66caedbb697f1843628e96f4e0  .certbot_test_workspace/conf/renewal/example.com.conf
(venv) osiris@erazer certbot $ grep must_staple .certbot_test_workspace/conf/renewal/example.com.conf 
(venv) osiris@erazer certbot $ 

No must_staple option was added to the renewal configuration file. That only happens when using --force-renewal, as stated in the documentation: User Guide — Certbot 1.24.0 documentation
