I seem to have trouble understanding how the renewal exemption applies to the rate limit.
After hitting the "Certificates per Registered Domain (20 per week)" limit, I cannot issue a new certificate for my domain. But still I can renew old ones, "Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals."
However, the order of issuing new certificates and renewing the old ones seem to matter. Let's say that I'd like to create 10 new certificates, and there are 15 certificates to renew, all for the same subdomain (but for different clients).
If I create the 10 new certificates (10× certbot-auto certonly), and then I renew the old ones (1× certbot-auto renew), all requests are successful. I created a total of 25 new certificates, which is more than 20, but 15 of those were renewals.
However if I renew the 15 old certificates (1× certbot-auto renew), then I try to create the 10 new ones (10× certbot-auto certonly), only the first 5 will be successful, because after 15 renewals + 5 new ones, I hit the limit of 20 per week, and I get an error message.
Is this the way how the rate limit is handled? The strange thing is that if I issue the commands in the "new-and-then-old" order, the load for Let's Encrypt servers is 25 certificates, ie. I am allowed to go above 20. But when issuing the commands in the "old-and-then-new" order, I am limited after 20, even if the number of requested certificates would have been the same, 25 of them.