--force-renewal, --renew-by-default
If a certificate already exists for the requested
domains, renew it now, regardless of whether it is
near expiry. (Often --keep-until-expiring is more
appropriate). Also implies --expand. (default: False)
If it was simply trying to "renew", it would not "create" anything "new". Except for the weird case where you explicitly tell certbot to renew even when it can't validate all the names on the cert [see: --allow-subset-of-names].
When that happens, certbot will be forced into creating a new cert - because all the names are not being included in this new request.
I didn't understand this. We are using the certbot certonly command. When the client requests a renewal, the option --force-renewal is appended to it.
So, you are saying that without --force-renewal, the suffix -0005 would be created?
And if --force-renewal can't renew any cert due to broken links, it won't do anything, right?
I don't think --force-renewal is causing the -000x numbers.
It only speeds up the (broken) renewal process by forcing it to happen immediately [not at the next regular schedule].
Thanks for clarifying this. So in my case certbot certonly would have created those suffixes when it found broken certificates.
I came across a similar thread and this one
What would be the behavior of certbot certonly if the certificate links aren't broken?
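As an added example (not from this thread or from certbot itself), a small shell check for the two conditions discussed above: lineages under live/ whose symlinks dangle, and lineages certbot created with a -NNNN suffix instead of renewing the existing one. It assumes the standard certbot layout (live/<name>/*.pem linking into archive/<name>/); the sample tree it builds is constructed, not a real /etc/letsencrypt.

```shell
#!/bin/sh
# Print the names of lineages under $1/live whose symlinks are dangling
# (the "broken links" condition). Assumes the standard certbot layout.
find_broken_lineages() {
  for lineage in "$1"/live/*/; do
    [ -d "$lineage" ] || continue
    for f in cert chain fullchain privkey; do
      link="${lineage}${f}.pem"
      # -L: it is a symlink; -e follows the link, so it fails if the target is gone
      if [ ! -L "$link" ] || [ ! -e "$link" ]; then
        basename "$lineage"
        break
      fi
    done
  done
}

# Print lineages whose name ends in -NNNN, i.e. duplicates certbot created
# as a new lineage rather than renewing the original.
find_suffixed_lineages() {
  for lineage in "$1"/live/*/; do
    [ -d "$lineage" ] || continue
    name=$(basename "$lineage")
    case "$name" in
      *-[0-9][0-9][0-9][0-9]) echo "$name" ;;
    esac
  done
}

# Build a constructed sample tree: one healthy lineage, one whose archive
# files were deleted (so its live/ links dangle), and one -0001 duplicate.
make_sample_tree() {
  root=$(mktemp -d)
  for name in example.com broken.example example.com-0001; do
    mkdir -p "$root/archive/$name" "$root/live/$name"
    for f in cert chain fullchain privkey; do
      printf 'placeholder pem\n' > "$root/archive/$name/${f}1.pem"
      ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/${f}.pem"
    done
  done
  rm "$root/archive/broken.example/"*.pem
  echo "$root"
}
```

Run it against the real config directory with `find_broken_lineages /etc/letsencrypt` before invoking certbot to see whether a lineage is in the state that leads to a new -NNNN lineage being created.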