I've been finding some domains are getting out-of-date certs on visiting them even though there is a current cert, and it appears to be because Certbot is auto-renewing certs: "Certbot has set up a scheduled task to automatically renew this certificate in the background", which is what you get whenever you create a new cert now.
However, I have my own script to deal with renewals, as a number of steps have to be taken, so how can we disable auto-renewal for all domains, existing or any created in future?
All I can see is to add --no-autorenew when creating a cert, but this does not help with all certs currently created (there are quite a few). Is there a way to simply disable auto-renew?
Up-to-date versions of Certbot have the reconfigure subcommand (since 2.3.0, but preferably use 2.9.0 or later due to a bug in the reconfigure subcommand using the production environment for testing in versions 2.8.0 and earlier), and I'm guessing you should be able to use that subcommand to configure all certificates with the --no-autorenew option.
Please note that Certbot somehow does not have the --autorenew option, which is kinda silly and also known to the Certbot team. Unfortunately they have no interest in adding this simple flag for reasons I don't understand. So if you do use the --no-autorenew option, you can only start autorenewing certs again by manually editing renewal configuration files...
Also, are you familiar with the --deploy-hook option, which is usually used for post-issuance scripts? Most of the time, separating deploy scripts from Certbot is not a very good idea.
Also also, how is Certbot messing up your system exactly? Because you say visitors are getting out-of-date certs. But how could Certbot be responsible for that?
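The reply's suggestion applied to every existing certificate, as an added example that is not part of the original thread or of Certbot itself. It assumes Certbot's default renewal directory /etc/letsencrypt/renewal, that a disabled lineage carries `autorenew = False` in its renewal config, and that `reconfigure` accepts `--no-autorenew` as the reply guesses; the function names and the APPLY and RENEWAL_DIR variables are hypothetical.

```shell
#!/bin/sh
# Added example: turn off auto-renewal for every existing Certbot lineage.
# Assumption: one renewal config per certificate, <dir>/<cert-name>.conf.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Print the cert name of every lineage (config file name without .conf).
list_cert_names() {
    for conf in "$1"/*.conf; do
        [ -e "$conf" ] || continue   # empty directory: the glob matched nothing
        basename "$conf" .conf
    done
}

# Succeed if the config already contains "autorenew = False" (assumed key).
autorenew_disabled() {
    grep -Eiq '^[[:space:]]*autorenew[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Print the reconfigure command for each lineage that still auto-renews.
# With APPLY=1 the command is executed instead of printed.
disable_autorenew_all() {
    dir="${1:-$RENEWAL_DIR}"
    list_cert_names "$dir" | while IFS= read -r name; do
        if autorenew_disabled "$dir/$name.conf"; then
            echo "skip: $name already has autorenew disabled" >&2
            continue
        fi
        if [ "${APPLY:-0}" = "1" ]; then
            # </dev/null keeps certbot from consuming the list of names on stdin
            certbot reconfigure --cert-name "$name" --no-autorenew </dev/null
        else
            echo "certbot reconfigure --cert-name $name --no-autorenew"
        fi
    done
}
```

Run `disable_autorenew_all` first to review the printed commands, then `APPLY=1 disable_autorenew_all` as root to execute them. Certificates created later are not covered and still need --no-autorenew at creation time.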