That's not true:
server ~ # certbot certificates
(...)
Certificate Name: le-test-01.example.com
Serial Number: ...
Domains: le-test-01.example.com
Expiry Date: 2021-01-04 09:35:25+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/le-test-01.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/le-test-01.example.com/privkey.pem
(...)
server ~ # certbot certonly -a apache --cert-name le-test-01.example.com -d le-test-01.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Plugins selected: Authenticator apache (1.8.0.dev0), Installer None (None)
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/le-test-01.example.com.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
The output is different when adding a domain, but it still asks you what to do:
server ~ # certbot certonly -a apache --cert-name le-test-01.example.com -d le-test-01.example.com -d le-test-02.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Plugins selected: Authenticator apache (1.8.0.dev0), Installer None (None)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate le-test-01.example.com to include new
domain(s):
+ le-test-02.example.com
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel:
So I don't really understand your fascination with --keep-until-expiring... Or I'm really missing something... (But I don't think I am, as the examples above clearly state.)