Strange certificate renewal issue

I am experiencing a strange issue with the certificate renewal.

So I used certbot to perform a certificate renewal like I have done dozens of times before. However, this time it threw an error saying it could not write to the file in archive/domain-name/private2.pem because it already exists, and it didn't complete.

So I went into that directory and renamed that file. I then reissued the command (in the past, in the case of errors, it runs through again without having to do the challenge and just downloads the certificate files).

This time it downloaded the old certificate with the expiry tomorrow. I have played around with it; each time it keeps presenting me with a certificate with less than a day's life on it.

Now it is telling me: "too many certificates (5) already issued for this exact set of domains in the last 168 hours"

This to me looks like an issue that was originally on my side, but the subsequent errors are on the Let's Encrypt side, not locally. Looking at the original renewal logs, the chain it presented the first time (when it didn't write to the certificate files) has the expiry in 3 months; the subsequent chain blocks visible in the logs, when extracted and queried with openssl x509, come back with the expiry of tomorrow.

How can this be fixed?

When you say "it's presenting you", do you mean the files on disk are old (and their file times are new), or do you mean your webserver is serving the old cert?


I mean the certificate that it generates contains the old certificate in new files, and in the letsencrypt.log file the chain in there has an expiry date of 08/08/2024:

2024-08-07 13:30:27,894:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: live/domain-name/fullchain.pem
Key is saved at: live/domain-name/privkey.pem
This certificate expires on 2024-08-08.

Thanks. The files in /live/domain-name should be symbolic links (you should see that if you run ls -al under live). These in turn should point to the latest /archive/domain-name files, so check that the symbolic links look OK and check that the files under /archive/domain-name are updating as expected.

I don't know that certbot can download old certificates (perhaps it can), but it would seem more likely that it's failing to update the /live links, and perhaps there is a permissions issue such as running certbot under different user accounts.

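A small script to do the check suggested above, added here as an example and not part of the original thread or of certbot itself. It walks each live/<domain>/*.pem symlink, resolves what it points at, and compares that number against the highest-numbered cert/chain/fullchain/privkey file in archive/<domain>/. The config root and domain are parameters so it can be run against the real /etc/letsencrypt tree or against the constructed demo tree that make_demo_tree builds (twelve numbered archive files with fullchain.pem still pointing at number 11, mirroring the situation in this thread). The file contents in the demo tree are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: verify that certbot's live/ symlinks point at the newest archive/ files.
# Assumes the standard certbot layout CONFIG_DIR/{live,archive}/DOMAIN.

# check_live_links CONFIG_DIR DOMAIN
# Prints one line per file; returns 0 if every link is current, 1 otherwise.
check_live_links() {
    cfg="$1"; domain="$2"; rc=0
    live="$cfg/live/$domain"; archive="$cfg/archive/$domain"
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            echo "MISSING LINK: $link is not a symlink" >&2; rc=1; continue
        fi
        # Resolve the link target relative to the live directory.
        target=$(readlink "$link")
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$live/$target" ;;
        esac
        # Number the link points at, e.g. fullchain11.pem -> 11
        linked_n=$(basename "$resolved" .pem | sed "s/^$name//")
        # Highest number present in the archive for this file name
        newest_n=$(ls "$archive"/"$name"[0-9]*.pem 2>/dev/null \
                   | sed "s#.*/$name\([0-9]*\)\.pem#\1#" | sort -n | tail -1)
        if [ -z "$newest_n" ]; then
            echo "NO ARCHIVE FILES for $name in $archive" >&2; rc=1; continue
        fi
        if [ "$linked_n" != "$newest_n" ]; then
            echo "STALE LINK: $link -> $name$linked_n.pem but archive has $name$newest_n.pem" >&2
            rc=1
        else
            echo "ok: $link -> $name$newest_n.pem"
        fi
    done
    return $rc
}

# Constructed demo tree (placeholder files, not real certificates): archive holds
# 1..12 but live/fullchain.pem still points at fullchain11.pem. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/live/example.com" "$root/archive/example.com"
    i=1
    while [ "$i" -le 12 ]; do
        for name in cert chain fullchain privkey; do
            echo "placeholder $name $i" > "$root/archive/example.com/$name$i.pem"
        done
        i=$((i + 1))
    done
    for name in cert chain privkey; do
        ln -s "../../archive/example.com/${name}12.pem" "$root/live/example.com/$name.pem"
    done
    ln -s "../../archive/example.com/fullchain11.pem" "$root/live/example.com/fullchain.pem"
    echo "$root"
}

# Stand-alone run: build the demo tree, show the stale link, then fix and re-check.
demo_root=$(make_demo_tree)
check_live_links "$demo_root" example.com || echo "stale link detected (expected in the demo)"
ln -sf "../../archive/example.com/fullchain12.pem" "$demo_root/live/example.com/fullchain.pem"
check_live_links "$demo_root" example.com && echo "all links current after fix"
rm -rf "$demo_root"
```

On a real host run check_live_links /etc/letsencrypt domain-name (as root, since archive/ is not world-readable), then confirm what the web server will actually load with openssl x509 -noout -enddate -in /etc/letsencrypt/live/domain-name/cert.pem, which follows the symlink and reports the expiry of the file it resolves to rather than the modification time of the link.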

Looks like that was the issue. It was trying to create fullchain2 rather than 12 (the next consecutive number), then symlinking to 11.

Perhaps certbot can't handle that number of archives.


What version of certbot are you using (see sudo certbot --version)?

Because older versions kept every prior set of cert files, and we often saw large numbers. Starting with Certbot v2.3 it only keeps the current and 5 prior. certbot/certbot/CHANGELOG.md at master · certbot/certbot · GitHub

The problem you describe sounds like there were manual changes to the .../live/ symlinks and/or the .../archive/ folder. Sometimes people have modified or adjusted these files without doing all that is needed, which includes the renewal profile too. Is it possible someone did that?

