Switch to production server does not work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
qa-tic-backend.com

I ran this command:
sudo certbot certonly -v \
  --manual \
  --preferred-challenges dns \
  --manual-auth-hook "./../validate.sh" \
  --deploy-hook "./../deploy.sh" \
  --manual-cleanup-hook "./../cleanup.sh" \
  --disable-hook-validation \
  --noninteractive \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --force-renewal \
  --email ... \
  --agree-tos \
  --domain $DOMAIN

It produced this output:
I used this command with the flag --test-cert before. I was able to update Let's Encrypt staging certificates in my Azure Key Vault with that.
Then I removed the flag --test-cert and added the flag --server https://acme-v02.api.letsencrypt.org/directory. I wanted to replace the staging certificate with a production certificate.
This does not work. I still only get staging certificates.

The command is called in a GitHub Actions workflow on a GitHub runner with a static IP.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I do not know. In the GitHub workflow certbot is installed like this: sudo snap install certbot --classic, before the command from above is called.

You need to remove that from your command. It doesn't usually fix whatever you were hoping that it would fix and tends to create new problems that you were not expecting.

I'm not familiar with your workflow, so please wait for someone to respond with further suggestions.

I see you got a production cert today. But, that domain is using one that is much older on HTTPS. You need to review your deployment scripts to see why it did not update your web service.

As for --force-renewal I agree with @linkp that you should avoid using that. But, when trying to replace a test cert with a production cert it is sometimes necessary to use --force ONCE. Sometimes Certbot sees a recent test cert and won't renew without that. Now that you have replaced it you should not use it any more as it will likely cause you to become rate limited.

Here is the production cert from today:

Hi there,
thanks a lot to @linkp and @MikeMcQ for your answers and your help. It is good for me to learn about the usage of --force-renewal. I was actually on the wrong track regarding my issue. In fact I got the correct productive certificate into my Key Vault. I was not able to see that correctly because there seems to be an issue with Azure Key Vault displaying certificate details (Azure Key Vault PFX import not showing correct certificate details - Microsoft Q&A) when it comes to EC coded certificates. So certbot works fine.

Thanks a lot again.

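Added example, not code from the thread or from Certbot: a small shell check that reads the issued certificate directly with openssl to tell a staging certificate from a production one and to report the key type, so the answer does not depend on a UI such as Azure Key Vault that may misrender EC certificate details. The Certbot path /etc/letsencrypt/live/<domain>/cert.pem and the helper names are assumptions; the sample certificates are constructed self-signed ones.

```shell
#!/bin/sh
# classify_cert PEM : prints "<environment> <key-type> <notAfter>" for a certificate.
# Certbot keeps the leaf cert at /etc/letsencrypt/live/<domain>/cert.pem (assumed path).
classify_cert() {
  pem="$1"
  issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 2
  # Let's Encrypt staging intermediates carry "(STAGING)" in their names
  # (older ones "Fake LE"); production intermediates such as R3 or E1 do not.
  case "$issuer" in
    *STAGING*|*"Fake LE"*) env=staging ;;
    *)                     env=production ;;
  esac
  # Key algorithm as printed by openssl: id-ecPublicKey for EC, rsaEncryption for RSA.
  alg=$(openssl x509 -in "$pem" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n1)
  case "$alg" in
    id-ecPublicKey) key=EC ;;
    rsaEncryption)  key=RSA ;;
    *)              key="$alg" ;;
  esac
  notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  echo "$env $key $notafter"
}

# make_sample_cert CN : constructed self-signed EC certificate (issuer == subject)
# so the classifier can be exercised offline; prints the PEM path.
make_sample_cert() {
  cn="$1"; out=$(mktemp); key=$(mktemp)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$key" -subj "/CN=$cn" -days 1 -out "$out" 2>/dev/null || return 1
  rm -f "$key"
  echo "$out"
}

# Stand-alone run: classify one constructed staging-like and one production-like cert.
for cn in "(STAGING) Artificial Apricot R3" "R3"; do
  p=$(make_sample_cert "$cn") && classify_cert "$p" && rm -f "$p"
done
```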