The client’s online help states the following about the --keep option:
--keep-until-expiring, --keep, --reinstall If the requested cert matches an existing cert, always keep the existing one until it is due for renewal (for the 'run' subcommand this means reinstall the existing cert) (default: False)
At what time does a certificate become due for renewal? Presumably at latest on the day of expiry, but whether this is earlier is not at all clear.
I had the same question and was unable to find an answer in the documentation or in the forum. So I tried to figure it out by reading the source code. Unless I’m mistaken, --keep will renew the certificate it there are fewer than 10 days left until expiration date, and the number is configurable by setting the “renew_before_expiry” configuration option to something otter than the default (which is “10 days”).
While digging through the code to determine the exact process for autorenewal for my clients, I found the default is actually 30 days, as defined in the “RENEWER_DEFAULTS” constants. The 10 days in the get call is basically a fallback value in the case that it isn’t defined in the configs.
You can set a custom renewal before time by editing the applicable config file in /etc/letsencrypt/renewal/ for any existing certificates you have. For new certificates you create (not renewals) create /etc/letsencrypt/renewer.conf and put in the values you want to set. The parameters defined in that file are merged into the certificate-specific configuration file when it’s created.