You've asked to renew/replace a seemingly valid certificate with a test certificate, We will not do that unless you use the --break-my-certs flag!

Hi !
I have a problem when renewing my existing certificates in the staging env.
I am using certbot 1.9.0.
The server is

And the error is

command exec failed:/usr/local/lib/python2.7/dist-packages/OpenSSL/ CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography import utils, x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in environment variables.
Plugins selected: Authenticator dns-route53, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains:, *, *, *, *, *,,,, We will not do that unless you use the --break-my-certs flag!

Can anyone help on this?

You probably want to use --dry-run, which uses the staging environment, instead of the --server option you're probably using currently.

By the way, Python 2.7? What gives?


Hi @XuelinMao, and welcome to the LE community forum 🙂

Did you use the --staging flag?

Please show the complete certbot command used.


Let me try it. My command is below; preferChain is ISRG Root X1

	bin := "certbot"
	args := []string{

What's in the acmeServer variable?


Why do you want to renew it via the staging API? You'd know it'd not be trusted by clients:


Tried, but it did not work; still the same error

Don't use the --staging flag - you won't get a real cert from it [only a test/staging cert].


Yes, I know. Just in case the same error happens in our live env


What shows?:
certbot certificates

You may have installed a real cert in your testing env.


From the certbot repo, lines 323-333:

def _avoid_invalidating_lineage(config: configuration.NamespaceConfig,
                                lineage: storage.RenewableCert, original_server: str) -> None:
    """Do not renew a valid cert with one from a staging server!"""
    if util.is_staging(config.server):
        if not util.is_staging(original_server):
            if not config.break_my_certs:
                names = ", ".join(lineage.names())
                raise errors.Error(
                    "You've asked to renew/replace a seemingly valid certificate with "
                    f"a test certificate (domains: {names}). We will not do that "
                    "unless you use the --break-my-certs flag!")

It looks like it thinks the last server was prod? But I don't see your domain on so it may be a bug in determining whether your old lineage was staging or prod.
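
To see which lineages would trip the check quoted above, the server recorded in each renewal file can be compared with the requested one. This is an added example, not code from the thread or from Certbot; it assumes renewal files live in a directory such as /etc/letsencrypt/renewal, that a lineage with no recorded server counts as production, and that "staging" in the URL marks a staging server. The helper names are hypothetical.

```python
import configparser
import pathlib
import tempfile

# Assumption: a lineage with no recorded server counts as production.
PROD_DEFAULT = "https://acme-v02.api.letsencrypt.org/directory"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def is_staging(server):
    # Assumption: substring heuristic standing in for the util.is_staging call quoted above.
    return "staging" in server

def recorded_server(conf_path):
    """Return the ACME server stored in one renewal .conf file."""
    # Renewal files start with keys outside any section, so add a dummy header.
    text = "[top]\n" + pathlib.Path(conf_path).read_text()
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("renewalparams"):
        return PROD_DEFAULT
    return parser.get("renewalparams", "server", fallback=PROD_DEFAULT)

def blocked_lineages(renewal_dir, requested_server):
    """List (lineage, recorded server) pairs the guard would refuse to renew."""
    if not is_staging(requested_server):
        return []  # the guard only fires when the new request targets staging
    blocked = []
    for conf in sorted(pathlib.Path(renewal_dir).glob("*.conf")):
        server = recorded_server(conf)
        if not is_staging(server):
            blocked.append((conf.stem, server))
    return blocked

def demo():
    """Run the audit over three constructed renewal files."""
    samples = {  # constructed sample data, not taken from the thread
        "test-a.example": f"version = 1.9.0\n[renewalparams]\nserver = {STAGING}\n",
        "test-b.example": "version = 1.9.0\n[renewalparams]\nauthenticator = dns-route53\n",
        "real.example": f"version = 1.9.0\n[renewalparams]\nserver = {PROD_DEFAULT}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (pathlib.Path(tmp) / f"{name}.conf").write_text(body)
        return blocked_lineages(tmp, STAGING)

if __name__ == "__main__":
    for name, server in demo():
        print(f"{name}: recorded server {server} is not staging")
```

In the constructed data, `test-b.example` is reported even though it was never issued by production, because its renewal file records no server at all.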


So if there is a real cert, will it affect every test cert?
We have lots of certificates in our staging env, Orz

There is no need to guess, let's see what there is:


There are too many, so here are two of them:

 Certificate Name: wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api
    Serial Number: fa5393b1b060ca55889de7371281f798aefc
    Domains: * * * * *
    Expiry Date: 2023-11-13 07:44:03+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wildcard.nonlive.333-jiaxuan-cert-test-shopee-systems.api/privkey.pem
  Certificate Name: wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api
    Serial Number: fa143a6e49fc36203952f0fb917fb5769fe5
    Domains: * * * * *
    Expiry Date: 2023-11-08 05:07:00+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wildcard.nonlive.3q6vqyz-albauto-shopee-sg.api/privkey.pem

And I also checked that all certs show INVALID: TEST_CERT


OK, then that most likely means that you have indeed found a bug in the certbot code.

Just to be 100% certain, please show:
certbot certificates | grep Expiry

If that is really long, then:
certbot certificates | grep Expiry | grep -v TEST_CERT


If you think you've found a bug in Certbot, please first upgrade to the most recent Certbot version (2.7.2) and check if the problem persists.


Does the most recent even support Python 2.7?

Of course, snap would usually be better. @XuelinMao see if you do need to upgrade


No, "of course" not. But it's rather a catch 22: if you think you've found a bug, you'd need to make sure it's also present in the most recent versions and not already fixed. But if you can't upgrade, you can't test that. So you're stuck.

Python 2.7 doesn't get security upgrades since 2020 any longer, so there's absolutely no reason to continue using it. Any legacy software requiring Python 2.7 should either be ported, upgraded or discarded IMO.