
Letsencrypt certificate not refreshing after a valid test against staging #1705

Closed
jmartens opened this issue Dec 8, 2020 · 3 comments

Comments

@jmartens

jmartens commented Dec 8, 2020

The problem

After testing successfully against the staging area, the Letsencrypt add-on refuses to update the
certificate when removing the acme_server staging URL and reverting to the default (production) URL.

Environment

  • Add-on with the issue: Lets Encrypt
  • Add-on release with the issue: latest
  • Last working add-on release (if known): N/A
  • Operating environment (OS/Supervised): hassio

Problem-relevant configuration

Production configuration:

email: ******@******.**
domains:
  - ****.*****.**
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http
dns: {}

Staging configuration

email: ******@******.**
domains:
  - ****.*****.**
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http
dns: {}
acme_server: 'https://acme-staging-v02.api.letsencrypt.org/directory'

Traceback/Error logs

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] file-structure.sh: executing... 
[cont-init.d] file-structure.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[16:39:48] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Additional information

Upon inspection of the certificate it can be seen that the certificate stems from the staging environment:

/ssl openssl x509 -in fullchain.pem -text | grep "Authority Information Access" -A 2
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
@jmartens
Author

jmartens commented Dec 8, 2020

For now I have solved it by removing the add-on and reinstalling it, redoing the configuration for production and running it again.

/ssl openssl x509 -in fullchain.pem -text | grep "Authority Information Access" -A 2
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

As a suggestion, I think it would be a nice addition if you were to properly implement the option to use --dry-run to test before doing the actual run that generates the valid certificate.
That should prevent issues like this and would not be too hard to implement IMHO, by adding a simple additional configuration parameter and adding the --dry-run parameter to the command line when testing is specified.
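The root cause visible in the log above is that certbot decides renewal purely on the expiry date of the certificate already on disk ("Cert not yet due for renewal"); it does not notice that the existing certificate was issued by the staging CA while the configured ACME server is now production. The following is an added example, not code from the Home Assistant add-on or from certbot: it parses `openssl x509 -text` output (the OCSP and CA Issuers URIs quoted in this issue, plus an issuer line), flags a staging-issued certificate, and builds a certbot command line that adds `--force-renewal` only in that case, or `--dry-run` when a test run is requested. The sample certificate texts are constructed, and the staging hostname and issuer-name patterns are assumptions drawn from the `stg-int-x1` hosts shown here rather than an official list.

```python
"""Detect a staging-issued Let's Encrypt certificate and decide whether
renewal must be forced when switching back to the production ACME server.

Added example (not the add-on's or certbot's own code). The two certificate
texts below are constructed; the OCSP / CA Issuers URIs come from the issue,
the issuer lines and everything else are made up for illustration.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List

PRODUCTION_ACME = "https://acme-v02.api.letsencrypt.org/directory"
STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Assumption: staging AIA hosts carry "stg-int"/"staging" under letsencrypt.org
# (as the stg-int-x1 hosts in the issue do), and staging issuer names carry
# "(STAGING)" or "Fake LE".  Adjust if Let's Encrypt changes its naming.
STAGING_HOST_RE = re.compile(r"\b(stg-int|staging)[\w.-]*letsencrypt\.org\b")
STAGING_ISSUER_RE = re.compile(r"\(STAGING\)|Fake LE", re.IGNORECASE)

# Constructed sample: what `openssl x509 -text` prints for a staging cert.
STAGING_TEXT = """\
Certificate:
    Data:
        Issuer: CN = Fake LE Intermediate X1
        Subject: CN = home.example.test
            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
"""

# Constructed sample: the same certificate after re-issuance from production.
PRODUCTION_TEXT = """\
Certificate:
    Data:
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Subject: CN = home.example.test
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
"""


@dataclass
class CertIdentity:
    issuer: str = ""
    ocsp: List[str] = field(default_factory=list)
    ca_issuers: List[str] = field(default_factory=list)


def parse_x509_text(text: str) -> CertIdentity:
    """Extract the issuer DN and the AIA URIs from `openssl x509 -text` output."""
    ident = CertIdentity()
    m = re.search(r"^\s*Issuer:\s*(.+)$", text, re.MULTILINE)
    if m:
        ident.issuer = m.group(1).strip()
    ident.ocsp = re.findall(r"OCSP - URI:(\S+)", text)
    ident.ca_issuers = re.findall(r"CA Issuers - URI:(\S+)", text)
    return ident


def is_staging_cert(ident: CertIdentity) -> bool:
    """True if either the issuer name or any AIA host points at the staging CA."""
    if STAGING_ISSUER_RE.search(ident.issuer):
        return True
    return any(STAGING_HOST_RE.search(u) for u in ident.ocsp + ident.ca_issuers)


def needs_forced_renewal(cert_text: str, acme_server: str) -> bool:
    """Renewal must be forced when production is configured but the cert on disk
    came from staging; certbot alone would say 'not yet due for renewal'."""
    return acme_server == PRODUCTION_ACME and is_staging_cert(parse_x509_text(cert_text))


def read_cert_text(path: str) -> str:
    """Run openssl on a PEM file; equivalent to the command used in the issue."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def certbot_args(domains: List[str], email: str, acme_server: str,
                 force: bool = False, dry_run: bool = False) -> List[str]:
    """Build a certbot standalone/http command line for the given mode."""
    args = ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "--standalone", "--email", email, "--server", acme_server]
    for d in domains:
        args += ["-d", d]
    if force:
        args.append("--force-renewal")   # re-issue even though not yet due
    if dry_run:
        args.append("--dry-run")         # test the flow without saving a cert
    return args


if __name__ == "__main__":
    # Demonstration on the constructed samples only (no openssl call needed).
    for label, text in (("staging", STAGING_TEXT), ("production", PRODUCTION_TEXT)):
        force = needs_forced_renewal(text, PRODUCTION_ACME)
        print(label, "cert on disk -> force renewal:", force)
        print(" ", " ".join(certbot_args(["home.example.test"], "admin@example.test",
                                         PRODUCTION_ACME, force=force)))
```

In a real run, `read_cert_text("/ssl/fullchain.pem")` would replace the constructed samples; the decision logic stays the same. Checking the issuer and the AIA hosts together is deliberate: the issuer string is the authoritative signal, while the AIA URIs are what the issue reporter actually looked at and give a second, independent hint if the issuer naming ever changes.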

@stale

stale bot commented Mar 11, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 11, 2021
@stale stale bot closed this as completed May 12, 2021
@kielerrr

Explicitly setting the le caserver to production worked for me.

change:
- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
to:
- "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
