If --renew --force and --staging are enabled, if certificate was using prod api it will ignore --staging flag #6140

Open
maonat opened this issue Dec 8, 2024 · 1 comment

Comments


maonat commented Dec 8, 2024

Certificates are forcibly renewed with the production API even though --staging is set.
If we have a conf file using the production API, it will ignore the staging API and proceed with the renewal if the --force parameter is used.

I ended up having my domain blocked for the next 20ish hours just because of me issuing by mistake to letsencrypt the same domain multiple times when I thought I was working with staging.

It would be good to have some information saying that during the script run, or at least some prompt to inform the user and ask if they want to proceed?

Steps to reproduce

In my case I'm using dns_azure; this should happen with every other DNS provider.

  1. Issue new certificate in production mode: acme.sh --issue -d "my.domainzzz.xyz" -d "*.my.domainzzz.xyz" --dns dns_azure --debug 2
  2. Renew it by forcing it and adding the --staging parameter. After the execution, check the conf file to see the letsencrypt api not being staging --> acme.sh --staging --renew -d "my.domainzzz.xyz" -d "*.my.domainzzz.xyz" --dns dns_azure --force --debug 2
  3. Eventually end up being blocked by letsencrypt

Debug log

[Sun Dec 8 22:47:47 CET 2024] Let's find the script directory.
[Sun Dec 8 22:47:47 CET 2024] SCRIPT='/Users/username/.acme.sh/acme.sh'
[Sun Dec 8 22:47:47 CET 2024] _script='/Users/username/.acme.sh/acme.sh'
[Sun Dec 8 22:47:47 CET 2024] _script_home='/Users/username/.acme.sh'
[Sun Dec 8 22:47:47 CET 2024] Using config home: /Users/username/.acme.sh
[Sun Dec 8 22:47:47 CET 2024] LE_WORKING_DIR='/Users/username/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Sun Dec 8 22:47:47 CET 2024] Running cmd: renew
[Sun Dec 8 22:47:47 CET 2024] _renewServer
[Sun Dec 8 22:47:47 CET 2024] Using config home: /Users/username/.acme.sh
[Sun Dec 8 22:47:47 CET 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:47 CET 2024] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Sun Dec 8 22:47:47 CET 2024] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'
[Sun Dec 8 22:47:47 CET 2024] _ACME_SERVER_PATH='directory'
[Sun Dec 8 22:47:47 CET 2024] The domain 'my.domainzzz.xyz' seems to already have an ECC cert, let's use it.
[Sun Dec 8 22:47:47 CET 2024] DOMAIN_PATH='/Users/username/.acme.sh/my.domainzzz.xyz_ecc'
[Sun Dec 8 22:47:47 CET 2024] Renewing: 'my.domainzzz.xyz'
[Sun Dec 8 22:47:47 CET 2024] Le_API='https://acme-staging-v02.api.letsencrypt.org/directory'
[Sun Dec 8 22:47:47 CET 2024] Switching back to https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:47 CET 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:47 CET 2024] initpath again.
[Sun Dec 8 22:47:47 CET 2024] Using config home: /Users/username/.acme.sh
[Sun Dec 8 22:47:47 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Dec 8 22:47:47 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun Dec 8 22:47:47 CET 2024] _ACME_SERVER_PATH='directory'
[Sun Dec 8 22:47:47 CET 2024] _main_domain='my.domainzzz.xyz'
[Sun Dec 8 22:47:47 CET 2024] _alt_domains='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:48 CET 2024] 'dns_azure' does not contain 'dns'
[Sun Dec 8 22:47:48 CET 2024] 'dns_azure' does not contain 'dns'
[Sun Dec 8 22:47:48 CET 2024] Le_NextRenewTime='1738792021'
[Sun Dec 8 22:47:48 CET 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:48 CET 2024] _init API for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:48 CET 2024] GET
[Sun Dec 8 22:47:48 CET 2024] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Dec 8 22:47:48 CET 2024] timeout=
[Sun Dec 8 22:47:48 CET 2024] _CURL='curl --silent --dump-header /Users/username/.acme.sh/http.header -L --trace-ascii /var/folders/qr/ksgh74rd1yg2pkx5b7wg2h3wz2b5y0/T/tmp.ZAmeYZ2Oqq -g '
[Sun Dec 8 22:47:48 CET 2024] ret='0'
[Sun Dec 8 22:47:48 CET 2024] response='{
"DRsIAd77x2M": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Sun Dec 8 22:47:48 CET 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sun Dec 8 22:47:48 CET 2024] ACME_NEW_AUTHZ
[Sun Dec 8 22:47:48 CET 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Dec 8 22:47:48 CET 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sun Dec 8 22:47:48 CET 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sun Dec 8 22:47:48 CET 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
[Sun Dec 8 22:47:48 CET 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Dec 8 22:47:49 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Dec 8 22:47:49 CET 2024] _on_before_issue
[Sun Dec 8 22:47:49 CET 2024] _chk_main_domain='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _chk_alt_domains='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] 'dns_azure' does not contain 'no'
[Sun Dec 8 22:47:49 CET 2024] Le_LocalAddress
[Sun Dec 8 22:47:49 CET 2024] d='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] Checking for domain='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _currentRoot='dns_azure'
[Sun Dec 8 22:47:49 CET 2024] d='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] Checking for domain='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _currentRoot='dns_azure'
[Sun Dec 8 22:47:49 CET 2024] d
[Sun Dec 8 22:47:49 CET 2024] 'dns_azure' does not contain 'apache'
[Sun Dec 8 22:47:49 CET 2024] _saved_account_key_hash='redacted'
[Sun Dec 8 22:47:49 CET 2024] _saved_account_key_hash was not changed, skipping account registration.
[Sun Dec 8 22:47:49 CET 2024] Read key length: ec-256
[Sun Dec 8 22:47:49 CET 2024] _createcsr
[Sun Dec 8 22:47:49 CET 2024] domain='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] domainlist='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] csrkey='/Users/username/.acme.sh/my.domainzzz.xyz_ecc/my.domainzzz.xyz.key'
[Sun Dec 8 22:47:49 CET 2024] csr='/Users/username/.acme.sh/my.domainzzz.xyz_ecc/my.domainzzz.xyz.csr'
[Sun Dec 8 22:47:49 CET 2024] csrconf='/Users/username/.acme.sh/my.domainzzz.xyz_ecc/my.domainzzz.xyz.csr.conf'
[Sun Dec 8 22:47:49 CET 2024] _is_idn_d='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _idn_temp
[Sun Dec 8 22:47:49 CET 2024] domainlist='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] seg='my'
[Sun Dec 8 22:47:49 CET 2024] _is_idn_d='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _idn_temp
[Sun Dec 8 22:47:49 CET 2024] seg='README.md'
[Sun Dec 8 22:47:49 CET 2024] Multi domain='DNS:my.domainzzz.xyz,DNS:*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _is_idn_d='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _idn_temp
[Sun Dec 8 22:47:49 CET 2024] _csr_cn='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] seg='my'
[Sun Dec 8 22:47:49 CET 2024] Getting domain auth token for each domain
[Sun Dec 8 22:47:49 CET 2024] seg='my'
[Sun Dec 8 22:47:49 CET 2024] _is_idn_d='my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] _idn_temp
[Sun Dec 8 22:47:49 CET 2024] d='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:49 CET 2024] seg='README.md'
[Sun Dec 8 22:47:50 CET 2024] _is_idn_d='*.my.domainzzz.xyz'
[Sun Dec 8 22:47:50 CET 2024] _idn_temp
[Sun Dec 8 22:47:50 CET 2024] d
[Sun Dec 8 22:47:50 CET 2024] _identifiers='{"type":"dns","value":"my.domainzzz.xyz"},{"type":"dns","value":"*.my.domainzzz.xyz"}'
[Sun Dec 8 22:47:50 CET 2024] _notBefore
[Sun Dec 8 22:47:50 CET 2024] _notAfter
[Sun Dec 8 22:47:50 CET 2024] STEP 1, Ordering a Certificate
[Sun Dec 8 22:47:50 CET 2024] =======Sending Signed Request=======
[Sun Dec 8 22:47:50 CET 2024] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Dec 8 22:47:50 CET 2024] payload='{"identifiers": [{"type":"dns","value":"my.domainzzz.xyz"},{"type":"dns","value":"*.my.domainzzz.xyz"}]}'
[Sun Dec 8 22:47:50 CET 2024] EC key
[Sun Dec 8 22:47:50 CET 2024] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Dec 8 22:47:50 CET 2024] HEAD
[Sun Dec 8 22:47:50 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Dec 8 22:47:50 CET 2024] body
[Sun Dec 8 22:47:50 CET 2024] _postContentType='application/jose+json'
[Sun Dec 8 22:47:50 CET 2024] _CURL='curl --silent --dump-header /Users/username/.acme.sh/http.header -L --trace-ascii /tmp_dir/some_file -g -I '
[Sun Dec 8 22:47:50 CET 2024] _ret='0'
[Sun Dec 8 22:47:50 CET 2024] _headers='HTTP/2 200
server: nginx
date: Sun, 08 Dec 2024 21:47:50 GMT
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
replay-nonce: replay-nonce-value
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Sun Dec 8 22:47:50 CET 2024] nonce='replay-nonce-value'
[Sun Dec 8 22:47:51 CET 2024] POST
[Sun Dec 8 22:47:51 CET 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Dec 8 22:47:51 CET 2024] body='{"protected": "protected_value", "payload": "payload_value", "signature": "signature_value"}'
[Sun Dec 8 22:47:51 CET 2024] _postContentType='application/jose+json'
[Sun Dec 8 22:47:51 CET 2024] Http already initialized.
[Sun Dec 8 22:47:51 CET 2024] _CURL='curl --silent --dump-header /Users/username/.acme.sh/http.header -L --trace-ascii /tmp_dir/tmp.file -g '
[Sun Dec 8 22:47:51 CET 2024] _ret='0'
[Sun Dec 8 22:47:51 CET 2024] responseHeaders='HTTP/2 429
server: nginx
date: Sun, 08 Dec 2024 21:47:51 GMT
content-type: application/problem+json
content-length: 306
boulder-requester: 2101872457
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
link: https://letsencrypt.org/docs/rate-limits;rel="help"
replay-nonce: replay-nonce-value
retry-after: 100218
'
[Sun Dec 8 22:47:51 CET 2024] code='429'
[Sun Dec 8 22:47:51 CET 2024] original='{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2024-12-10 01:38:09 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames",
"status": 429
}'
[Sun Dec 8 22:47:51 CET 2024] response='{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2024-12-10 01:38:09 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames",
"status": 429
}'
[Sun Dec 8 22:47:51 CET 2024] Le_LinkOrder
[Sun Dec 8 22:47:51 CET 2024] Le_OrderFinalize
[Sun Dec 8 22:47:51 CET 2024] Error creating new order. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2024-12-10 01:38:09 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames",
"status": 429
}
[Sun Dec 8 22:47:51 CET 2024] pid
[Sun Dec 8 22:47:51 CET 2024] No need to restore nginx config, skipping.
[Sun Dec 8 22:47:51 CET 2024] _clearupdns
[Sun Dec 8 22:47:51 CET 2024] dns_entries
[Sun Dec 8 22:47:51 CET 2024] Skipping dns.
[Sun Dec 8 22:47:52 CET 2024] _on_issue_err
[Sun Dec 8 22:47:52 CET 2024] Please add '--debug' or '--log' to see more information.
[Sun Dec 8 22:47:52 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sun Dec 8 22:47:52 CET 2024] _chk_vlist
[Sun Dec 8 22:47:52 CET 2024] 'dns_azure' does not contain 'dns'
[Sun Dec 8 22:47:52 CET 2024] Diagnosis versions:
openssl:openssl
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)
Apache:
Apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on
running on Darwin version Darwin Kernel Version 24.1.0: Thu Oct 10 21:03:11 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6020, release 24.1.0, machine arm64
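The behaviour in the log (acme.sh reads Le_API from the domain's conf and "switches back" to production, ignoring --staging) can be guarded against from outside the script. The following is an added example, not acme.sh code: a hypothetical wrapper-side preflight that reads the stored Le_API and refuses a forced --staging renewal when the conf does not point at the staging directory. It assumes the conf file holds one KEY='VALUE' per line, as acme.sh writes it; the conf content is constructed for the demo.

```shell
#!/bin/sh
# Hypothetical wrapper-side guard (added example, not acme.sh code): before
# "acme.sh --renew --force --staging", read the Le_API that acme.sh stored in
# the domain's conf file and refuse when it is not the staging directory,
# since acme.sh renews against the stored API and ignores --staging.

STAGING_API='https://acme-staging-v02.api.letsencrypt.org/directory'

# Print the Le_API stored in an acme.sh conf file (assumed format: one
# KEY='VALUE' per line, as acme.sh writes it). Prints nothing if absent.
conf_api() {
  sed -n "s/^Le_API='\(.*\)'\$/\1/p" "$1"
}

# check_renew CONF_FILE yes|no   (second arg: was --staging requested?)
# Returns 0 when the renewal may proceed, 1 when --staging was requested but
# the stored API would silently take over. A missing Le_API is treated as
# unknown, hence unsafe, rather than assumed to be staging.
check_renew() {
  _conf=$1; _want_staging=$2
  _stored=$(conf_api "$_conf")
  if [ "$_want_staging" = yes ] && [ "$_stored" != "$STAGING_API" ]; then
    echo "refusing renewal: $_conf stores Le_API='${_stored:-<unset>}'," \
         "not the staging directory; fix the conf or drop --staging" >&2
    return 1
  fi
  return 0
}

# write_conf FILE API: constructed conf fragment mirroring the issue, where
# the first --issue ran against production so Le_API points at acme-v02.
write_conf() {
  printf "Le_Domain='my.domainzzz.xyz'\nLe_Alt='*.my.domainzzz.xyz'\nLe_API='%s'\n" "$2" > "$1"
}

# Stand-alone demo (run with --demo): production conf + --staging is refused,
# the same conf without --staging proceeds, a real staging conf proceeds.
demo() {
  _f=$(mktemp)
  write_conf "$_f" 'https://acme-v02.api.letsencrypt.org/directory'
  check_renew "$_f" yes && echo "unexpected: proceeded" || echo "blocked as intended"
  check_renew "$_f" no && echo "production renew without --staging: ok"
  write_conf "$_f" "$STAGING_API"
  check_renew "$_f" yes && echo "staging conf with --staging: ok"
  rm -f "$_f"
}

[ "${1:-}" = --demo ] && demo
```

Exit status 1 from check_renew is what a cron or CI wrapper should key on; the message on stderr names the conf file so the operator can confirm which API the renewal would really hit.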


github-actions bot commented Dec 8, 2024

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
