[Bug]: Misleading auto-renewal message when using a custom --config-dir #10636

@arsalanyavari

OS

Ubuntu 24.04

Installation method

apt

Certbot Version

2.9.0

What happened?

When a certificate is obtained using a custom --config-dir, Certbot still prints:

Certbot has set up a scheduled task to automatically renew this certificate in the background.

However, the preconfigured systemd renewal service installed by the Ubuntu apt package runs a normal certbot renew command without the same --config-dir. As a result, the newly issued certificate is not visible to certbot renew or certbot certificates unless the same --config-dir is passed again.

This makes the message misleading, because it says "this certificate" will be automatically renewed, while the preconfigured renewal job does not actually cover that certificate.

This is related to #9931, but it is not exactly the same issue. In that issue, the problem is that the auto-renewal job may not exist at all. In this case, the auto-renewal job does exist, but it runs without the custom --config-dir, so it does not renew the certificate created under that custom config directory.

More info about the service configuration:

/etc/letsencrypt/cli.ini contains:

preconfigured-renewal = True

The installed systemd service is:

# systemctl cat certbot.service
# /usr/lib/systemd/system/certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://certbot.eff.org/docs

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew
PrivateTmp=true

Steps to reproduce

certbot certonly \
  -d <DOMAIN> \
  --config-dir <DIR_PATH>

After the certificate is successfully issued, Certbot prints:

Certbot has set up a scheduled task to automatically renew this certificate in the background.

However, the systemd renewal service installed by the apt package runs:

It does not pass --config-dir <DIR_PATH>.

Therefore, the certificate stored under the custom config directory is not included in the normal renewal run.

Expected behavior

When a certificate is issued with a custom --config-dir, Certbot should not unconditionally print:

Certbot has set up a scheduled task to automatically renew this certificate in the background.

because the existing preconfigured renewal service may not cover that certificate.

A better message would be something like:

This certificate was created using a custom --config-dir. The preconfigured renewal task may not renew this certificate unless it also runs certbot renew with the same --config-dir.

To include this certificate in automatic renewal, configure your scheduled renewal task to run:

  certbot renew --config-dir /some/custom/path

Relevant log output

Successfully received certificate.
Certificate is saved at: /root/certificate/live/domain.com/fullchain.pem
Key is saved at:         /root/certificate/live/domain.com/privkey.pem
This certificate expires on 2026-07-31.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
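A check for the gap described in this report, as an added example (not Certbot's code and not part of the original issue): it reads the renewal service's ExecStart line, works out which config directory `certbot renew` will use, and lists renewal configs in other directories that the job will never see. It assumes Certbot's default config directory `/etc/letsencrypt` and its `renewal/*.conf` layout, and it ignores any `config-dir` set in `cli.ini`; the function names are hypothetical.

```python
import shlex
from pathlib import Path

# Certbot's default --config-dir when none is given on the command line.
# Assumption: cli.ini does not override it (this example does not read cli.ini).
DEFAULT_CONFIG_DIR = "/etc/letsencrypt"


def renew_config_dir(exec_start: str) -> str:
    """Return the config dir a scheduled `certbot renew` command operates on."""
    args = shlex.split(exec_start)
    for i, arg in enumerate(args):
        if arg == "--config-dir" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--config-dir="):
            return arg.split("=", 1)[1]
    return DEFAULT_CONFIG_DIR


def uncovered_lineages(exec_start: str, config_dirs) -> list:
    """List renewal configs under config_dirs that the scheduled job will miss.

    Certbot keeps one <config-dir>/renewal/<name>.conf per certificate lineage;
    `certbot renew` only walks the renewal/ folder of the config dir it runs with.
    """
    covered = Path(renew_config_dir(exec_start)).resolve()
    missed = []
    for d in config_dirs:
        d = Path(d)
        if d.resolve() == covered:
            continue  # the scheduled job already uses this directory
        missed += sorted(str(p) for p in (d / "renewal").glob("*.conf"))
    return missed


if __name__ == "__main__":
    # ExecStart as shown in the packaged certbot.service above.
    packaged = "/usr/bin/certbot -q renew --no-random-sleep-on-renew"
    # Custom directory taken from the log output above; adjust for your host.
    custom_dirs = ["/root/certificate"]
    for conf in uncovered_lineages(packaged, custom_dirs):
        print(f"NOT covered by scheduled renewal: {conf}")
```

Any path it prints belongs to a certificate that will expire unless a separate timer or cron entry runs `certbot renew` with the matching `--config-dir`.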
