I tried the auto-renew feature, but it does not work in manual mode. They intend it to be run automated and unattended, but I can't do that because I want to use the certificate on google app engine.
So basically, you have to re-issue the certicate , which means updating the challenge response on your website.
Well, I did all that, and generated a new certificate.
Unfortunately it expires the same time as the certificate I want to replace... WTF?
Anyway, I cleaned out /etc/letsencrypt and tried again from scratch:
sudo ./letsencrypt-auto certonly -a manual --rsa-key-size 2048 --email firstname.lastname@example.org -d mydomain.org.au
and this time it generated me a certificate with the correct expiry date.
Then I have to convert the format for google app engine:
openssl rsa -inform pem \
-in /etc/letsencrypt/live/mydomain.org.au/privkey.pem \
-outform pem > /etc/letsencrypt/live/mydomain.org.au/privkey_fixed.pem
and we are good.
This time I documented it so I can rmember in 90 days time when I need to renew it again!