cert-manager: Setting RenewBefore does not make certificate renewed

Describe the bug: I am trying to figure out how renewBefore works in the Certificate spec. I created the certificate below:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  generation: 1
  name: test-new.zhiminx.info
  namespace: default
spec:
  acme:
    config:
    - dns01:
        provider: cloud-dns-provider
      domains:
      - '*.test-new.zhiminx.info'
  dnsNames:
  - '*.test-new.zhiminx.info'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-issuer
  renewBefore: 2159h50m0s
  secretName: test-new.zhiminx.info
status:
  conditions:
  - lastTransitionTime: "2019-03-28T05:06:56Z"
    message: Certificate is up to date and has not expired
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2019-06-26T04:06:55Z"

And the ClusterIssuer uses ACME config.

The TLS secret of the Certificate was successfully issued.

Expected behaviour: I expect that at the timestamp notAfter - renewBefore, the corresponding secret of the certificate will be renewed, i.e. tls.crt and tls.key in the secret will be updated with new content.

In this case, the timestamp of notAfter - renewBefore is 2019-03-28T04:16. But I did not see any secret update at this timestamp.

Environment details:

  • Kubernetes version: 1.11.7
  • Cloud-provider/provisioner: GKE
  • cert-manager version: release-0.6
  • Install method (e.g. helm or static manifests): static manifests
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/cert-manager.yaml --validate=false

/kind bug

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (14 by maintainers)

Most upvoted comments

Well, hang on, because to me that sounds like a bug; we should probably reject the cert if the date was in the past. Probably we should keep this open.
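
The check below is an added example, not cert-manager's code and not part of the original issue: it carries out the notAfter - renewBefore arithmetic from the report with the values in the Certificate above and compares the result to the Ready condition's lastTransitionTime. The function names RenewalTime and RenewalLead are hypothetical, and treating lastTransitionTime as the moment of issuance is an assumption.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalTime returns notAfter - renewBefore.
// notAfter is RFC 3339; renewBefore uses Go duration syntax ("2159h50m0s").
func RenewalTime(notAfter, renewBefore string) (time.Time, error) {
	na, err := time.Parse(time.RFC3339, notAfter)
	if err != nil {
		return time.Time{}, fmt.Errorf("notAfter: %w", err)
	}
	d, err := time.ParseDuration(renewBefore)
	if err != nil {
		return time.Time{}, fmt.Errorf("renewBefore: %w", err)
	}
	if d <= 0 {
		return time.Time{}, fmt.Errorf("renewBefore must be positive, got %s", d)
	}
	return na.Add(-d), nil
}

// RenewalLead reports how long after readyAt the renewal point falls.
// Zero or negative means the renewal point had already passed at readyAt
// (assumption: readyAt stands in for the time of issuance).
func RenewalLead(readyAt, notAfter, renewBefore string) (time.Duration, error) {
	ready, err := time.Parse(time.RFC3339, readyAt)
	if err != nil {
		return 0, fmt.Errorf("readyAt: %w", err)
	}
	rt, err := RenewalTime(notAfter, renewBefore)
	if err != nil {
		return 0, err
	}
	return rt.Sub(ready), nil
}

func main() {
	// Values copied from the Certificate in the issue.
	lead, err := RenewalLead("2019-03-28T05:06:56Z", "2019-06-26T04:06:55Z", "2159h50m0s")
	if err != nil {
		panic(err)
	}
	fmt.Println("renewal point relative to Ready time:", lead)
}
```

With the issue's values the lead is negative: the computed renewal point falls before the time the certificate was marked Ready.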