Cannot renew an Ad Hoc profile before it expires because no certificate matches the certificate ID

Ad-Hoc Provisioning Profiles are composed of three main elements:

• Exactly 1 AppID
• The Public Key of your Distribution Certificate
• One or more Registered Test Device IDs

When you first generated this Provisioning Profile (about a year ago if your current one is expiring soon!), you instructed it to use your then current Distribution Certificate when constructing that provisioning profile -- the resulting Ad-Hoc Profile's expiration date is set to match the expiration of the Distribution Certificate as you can't launch an app signed with an expired certificate (Aside: This doesn't necessarily apply in Jailbroken scenarios...)

Your main question of 'Can it be fixed without revoking?' is a solid 'No' -- Even if you could make adjustments, the soon-expiring Distribution Certificate would cause the newly reissued Ad-Hoc Profile to have an expiry matching that of the Distribution Certificate. You'll be back in this same situation in 14 days when both your certificate and Provisioning Profile have both expired. Unfortunately at that time you'll also have a new problem, any existing builds you have out to your testers will no longer launch as the signing certificate and provisioning profile will have lapsed.

Instead, these last two weeks are your opportunity to be proactive and get your users migrated to a new build with a new Certificate and Provisioning Profile. With my own testers, I treat the last few weeks of my current Distribution Certificate as a migration window to get builds switched over and get my testers to download and install the latest test build so that they can keep going with their testing. The great news is that you caught your certificates expiring with more than enough time to get things straightened out and get your testers migrated -- some aren't so lucky and have to play catchup after things have expired and have testers shouting about your app crashing/no longer launching...definitely an undesirable outcome for any developer, especially if you are a one-person shop and having to coordinate both development and beta tester communications yourself.

So what do I have to do?

At a high level, doing the migration is nearly identical to getting this Ad-Hoc profile setup the first time -- It just requires cleaning up the old data from your Keychain and Provisioning Profiles as well as sending out some tester emails encouraging your team to upgrade once you make a new build available to them. At a high level this process looks like this:

1. Revoke your existing Distribution Certificate and reissue a new Distribution Certificate.
2. Delete the existing Distribution Certificate from your Keychain and install the new one.
3. Update and install the now 'Invalid' Ad-Hoc profile to use your newly created Distribution Certificate
4. Update Code Sign Build Settings if necessary.
5. Construct and issue your Ad-Hoc build to your testers.

Wait -- Won't revoking my existing certificate disrupt my testers?

Nope, not in the least bit! Your existing Ad-Hoc builds will continue to work perfectly well until after the expiration date because they have all the information they need to verify code signatures right inside the Ad-Hoc build you've already sent them. Once the certificate expires, however then things will fail to launch and you'll have screaming testers on your hands.

I'm going to assume that you are using an Individual account, so certificates will appear in the format "iPhone Developer: FirstName LastName" and "iPhone Distribution: FirstName LastName". If you are using a Company Account, then the format will be slightly different. I'm also going to assume that you only have your one account; if you are enrolled in multiple developer accounts, take extra care when searching for and deleting your existing certificates and profiles from Keychain as there may be multiple similar entries.

To begin, quit out of Xcode and then head over to developer.apple.com/ios login to the "Certificates, Identifiers & Profiles" area. This is formerly known as the "Provisioning Center".

Revoking and Reissuing the Distribution Certificate

1. Navigate to the Distribution Certificates Area.
2. Locate your soon-to-expire Distribution Certificate and revoke it. You'll likely encounter a message informing you that revoking this certificate will invalidate any linked provisioning profiles -- that is entirely expected and OK. In fact, that is exactly what we want it to do so that you can get things updated!
3. Click the 'Add' button in the upper right corner and walk through the steps to make a new "App Store and Ad Hoc" Distribution Certificate. Download the file to your machine, but don't install it just yet -- we should clean up the old certificate from your Development Machine first.

Deleting the Revoked Certificate and Installing the New Certificate

1. Open Keychain Access and search for 'iPhone Distribution'.
2. Delete any blue certificates that match 'iPhone Distribution'. The certificate icon may also show a red 'X' indicating that it is either expired or revoked. These may be cleaned up as well as they are no longer of use.
3. Double-click the newly downloaded certificate and install it.

Edit the Ad-Hoc Provisioning Profiles

1. Navigate to the Distribution Provisioning Profiles section and locate your Ad-Hoc Profile.
2. Edit that profile updating the test device list if necessary.
3. Click Generate and download the newly created Provisioning Profile. If the Generate button is disabled check that there are no special characters in the Provisioning Profile's name and that you've selected at least one test device.
4. Drag and drop the newly downloaded provisioning profile on to Xcode. Any old versions of the profile may be deleted from Organizer.

At this point you should be back in business and ready to update Code Sign settings if necessary (that is, if you set them to match a specific profile instead of using the Automatic Profile Selector option you'll need to update that setting to point to the now current version of your Provisioning Profile).

Again, you are fortunate in that you are taking steps to get this issue fixed while you testers are still able to use your app and not having to rush or hurry to get this done. Take your time and make sure to cleanup the older certificates and expiring provisioning profiles to make it easier for Xcode to figure out that you want it to use the newest profile.