Wandering Thoughts archives

2023-01-22

How Let's Encrypt accounts are linked to your certificates in Certbot

If life is simple, every machine you run will have its own Let's Encrypt account and you'll never do things like copy or move a TLS certificate (and possibly much or all of /etc/letsencrypt) from one machine to another. If you do wind up moving LE TLS certificates and perhaps all of Certbot's /etc/letsencrypt, you can wind up with shared Let's Encrypt accounts or stranded TLS certificates, and you may want to straighten this out. As far as I've seen, Certbot doesn't really document how accounts are set up or how they connect to certificates, so here are notes on the pragmatic bits I've had to work out.

In theory, starting from Certbot 1.23 you can find out information about your accounts with 'certbot show_account'. In practice, Ubuntu 22.04 LTS still has Certbot 1.21, and show_account doesn't show you one critical piece of information, namely Certbot's local identifier for the account. So instead you have to look under /etc/letsencrypt, where in accounts/acme-v02.api.letsencrypt.org/directory/ you will find one subdirectory per production LE account you have. Each account (i.e. subdirectory) has a name that's 32 hex digits, which is Certbot's (internal) name for this account. In each account's subdirectory, the meta.json will give you some basic information about the account, currently the creation date and hostname, although not necessarily the email address associated with it (which 'certbot show_account' can retrieve from Let's Encrypt).

Issued TLS certificates aren't directly tied to a Let's Encrypt account by Certbot. Instead, what's tied to the account is the renewal. Each TLS certificate has a /etc/letsencrypt/renewal/<name>.conf file, and one of the things listed in each file is the account that Certbot will try to use to renew the certificate:

# Options used in the renewal process
[renewalparams]
account = baf3e1c5a7[...]
authenticator = standalone
[...]

If the account isn't found under /etc/letsencrypt/accounts at renewal time, Certbot will fail with an error. To change the account used for renewal, you just edit the 'account =' line, which is where you really want to know the Certbot account name (those 32 hex digits) of the right account. As far as I know there is no Certbot command to do this by itself, although possibly if you re-request a TLS certificate for the names, Certbot will update the configuration file to use the account you have available.

If you have more than one Certbot account on a host (for example because you merged a locally created /etc/letsencrypt with one from another server), Certbot commands like 'certbot certonly' will pause to ask you what account to use (presenting you with useful information about each account, so you can make a somewhat informed choice). If this is annoying to you, you need to remove all but one account and then make sure all of your TLS certificates are being renewed by that account, generally by editing their files in /etc/letsencrypt/renewal.
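Since Certbot doesn't ship a tool that does this audit, here is an added example script (my own, not Certbot's code) that walks a /etc/letsencrypt-style tree, lists the production accounts it finds, reads the 'account =' line out of each renewal .conf, and reports which certificates are stranded on an account that isn't present; it can also rewrite a stranded .conf to point at an account you do have. It assumes the layout described above (accounts/acme-v02.api.letsencrypt.org/directory/<32 hex digits>/meta.json and renewal/<name>.conf with a [renewalparams] section). The sample tree it builds, including the account ids, hostnames and dates, is constructed for the demonstration; point audit() at a real /etc/letsencrypt to use it for real.

```python
#!/usr/bin/env python3
# Added example, not Certbot's own code. Assumes the /etc/letsencrypt layout
# described in the text; all ids, hostnames and dates below are constructed.
import json
import re
import tempfile
from pathlib import Path

PROD_DIRECTORY = "acme-v02.api.letsencrypt.org/directory"
ACCOUNT_ID = re.compile(r"[0-9a-f]{32}")  # Certbot's local account names


def list_accounts(root):
    """Return {account_id: meta.json contents} for each production account."""
    accounts = {}
    acct_dir = Path(root) / "accounts" / PROD_DIRECTORY
    if not acct_dir.is_dir():
        return accounts
    for entry in sorted(acct_dir.iterdir()):
        if not (entry.is_dir() and ACCOUNT_ID.fullmatch(entry.name)):
            continue
        try:
            meta = json.loads((entry / "meta.json").read_text())
        except (OSError, ValueError):
            meta = {}  # tolerate a half-copied account directory
        accounts[entry.name] = meta
    return accounts


def renewal_account(conf_path):
    """Return the account id named in [renewalparams], or None if absent.

    A renewal .conf starts with 'key = value' lines outside any section,
    which configparser rejects, so the file is scanned by hand.
    """
    section = None
    for raw in Path(conf_path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "renewalparams" and key.strip() == "account":
            return value.strip()
    return None


def set_renewal_account(conf_path, new_account):
    """Rewrite the 'account =' line in [renewalparams]; True if a line changed."""
    if not ACCOUNT_ID.fullmatch(new_account):
        raise ValueError("account id must be 32 hex digits: %r" % new_account)
    path, out, section, changed = Path(conf_path), [], None, False
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "renewalparams" and line.partition("=")[0].strip() == "account":
            raw, changed = "account = " + new_account, True
        out.append(raw)
    if changed:
        path.write_text("\n".join(out) + "\n")
    return changed


def audit(root):
    """Return (by_account, stranded): certs grouped by the account that renews
    them, and certs whose .conf names an account missing under accounts/."""
    by_account = {acct: [] for acct in list_accounts(root)}
    stranded = {}
    for conf in sorted((Path(root) / "renewal").glob("*.conf")):
        acct = renewal_account(conf)
        if acct in by_account:
            by_account[acct].append(conf.stem)
        else:
            stranded[conf.stem] = acct
    return by_account, stranded


def build_sample_tree():
    """Construct a throwaway lookalike of /etc/letsencrypt (sample values only)."""
    root = Path(tempfile.mkdtemp(prefix="le-audit-"))
    local = "0123456789abcdef0123456789abcdef"
    imported = "fedcba9876543210fedcba9876543210"
    missing = "deadbeefdeadbeefdeadbeefdeadbeef"  # named in a .conf, never copied over
    for acct, host in ((local, "web1.example"), (imported, "old-web.example")):
        d = root / "accounts" / PROD_DIRECTORY / acct
        d.mkdir(parents=True)
        (d / "meta.json").write_text(json.dumps(
            {"creation_dt": "2023-01-22T20:00:00Z", "creation_host": host}))
    (root / "renewal").mkdir()
    for name, acct in (("www.example", local), ("mail.example", imported),
                       ("old.example", missing)):
        (root / "renewal" / (name + ".conf")).write_text(
            "version = 1.21.0\narchive_dir = /etc/letsencrypt/archive/%s\n\n"
            "# Options used in the renewal process\n[renewalparams]\n"
            "account = %s\nauthenticator = standalone\n" % (name, acct))
    return root, local, imported, missing


if __name__ == "__main__":
    root, local, imported, missing = build_sample_tree()
    print("before:", audit(root))
    set_renewal_account(root / "renewal" / "old.example.conf", local)
    print("after fixup:", audit(root))
```

Run it as root against the real tree by replacing build_sample_tree() with Path("/etc/letsencrypt"); anything it lists under "stranded" is a certificate whose renewal will fail until its 'account =' line names an account that actually exists on this host, which is exactly the edit described above. Back up the .conf before letting set_renewal_account() rewrite it.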

(I understand why Certbot is this way, but I wish there was a 'certbot fixup' command that would just do all of these updates for you. Along with a Certbot command specifically to change the status of certificate renewal between 'standalone' and 'webroot'. It would make life simpler for system administrators, or at least us.)

sysadmin/LetsEncryptCertbotAccounts written at 21:44:43
