About ACME Accounts

I used to create certs for testing, and I use and issue a lot of 'em and also revoke those I deem unwanted, and rebuild my cloud server from scratch when something goes wrong. So those ACME accounts are gone forever each time I rebuild the cloud server, since I just don't bother about those ACME accounts, but I think, wouldn't it be nicer if we could:

a) regain those accounts so we don't have to re-validate the domains that we own or,
b) delete all accounts that are bound to our email address or,
c) delete all accounts that are bound to our domain,

or is it just fine for those ACME accounts to be lost, and people can create many ACME accounts and not bother about it at all?

Thanks in advance :slight_smile:

A curious user.

You shouldn't use ephemeral storage, but keep the account credentials somewhere permanent so it can be re-used. The way you're acting now sounds very wasteful to me.

6 Likes

Please also take a look at the Storing and Reusing Certificates and Keys section of the integration guide. Keep your keys in a persistent way, like other configuration data, even if your server is an ephemeral "cloud" instance.

Also, be sure you're using the Staging Environment for testing.

5 Likes

"You shouldn't use ephemeral storage"

What does that mean?

And how exactly can I back up the account credentials? Which folder do I need to back up?

I agree it's wasteful because I create ACME accounts every time I replace the root storage of my instance. :sweat_smile:

From a quick read, is it the storage my instance is using? If so, then should I generate the certs on my PC instead of on the instance?

How do you store the things that don't go away when you "replace the root storage", like content for your site or the configuration of your web server? The keys you use should be stored in the same kind of way, so that the script that sets up your server pulls the keys too.

That depends a lot on what ACME client you use. Not all of them deal with this sort of use case particularly well.

That might be a way to have things work, but it may just be overcomplicating things.

6 Likes

I simply just use Certbot, and just found a way to back up the ACME account lol.

Yeah this might save a lot of headaches, thanks for the suggestion.

Big thanks to the folks that helped me, wasn't expecting a fast reply :slight_smile:

1 Like

For Certbot, you should store /etc/letsencrypt/ in a permanent way.

5 Likes

Got it right there, thanks man :+1:

2 Likes

Please do NOT revoke certs simply because they are unwanted.

6 Likes

I wouldn't worry too much about abandoning old ACME accounts which you don't have the key for anymore.

I would say it's more important to keep your account key secure than to back it up, so you may decide to simply get a new account when you build a new server.

There's very little ongoing cost to Let's Encrypt for old, idle accounts. Some day we may even delete inactive accounts (say, after a few years of disuse), but we haven't made plans for that yet as it's not been a big problem.

6 Likes
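
For the Certbot advice above (keep `/etc/letsencrypt/` somewhere permanent, and keep the account key secure), an added example that is not code from any poster or from Certbot: it archives the directory with owner-only permissions and restores it on a rebuilt server only when no account key is present yet. The function names, archive path and exit codes are assumptions; `accounts/<server>/directory/<id>/private_key.json` is where Certbot keeps the ACME account key.

```bash
#!/bin/sh
# Added example. Function names, archive path and exit codes are assumptions;
# /etc/letsencrypt/accounts/<server>/directory/<id>/private_key.json is
# Certbot's ACME account key location.

# Succeeds if <config-dir> already holds at least one ACME account key.
le_has_account() {
    find "$1/accounts" -name private_key.json 2>/dev/null | grep -q .
}

# Prints account keys whose mode is not exactly 0400 or 0600.
le_loose_keys() {
    find "$1/accounts" -name private_key.json ! -perm 400 ! -perm 600 2>/dev/null
}

# le_backup <config-dir> <archive.tar.gz>
# umask 077 makes the archive owner-only: it contains the account key.
le_backup() {
    [ -d "$1/accounts" ] || { echo "no accounts/ under $1" >&2; return 1; }
    ( umask 077 && tar -czpf "$2" -C "$1" . )
}

# le_restore <archive.tar.gz> <config-dir>
# Refuses to overwrite an existing account (2); flags loose key modes (3).
le_restore() {
    if le_has_account "$2"; then
        echo "account already present in $2, not overwriting" >&2
        return 2
    fi
    mkdir -p "$2"
    tar -xzpf "$1" -C "$2"    # -p keeps the archived file modes
    if le_loose_keys "$2" | grep -q .; then
        echo "account key mode is not 0400/0600 under $2" >&2
        return 3
    fi
}

# Usage: le-state.sh backup|restore <archive>; no arguments only defines functions.
LE_DIR=${LE_DIR:-/etc/letsencrypt}
case "${1:-}" in
    backup)  le_backup "$LE_DIR" "$2" ;;
    restore) le_restore "$2" "$LE_DIR" ;;
esac
```

Run the restore step from the server setup script before Certbot is first invoked, so the rebuilt instance reuses the existing account instead of registering a new one.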

I see, though I'll try to reduce the times I request ACME accounts by any means necessary, big thanks for the help given :slight_smile:

1 Like
