Accidentally deleted 'accounts' folder from letsencrypt directory

Hi,

I’ve accidentally deleted the ‘accounts’ folder from the letsencrypt directory. I don’t have a backup, so the contents of the ‘accounts’ directory are lost. As far as I know, it will not be possible to renew certificates after that.

Can you please tell me how should I deal with this situation?

Many thanks

Hi @devis,

This accident doesn’t prevent you from getting new certificates in the future, because the ability to get a certificate for a particular domain name is not linked to an account. However, it will indeed interfere with the certbot renew functionality because the account that is to be used for each renewal is recorded in the associated file in /etc/letsencrypt/renewal.

There is no built-in way to recover from this condition automatically in Certbot. You could delete all of /etc/letsencrypt and start over, but this may break your web server configuration if any of the existing certificates are in active use on the server. If you instead want to continue using and renewing your existing certificates, you could try the following:

  • Make an empty /etc/letsencrypt/accounts directory (this step is probably not necessary)
  • Create a new account with certbot register
  • Note the new account ID with sudo ls -l /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory (it will be a 32-character hexadecimal string)
  • Edit each text file in /etc/letsencrypt/renewal and find the line that defines account. For each such line, change the account ID there (referring to your old deleted account), updating it to make it reflect the new account ID instead.

After this, certbot renew should most likely be able to work again.

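The four manual steps above can be scripted so the renewal configs are edited mechanically and then checked. The following is an added example, not code from this thread or from Certbot itself; it assumes the stock layout (accounts under /etc/letsencrypt/accounts/<ACME host>/directory/<32-hex id>, renewal configs under /etc/letsencrypt/renewal/*.conf) and takes the ACME host name as a parameter rather than hard-coding the v01 host mentioned above. The demo tree it builds is constructed in a temp directory so nothing here touches a real installation.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot itself.
# Automates the manual steps above once `certbot register` has run:
#   1. find the new 32-hex account ID under accounts/<acme host>/directory
#   2. rewrite the `account = <old id>` line in every renewal config
#   3. check that no renewal config still points at a missing account
# Assumptions (not stated on the page): the stock layout <le_dir>/accounts
# and <le_dir>/renewal/*.conf, and the ACME host name passed as a parameter.
set -eu

# Print the single 32-hex account directory name under
# <le_dir>/accounts/<acme_host>/directory; fail unless there is exactly one,
# so a leftover or second account is never picked silently.
find_new_account_id() {
    le_dir=$1; acme_host=$2
    acct_root="$le_dir/accounts/$acme_host/directory"
    count=0; found=''
    for d in "$acct_root"/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        printf '%s\n' "$id" | grep -q '^[0-9a-f]\{32\}$' || continue
        found=$id; count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one account under $acct_root, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Replace the account ID in every <le_dir>/renewal/*.conf, keeping a .bak
# copy of each file touched. Only a line of the exact form
# "account = <32 hex chars>" is changed; everything else is left alone.
# Prints the number of files rewritten.
rewrite_account_ids() {
    le_dir=$1; new_id=$2
    printf '%s\n' "$new_id" | grep -q '^[0-9a-f]\{32\}$' || {
        echo "refusing non-hex or wrong-length account id: $new_id" >&2
        return 1
    }
    changed=0
    for conf in "$le_dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        grep -q '^account *= *[0-9a-f]\{32\}$' "$conf" || continue
        cp "$conf" "$conf.bak"
        sed "s/^\(account *= *\)[0-9a-f]\{32\}$/\1$new_id/" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
        changed=$((changed + 1))
    done
    printf '%s\n' "$changed"
}

# Count renewal configs whose account ID has no directory under
# accounts/<acme_host>/directory. 0 means every renewal can find its account.
dangling_account_refs() {
    le_dir=$1; acme_host=$2
    n=0
    for conf in "$le_dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        id=$(sed -n 's/^account *= *\([0-9a-f]\{32\}\)$/\1/p' "$conf")
        [ -n "$id" ] || continue
        [ -d "$le_dir/accounts/$acme_host/directory/$id" ] || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Constructed stand-in for /etc/letsencrypt (one fresh account, one renewal
# config still naming the deleted account) so the functions can be tried
# offline. Prints the temp directory; remove it when done.
make_demo_tree() {
    root=$(mktemp -d)
    host=acme-v01.api.letsencrypt.org
    mkdir -p "$root/accounts/$host/directory/0123456789abcdef0123456789abcdef" \
             "$root/renewal"
    cat > "$root/renewal/example.com.conf" <<EOF
version = 0.13.0
archive_dir = $root/archive/example.com
cert = $root/live/example.com/cert.pem
[renewalparams]
account = ffffffffffffffffffffffffffffffff
server = https://$host/directory
authenticator = webroot
EOF
    printf '%s\n' "$root"
}
```

On a real host the sequence is `new=$(find_new_account_id /etc/letsencrypt acme-v01.api.letsencrypt.org) && rewrite_account_ids /etc/letsencrypt "$new"`, run as root, followed by `dangling_account_refs` to confirm it reports 0 and then `certbot renew` as in the post above. Pass the host that the `server =` line of the renewal config names rather than assuming the v01 host, since the accounts directory is keyed by that host. The .bak copies are what you revert to if a renewal still fails.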

Hi,

Thank you! I’ll try it.

One more question. Do the files in the ‘archive’ folder take part in the renewal procedure? Or is it only for storing used keys?

Thanks

It stores past certificates and keys, and the current ones. /etc/letsencrypt/live contains symlinks to the most recent files in /etc/letsencrypt/archive.

When renewing, Certbot will read the old (current) certificate to figure out what names to use for the new certificate.

Moreover, when saving the new certificate and private key files, Certbot may malfunction if the files are in disarray. It's not designed to be completely robust when its storage is corrupt.

Why do you ask? If /etc/letsencrypt/archive is damaged, it's probably possible to reconstruct it, but it would be easier to delete the affected certificate's files (including the /etc/letsencrypt/renewal/ file) and issue a fresh one. (Unless the rate limits would prevent it.)

Hi,

Thank you for answer.

Yes, /etc/letsencrypt/archive is damaged too. Only the 'accounts' and 'archive' folders are damaged. What is the way to reconstruct archive? I know that creating a fresh one would be the better idea, but I'm worried that my web site will break. Recreating will be the last step I take if the recovery procedure does not help.

Thank you very much

What Certbot plugin are you using to authenticate to the CA? Is your web site currently broken due to the deleted certificates and keys?

Hi,

I’m using the following letsencrypt packages:

root@host:~# pip show letsencrypt
Name: letsencrypt
Version: 0.7.0
Summary: ACME client
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
Author-email: client-dev@letsencrypt.org
License: Apache License 2.0
Location: /usr/local/lib/python2.7/dist-packages
Requires: certbot
root@host:~# pip show certbot
Name: certbot
Version: 0.13.0
Summary: ACME client
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
Author-email: client-dev@letsencrypt.org
License: Apache License 2.0
Location: /usr/local/lib/python2.7/dist-packages
Requires: zope.interface, pyrfc3339, setuptools, cryptography, zope.component, pytz, ConfigArgParse, configobj, six, PyOpenSSL, argparse, acme, mock, parsedatetime

About archive: I’ve restored all keys and certificates. I used @Osiris's advice from this topic: Restore pem files
I downloaded all certificates from https://crt.sh and compared them with the keys from the keys/ directory. The keys matched all certificates. Currently my web site is running.

Now I want to restore accounts (with the advice you gave me) but I’m still worried whether it’ll work.
I have a letsencrypt repo on another node for another web site and there are no damaged folders there. Maybe it can help me to restore accounts on the current node?

Many thanks

It's not directly relevant, but can I ask, how come Certbot is version 0.13.0? The current release is 0.19.0.

Also, was it installed via pip? It's encouraged to use certbot-auto or OS package instead.

Congrats! :smile:

Probably not... This sounds weird, but unless you copied the /etc/letsencrypt/accounts/ directory originally, you have multiple, different accounts. (Which is normal and okay.)

If you copy the account now, or if you register a new account, either way you'll have to edit the /etc/letsencrypt/renewal/ files as @schoen explained above.

If you did copy the account before, yes, copying it again is a good idea. :slightly_smiling_face:

Hi,

Thanks for reply :slight_smile:
I see some ways to handle this issue (other than recreating all certificates):

  1. Register a new account with certbot register and edit /etc/letsencrypt/renewal/ as @schoen mentioned before.
  2. Copy the accounts folder from another node, edit the meta file and /etc/letsencrypt/renewal/ too.

But I’m not familiar with the renewal procedure and the contents of the accounts folder. Is the account ID mentioned only in the /etc/letsencrypt/renewal/ configs? I mean, won’t I get an error if I renew a certificate with a changed account ID in the configs? Will it be possible to renew a certificate that was created by the old account ID with the new account ID? Will it be allowed?

Another question, just asked in the hope that everything will be fine doing such things with the account ID. What should I know about the accounts folder content? What is private_key.json? Is it possible to have the same private_key.json for 2 accounts (in the case of the 2nd option of my proposal above)? I think everything is about the 32-character hexadecimal code and I’m wondering if private_key.json might contain some hashed form of the account ID (the 32-character code)?

So many questions. Sorry for bothering you. I still hope I can fix it without a lot of pain :sweat_smile: :smile:

Many thanks

There's nowhere else that Certbot uses this information, and there's nothing in the Let's Encrypt CA's policy that prevents you from renewing using a different account. So this part should not be a problem.


It's your account's RSA private key. Similar to the "privkey.pem" files for certificates, but... for your account, and JSON.

Can you use the same private key on two accounts? I'm not sure. I don't think so.

Can you use the same account on two computers? Absolutely.

If you copied over all of /etc/letsencrypt/accounts you'd have two computers using the same Let's Encrypt account. (Which is also fine.)

Hi,

Thank you all!

Creating a new account with the certbot register command and editing the account ID in the /etc/letsencrypt/renewal config files worked for me.

