Account not found only in cron. Dry run works fine

Hi,

I'm not getting any results and have been trying for a while. My certbot renew --dry-run is working fine, but whenever I use the crontab to automate my renewal it says my account is not found. I don't know why (recently moved to Debian 10 to get rid of the deprecated certbot-auto script).

My domain is: applyai.de

I ran this command: From the crontab: /usr/bin/certbot renew --nginx-server-root /etc/nginx --nginx-ctl /usr/sbin/nginx

It produced this output:

2021-04-03 10:46:35,459:INFO:certbot.storage:Attempting to parse the version 0.36.0 renewal configuration file found at /etc/letsencrypt/renewal/applyai.de.conf with version 0.31.0 of Certbot. This might not work.
2021-04-03 10:46:35,461:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-11-03 11:29:31 UTC.
2021-04-03 10:46:35,461:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-04-03 10:46:35,461:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2021-04-03 10:46:35,608:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fc2e9357748>
Prep: True
2021-04-03 10:46:35,608:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fc2e9357748>
Prep: True
2021-04-03 10:46:35,608:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fc2e9357748> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fc2e9357748>
2021-04-03 10:46:35,608:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2021-04-03 10:46:35,609:WARNING:certbot.renewal:Attempting to renew cert (applyai.de) from /etc/letsencrypt/renewal/applyai.de.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/d8afb92217b7f4e5f57ce4d202f5e2a9 does not exist. Skipping.
2021-04-03 10:46:35,609:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1191, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 509, in _determine_account
    acc = account_storage.load(config.account)
  File "/usr/lib/python3/dist-packages/certbot/account.py", line 246, in load
    return self._load_for_server_path(account_id, self.config.server_path)
  File "/usr/lib/python3/dist-packages/certbot/account.py", line 215, in _load_for_server_path
    prev_loaded_account = self._load_for_server_path(account_id, prev_server_path)
  File "/usr/lib/python3/dist-packages/certbot/account.py", line 226, in _load_for_server_path
    "Account at %s does not exist" % account_dir_path)
certbot.errors.AccountNotFound: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/d8afb92217b7f4e5f57ce4d202f5e2a9 does not exist

My web server is (include version): nginx 1.14.2

The operating system my web server runs on is (include version): Debian 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Any help is appreciated.

1 Like

What does sudo whereis certbot from the command line say?

Because it seems the certbot used in cron is using an older version of certbot (0.31.0 as you've stated) whereas the certificate was issued with version 0.36.0 according to the warning at the top of your output. There may be some certbot installation lingering around from your certbot-auto wrapper script time.

Also:

certbot.errors.AccountNotFound: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/d8afb92217b7f4e5f57ce4d202f5e2a9 does not exist

Your certbot is apparently using your old ACMEv01 account. Perhaps certbot version 0.36.0 handles that differently compared to the 0.31.0 you're using now.

Perhaps it's possible to use the recommended way of installing certbot, through snap? Instead of the ancient versions offered by the Debian repository. See: https://certbot.eff.org/lets-encrypt/debianbuster-nginx

3 Likes

What does sudo whereis certbot from the command line say?

certbot: /usr/bin/certbot

Sadly, I can't install it with snap because I'm using an LXC container where snap cannot be installed without a chance of problems occurring with backups (information from the Proxmox forum).

Can I tell my certbot to stop looking for that account? My /etc/letsencrypt/accounts directory has v02 directories (and therefore: accounts) within it.

Not sure if this is easily done through some command line options to certbot, but you can manually modify the renewal configuration file /etc/letsencrypt/renewal/applyai.de.conf. It should include a line with account = <your ACMEv1 account hash>.

If you look at the /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/ directory, it should indeed have one or more accounts listed. The directory name(s) in that directory correspond with the hashes used in the renewal configuration file.

If you have multiple accounts listed in the /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/ directory, I'm not sure which one you would want to use. You could look at the regr.json files in the account directories to check the contact field, which contains the e-mail address used to register the account at the Let's Encrypt ACME server. Maybe you could use that to differentiate and choose an account.

1 Like
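The check suggested in the last reply, as an added example that is not part of the original thread or of certbot itself: it reads the `account = ...` line from a renewal configuration file, lists the account directories present under every server directory, and pulls the contact entries out of each regr.json. The function names are hypothetical, the placement of `contact` under `body` in regr.json is an assumption, and the demo tree uses constructed placeholder hashes and addresses.

```python
import json
import re
import tempfile
from pathlib import Path

ACCOUNT_RE = re.compile(r"^\s*account\s*=\s*(\S+)", re.MULTILINE)

def configured_account(renewal_conf: Path):
    """Return the hash from the 'account = ...' line, or None if absent."""
    m = ACCOUNT_RE.search(renewal_conf.read_text())
    return m.group(1) if m else None

def list_accounts(accounts_root: Path):
    """Map account hash -> (server directory name, contacts from regr.json)."""
    found = {}
    for regr in sorted(accounts_root.glob("*/directory/*/regr.json")):
        try:
            data = json.loads(regr.read_text())
        except (OSError, ValueError):
            data = {}
        data = data if isinstance(data, dict) else {}
        # Assumption: contacts sit under "body"; some files may not have any.
        contacts = (data.get("body") or {}).get("contact") or data.get("contact") or []
        found[regr.parent.name] = (regr.parents[2].name, list(contacts))
    return found

def audit(renewal_conf: Path, accounts_root: Path):
    """Report the configured hash and whether it exists under any server dir."""
    wanted = configured_account(renewal_conf)
    accounts = list_accounts(accounts_root)
    return {"configured": wanted, "exists": wanted in accounts, "available": accounts}

def build_demo(root: Path):
    """Constructed sample: the conf names one hash, only another one exists."""
    conf = root / "renewal" / "example.test.conf"
    conf.parent.mkdir(parents=True)
    conf.write_text("version = 0.36.0\n[renewalparams]\naccount = 0123abcd\nauthenticator = nginx\n")
    acct = root / "accounts" / "acme-v02.api.letsencrypt.org" / "directory" / "feedface"
    acct.mkdir(parents=True)
    (acct / "regr.json").write_text(json.dumps({"body": {"contact": ["mailto:admin@example.test"]}}))
    return conf, root / "accounts"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit(*build_demo(Path(tmp)))
        print("configured account:", report["configured"], "exists:", report["exists"])
        for acct_id, (server, contacts) in report["available"].items():
            print(f"  {server}: {acct_id} {contacts}")
```

On a real host, call `audit(Path("/etc/letsencrypt/renewal/applyai.de.conf"), Path("/etc/letsencrypt/accounts"))` as root, since the accounts directory is normally not world-readable.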
