Acme.sh --dns and --accountemail directives

@Neilpang I'm a big fan of the acme.sh client, but the more familiar I become with it, the more questions start to pop up. I was going to PM you about these, but other community members may benefit from these questions and your responses, so I thought it better to submit my queries in the public forum space. First some platform details:

# acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8
# freebsd-version
12.2-RC3

Can you please clarify the points below for me?

--dns

When using the DNS API, shell variables set for the DNS provider are saved for later reuse when the first certificate is issued.

Using the Cloudflare example provided:

acme.sh --issue --dns dns_cf -d example.com -d www.example.com

The CF_Key and CF_Email or CF_Token and CF_Account_ID will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Because these variables have been saved, I'd just like to confirm that --dns then becomes redundant when issuing subsequent certificates? So, for example --dns dns_cf is then implied in the command below:

acme.sh --issue -d sub.example.com

Adding it in has no effect either:

acme.sh --issue --dns mumbo-jumbo -d sub.example.com

If I want to change DNS provider, I must then edit ~/.acme.sh/account.conf directly.

--accountemail

In the example for an advanced installation of acme.sh, --accountemail is the email used to register an account with Let's Encrypt, and where renewal notices will be sent.

Is there a way to test this functionality without waiting 60 days?

My query arises because it's not clear to me where the email details are stored from the installation and how it's used. For example, if I install acme.sh as follows:

./acme.sh --install --config-home /config --accountemail "myemail@example.com"

I see evidence of the /config, but not the email when I issue the command below.

# cat ~/.acme.sh/acme.sh.csh
setenv LE_WORKING_DIR "/root/.acme.sh"
setenv LE_CONFIG_HOME "/config"
alias acme.sh "/root/.acme.sh/acme.sh --config-home '/config'"

There's no evidence of the email in ~/.acme.sh/account.conf either, or in cron.

# crontab -l
59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/config" > /dev/null
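Since the DNS API credentials named above are persisted in account.conf and reused on later issues, it is worth knowing what is stored there and who can read it. The script below is an added example, not part of this thread or of acme.sh: it audits a constructed sample of account.conf for the Cloudflare variables mentioned in the post (assuming they are written as one KEY='value' line each, possibly with a SAVED_ prefix), prints them masked, and checks that the file is owner-readable only.

```shell
#!/bin/sh
# Constructed sample of the relevant lines of an acme.sh account.conf.
# Assumed format: one KEY='value' per line, credentials prefixed SAVED_.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
SAVED_CF_Key='0123456789abcdef0123456789abcdef01234'
SAVED_CF_Email='myemail@example.com'
ACCOUNT_EMAIL='myemail@example.com'
EOF
chmod 644 "$SAMPLE_CONF"   # deliberately too open, to show the warning

# Print each Cloudflare credential variable found in the file, one per
# line, with the value masked so the report itself does not leak a secret.
list_saved_dns_creds() {
    conf="$1"
    for name in CF_Key CF_Email CF_Token CF_Account_ID; do
        line=$(grep -E "^(SAVED_)?${name}=" "$conf" 2>/dev/null | head -n 1) || true
        [ -n "$line" ] || continue
        value=${line#*=}                 # strip KEY=
        value=${value#\'}; value=${value%\'}   # strip surrounding quotes
        prefix=$(printf '%s' "$value" | cut -c1-4)
        printf '%s=%s...(%d chars)\n' "$name" "$prefix" "${#value}"
    done
}

# Return 0 if group/other permission bits are all clear (e.g. 600), else 1.
# Uses ls -ld so it behaves the same on FreeBSD and Linux.
conf_is_private() {
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

printf 'Saved DNS API credentials in %s:\n' "$SAMPLE_CONF"
list_saved_dns_creds "$SAMPLE_CONF"
if conf_is_private "$SAMPLE_CONF"; then
    echo "permissions OK (owner-only)"
else
    echo "WARNING: $SAMPLE_CONF is readable by group/others"
fi
```

Point the two functions at $LE_CONFIG_HOME/account.conf (or ~/.acme.sh/account.conf) to run the same check on a real installation.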

I'd just like to confirm that --dns then becomes redundant when issuing subsequent certificates?

No. What if you want to use another DNS API?

If I want to change DNS provider, I must then edit ~/.acme.sh/account.conf directly.

Never do that. It's not recommended to edit it manually. The variables' names are not promised to be constant.

Is there a way to test this functionality without waiting 60 days?

No, this is the CA's behavior: how or when the certificate-expiry notice will be sent.
Don't rely on the CA's notifications. This is not part of ACME RFC 8555. A CA may choose never to notify you.

If you want a reliable notification, please use our --set-notify feature: https://github.com/acmesh-official/acme.sh/wiki/notify

where the email details are stored from the installation and how it's used. For example, if I install acme.sh as follows:

They should be saved in $LE_CONFIG_HOME/account.conf.


I see. So it's important if I use multiple DNS providers?

Why I've raised this is that on a subsequent issue of a certificate, I purposely made a typo and acme.sh still used the dns_cf details saved in $LE_CONFIG_HOME/account.conf.

acme.sh --issue --dns dns_cff -d sub.example.com

No error was flagged.

Noted. I must admit, I hadn't fully appreciated this.

Noted. Thanks for the tip.

Hmm... not seeing this, but I'll do some further testing before confirming.

No. Try with a new subdomain: acme.sh --issue -d newsub.example.com --dns dns_cfffff
