Best practice for deactivating accounts


#1

I am working on my own little ACME v2 client implementation. The approach I am taking is creating a new account on the fly, getting the authorizations, getting the certificates and at the end deactivating the account, as much for simplicity (no state to manage), as a way to clean up (if anything failed) and for security (ensuring no outstanding authorization is used after the renewal is complete). Working great on the staging server (outside of a few occasional 500 errors that seem to be on your radars already).

Does creating a different account for each renewal and deactivating these accounts after the renewal create any problem on the letsencrypt side or can it have undesired consequences?
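As an added example (not the poster's client code), the two cleanup requests that approach relies on, deactivating an authorization and then the account, built as RFC 8555 flattened JWS objects; the account URL, nonce and `sign` callback are assumed placeholders, and the stub signer used for the demo is not a valid ACME signature algorithm.

```python
import base64
import json
from typing import Callable, Optional

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515/8555 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_acme_jws(payload: Optional[dict], url: str, nonce: str, kid: str,
                   alg: str, sign: Callable[[bytes], bytes]) -> dict:
    """Flattened JWS for an ACME v2 request made with an existing account.

    RFC 8555 section 6.2: the protected header carries alg, nonce, url and,
    once the account exists, "kid" (the account URL) rather than "jwk".
    `sign` is supplied by the caller and must return the raw signature over
    the signing input made with the account key (ES256/RS256 in practice).
    """
    header = {"alg": alg, "nonce": nonce, "url": url, "kid": kid}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # POST-as-GET requests carry an empty payload; deactivation has a body.
    payload_b64 = "" if payload is None else b64url(
        json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{protected}.{payload_b64}".encode("ascii")
    return {"protected": protected, "payload": payload_b64,
            "signature": b64url(sign(signing_input))}

def deactivate_authorization_request(authz_url, account_url, nonce, alg, sign):
    """RFC 8555 section 7.5.2: POST {"status":"deactivated"} to the authz URL
    so a pending or valid authorization cannot be reused afterwards."""
    return build_acme_jws({"status": "deactivated"}, authz_url, nonce,
                          account_url, alg, sign)

def deactivate_account_request(account_url, nonce, alg, sign):
    """RFC 8555 section 7.3.6: the same body, posted to the account URL."""
    return build_acme_jws({"status": "deactivated"}, account_url, nonce,
                          account_url, alg, sign)

def decode_jws(jws: dict):
    """Recover (header, payload) from a flattened JWS, for inspection/tests."""
    unb64 = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    header = json.loads(unb64(jws["protected"]))
    payload = json.loads(unb64(jws["payload"])) if jws["payload"] else None
    return header, payload

if __name__ == "__main__":
    # Constructed values; stub_sign only tags the bytes it receives and is
    # not a valid ACME signature algorithm (a real client signs with the key).
    acct = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/EXAMPLE"
    stub_sign = lambda data: b"stub:" + data[:8]
    print(json.dumps(deactivate_account_request(acct, "nonce-EXAMPLE", "ES256", stub_sign), indent=1))
```

Each request needs a fresh nonce from the server's Replay-Nonce header, and deactivating the authorizations before the account is what actually prevents a still-valid authorization from being reused.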


#2

Hi @cc2e6,

Per https://letsencrypt.org/docs/rate-limits/

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

Maybe that would be a problem for some of your users?


#3

Oh no, I will be comfortably within these limits (no third party users, it will only be used for a handful of domains, renewed every 1 or 2 months). I was more concerned by whether it had any consequences from your point of view to get lots of de-activated accounts against the same domain over time or any consequence on the certificate issued to have been issued to an account that had been de-activated shortly after.


#4

@jsha, do you think creating many accounts for the same user, but within the rate limits, is all right in terms of CA resources?


#5

In my opinion, deactivating an account after each certificate issuance is bad practice.


#6

Why is it a bad practice?


#7

Dropping the account after issuance does not give you any advantage.

Furthermore, see the integration guide about “One Account or Many”:


#8

It does limit what an attacker can do if they compromise your account key somehow.

Though if your infrastructure is compromised they can always make a new account…
