Best practice for deactivating accounts

I am working on my own little ACME v2 client implementation. The approach I am taking is creating a new account on the fly, getting the authorizations, getting the certificates and at the end deactivating the account, as much for simplicity (no state to manage), as a way to clean up (if anything failed) and for security (ensuring no outstanding authorization is used after the renewal is complete). Working great on the staging server (outside of a few occasional 500 errors that seem to be on your radars already).

Does creating a different account for each renewal and deactivating these accounts after the renewal create any problem on the letsencrypt side or can it have undesired consequences?

Hi @cc2e6,

Per https://letsencrypt.org/docs/rate-limits/

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

Maybe that would be a problem for some of your users?

Oh no, I will be comfortably within these limits (no third party users, it will only be used for a handful of domains, renewed every 1 or 2 months). I was more concerned by whether it had any consequences from your point of view to get lots of de-activated accounts against the same domain over time or any consequence on the certificate issued to have been issued to an account that had been de-activated shortly after.

@jsha, do you think creating many accounts for the same user, but within the rate limits, is all right in terms of CA resources?

In my opinion, deactivating an account after each certificate issuance is bad practice.

Why is it a bad practice?

Dropping the account after issuance does not give you any advantage.

Furthermore, see the integration guide about “One Account or Many”:

It does limit what an attacker can do if they compromise your account key somehow.

Though if your infrastructure is compromised they can always make a new account…
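To make the trade-off discussed in this thread concrete, here is an added example (not code from the original poster's client, from any Let's Encrypt client, or from the integration guide) of the account lifecycle the first post describes: sign a newAccount-style request with the key as `jwk`, sign later requests with the account URL as `kid`, deactivate the account with the `{"status":"deactivated"}` payload from RFC 8555, and then show that the same key is refused with `unauthorized` afterwards, which is exactly what "limits what an attacker can do" with a key they obtain after the renewal is finished. The `Server` type, the `account` struct and the `https://acme.example/...` URLs are constructed stand-ins for the CA so the code runs offline; nothing here talks to a real ACME endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strconv"
)

var enc = base64.RawURLEncoding // JWS segments are base64url without padding

// JWS is the flattened JSON serialization ACME requires (RFC 8555 section 6.2).
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// SignACME builds one ACME request: newAccount carries the public key as "jwk", every
// later request names the account by URL in "kid"; nonce and url let the server reject replays.
func SignACME(key *ecdsa.PrivateKey, url, nonce, kid string, payload []byte) (*JWS, error) {
	hdr := map[string]interface{}{"alg": "ES256", "nonce": nonce, "url": url}
	if kid == "" {
		hdr["jwk"] = map[string]string{"kty": "EC", "crv": "P-256",
			"x": enc.EncodeToString(key.X.FillBytes(make([]byte, 32))),
			"y": enc.EncodeToString(key.Y.FillBytes(make([]byte, 32)))}
	} else {
		hdr["kid"] = kid
	}
	hb, err := json.Marshal(hdr)
	if err != nil { return nil, err }
	protected, body := enc.EncodeToString(hb), enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return nil, err }
	// JWS ES256 signatures are the raw R||S pair, 32 bytes each, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return &JWS{Protected: protected, Payload: body, Signature: enc.EncodeToString(sig)}, nil
}

// VerifyACME checks the signature over protected.payload against a public key.
func VerifyACME(pub *ecdsa.PublicKey, j *JWS) bool {
	sig, err := enc.DecodeString(j.Signature)
	if pub == nil || err != nil || len(sig) != 64 { return false }
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// account and Server are a constructed stand-in for the CA's registry (key plus status per account URL).
type account struct {
	key    *ecdsa.PublicKey
	status string // "valid" or "deactivated"
}
type Server map[string]*account

// Register mimics newAccount: store the key and return the account URL used as kid.
func (s Server) Register(pub *ecdsa.PublicKey) string {
	kid := "https://acme.example/acct/" + strconv.Itoa(len(s)+1) // constructed URL
	s[kid] = &account{key: pub, status: "valid"}
	return kid
}

// Handle processes a kid-signed request. A {"status":"deactivated"} payload retires
// the account (RFC 8555 section 7.3.6); the same key is then refused as unauthorized.
func (s Server) Handle(j *JWS) error {
	hb, _ := enc.DecodeString(j.Protected)
	var hdr struct{ Kid string `json:"kid"` }
	if json.Unmarshal(hb, &hdr) != nil { return errors.New("urn:ietf:params:acme:error:malformed") }
	acct, ok := s[hdr.Kid]
	if !ok || !VerifyACME(acct.key, j) {
		return errors.New("urn:ietf:params:acme:error:malformed")
	}
	if acct.status != "valid" {
		return errors.New("urn:ietf:params:acme:error:unauthorized")
	}
	raw, _ := enc.DecodeString(j.Payload)
	var body struct{ Status string `json:"status"` }
	if json.Unmarshal(raw, &body) == nil && body.Status == "deactivated" {
		acct.status = "deactivated"
	}
	return nil
}

// Lifecycle runs the per-renewal pattern: create, deactivate, then return the server's
// answer to the same key's next request.
func Lifecycle() error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	srv := Server{}
	kid := srv.Register(&key.PublicKey)
	deact, err := SignACME(key, kid, "nonce-1", kid, []byte(`{"status":"deactivated"}`))
	if err != nil { return err }
	if err := srv.Handle(deact); err != nil { return err } // deactivation must be accepted
	again, _ := SignACME(key, "https://acme.example/new-order", "nonce-2", kid, []byte(`{}`))
	return srv.Handle(again) // expected: unauthorized, the key is now useless
}
```

The stand-in server only keeps key and status, so it cannot reproduce the rate-limit side of the question (10 accounts per IP per 3 hours); what it does show is that deactivation is the step that turns an on-the-fly account key into dead weight for anyone who recovers it later, and that a compromised host can still register a fresh key, as the last reply points out.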
