I’m in the home-stretch of rewriting our certificate-manager/client and I’m trying to work out the last bits of importing Certbot LetsEncrypt accounts.
Under ACME-V1, all the resource locations were predictable. When importing an account, I could easily know the corresponding server.
Under ACME-v2, I know the following details:
- The directory might be in a given location, for example:
- The account resource could be anywhere, it’s most likely in a given location, but still…: https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx
The RFC usually places the directory under acme (/acme/directory), but states it could be anywhere, and pebble departs from this model.
Is there any reasonable likelihood that LetsEncrypt will mount multiple ACME services/directories on the same domains?
The reason why I am asking: Certbot doesn’t save (or did not save when my accounts were created) the directory information with the accounts in /etc/letsencrypt. When importing these accounts, I’m trying to match them up with the correct provider.
Also, given this filepath:
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/xxxxx
Would I be safe to assume that Certbot is stating the ACME-v2 “directory” is acme-staging-v02.api.letsencrypt.org/directory?
Going through the Certbot code, it seems that an _account_dir_path is built off a server_path, and the “server_path” is acme-staging-v02.api.letsencrypt.org/directory.
This would suggest to me the accounts within that file directory are correlated to the server-path directory.
I’m sorry if this is too pedantic, but I’ve been caught between writing to a spec, and reverse engineering various bits of Certbot to ensure compatibility.
This certificate system is designed for large clusters, so I’m trying to ensure everything imports correctly.
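The matching the post describes, as an added example that is not Certbot’s own code: it walks an accounts tree, splits each account folder into host, directory path and account id, reconstructs the directory URL from the folder name, and cross-checks the host against the account resource URL stored beside it. The folder layout `accounts/<host>/<directory path>/<account id>/regr.json` and the `uri` field in `regr.json` are assumptions taken from the path quoted in the post, and the tree the script builds (including the pebble-style `localhost:14000/dir` entry) is constructed for the demonstration.

```python
"""Infer the ACME directory URL for Certbot-style account folders.

Assumed layout (an assumption drawn from the path quoted in the post,
not verified against every Certbot release):

    <config_dir>/accounts/<server host>/<directory path...>/<account id>/

Each account folder is assumed to hold a regr.json whose "uri" field is
the account resource URL. All sample data below is constructed.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


def split_account_dir(accounts_root: Path, account_dir: Path) -> Tuple[str, str, str]:
    """Split an account directory into (host, directory path, account id)."""
    parts = account_dir.relative_to(accounts_root).parts
    if len(parts) < 3:
        raise ValueError(f"unexpected account layout: {account_dir}")
    host, *path_parts, account_id = parts
    return host, "/" + "/".join(path_parts), account_id


def directory_url(host: str, path: str) -> str:
    # Assumption: ACME v2 directories are always served over https.
    return f"https://{host}{path}"


def load_account_uri(account_dir: Path) -> Optional[str]:
    """Read the account resource URL from regr.json, if present."""
    regr = account_dir / "regr.json"
    if not regr.is_file():
        return None
    with regr.open() as fh:
        return json.load(fh).get("uri")


def import_accounts(accounts_root: Path) -> List[Dict[str, object]]:
    """Pair every account folder with the directory URL implied by its path."""
    results = []
    for regr in sorted(accounts_root.rglob("regr.json")):
        account_dir = regr.parent
        host, path, account_id = split_account_dir(accounts_root, account_dir)
        uri = load_account_uri(account_dir)
        # Consistency check: the account resource should live on the same host
        # as the directory inferred from the folder name. A mismatch means the
        # layout assumption does not hold for this account and it needs review.
        host_matches = uri is not None and urlparse(uri).netloc == host
        results.append({
            "account_id": account_id,
            "directory_url": directory_url(host, path),
            "account_uri": uri,
            "host_matches": host_matches,
        })
    return results


def build_sample_tree(root: Path) -> Path:
    """Create a constructed Certbot-like accounts tree for the demo."""
    accounts = root / "accounts"
    samples = {
        # Let's Encrypt staging layout as quoted in the post
        ("acme-staging-v02.api.letsencrypt.org", "directory", "xxxxxxx"):
            "https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxxxxxx",
        # pebble-style directory that does not sit under /acme
        ("localhost:14000", "dir", "1"):
            "https://localhost:14000/my-account/1",
    }
    for (host, dir_path, account_id), uri in samples.items():
        folder = accounts / host / dir_path / account_id
        folder.mkdir(parents=True)
        (folder / "regr.json").write_text(json.dumps({"body": {}, "uri": uri}))
    return accounts


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir and import it."""
    with tempfile.TemporaryDirectory() as tmp:
        return import_accounts(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Accounts whose `host_matches` flag comes back false are the ones worth inspecting by hand before importing, since for them the folder name and the stored account URL disagree about which server the account belongs to.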