Certbot - How to change the account key?


#1

I want to change my account key. How to do this with Certbot?


#2

I don’t think that Certbot implements the Account Key Rollover procedure that would make this possible.

You could try certbot unregister to completely abandon your account and then start again, but that’s not exactly the question you posed.


#3

Not sure if there is a built-in way to do this in certbot…
[checking on that in a spawned process (true multi-tasking) - LOL]

CAUTION: THIS NEXT SCENE INCLUDES VIOLENCE AND MATERIALS ONLY SUITABLE FOR MATURE AUDIENCES… WATCH AT YOUR OWN RISK

But if you move/remove the contents of:
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
Certbot would be forced to create all new account(s).

[void where prohibited. mileage may vary. see store for details. subject to local laws. not valid in all states (of mind). harmful if swallowed. seek immediate medical attention should it come in direct contact with your eyes. actor portrayal - not a real consumer.]

Back at the ranch…
It seems certbot can only remove an account with:
certbot unregister
[I suppose it will prompt you through the process. - I have never tried it.]

But as @_az said, that really doesn’t answer your question:
“How can I change my account key?”
There doesn’t seem to be a “change account” nor “change key” option.
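
Before moving the accounts directory aside as described above, it helps to know exactly which accounts (and which keys) you are about to abandon. The following script is an added example, not code from this thread or from Certbot itself. It is stdlib-only Python that walks a Certbot-style accounts tree and reports each account's server, registration URI, contacts, creation date and RFC 7638 key thumbprint. The on-disk layout (`<server>/directory/<account id>/` holding `regr.json`, `meta.json` and `private_key.json`, with the key stored as a JWK) is assumed from what Certbot writes; the sample tree, key material and contact values are constructed placeholders. The thumbprint is computed only from the public JWK members, so it identifies the key without leaking anything private and is safe to keep in a change log.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed placeholder JWK; values are NOT a real key. Certbot's
# private_key.json also carries private members such as "d", which the
# thumbprint deliberately ignores.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "d": "sample-private-exponent-not-a-real-key",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JWK/JWS (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (lexically sorted keys, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def inventory(accounts_root: Path) -> list:
    """Walk <accounts_root>/<server>/directory/<account id>/ (assumed Certbot
    layout) and return one record per account found."""
    records = []
    for regr_path in sorted(accounts_root.glob("*/directory/*/regr.json")):
        acct_dir = regr_path.parent
        regr = json.loads(regr_path.read_text())
        meta = json.loads((acct_dir / "meta.json").read_text())
        key = json.loads((acct_dir / "private_key.json").read_text())
        records.append({
            "server": acct_dir.parent.parent.name,
            "account_id": acct_dir.name,
            "uri": regr.get("uri"),
            "contact": regr.get("body", {}).get("contact", []),
            "created": meta.get("creation_dt"),
            "thumbprint": jwk_thumbprint(key),
        })
    return records


def write_sample_tree(root: Path,
                      server: str = "acme-v02.api.letsencrypt.org",
                      account_id: str = "0123abcd") -> Path:
    """Create a constructed one-account tree mimicking the assumed layout."""
    acct = root / server / "directory" / account_id
    acct.mkdir(parents=True)
    (acct / "private_key.json").write_text(json.dumps(SAMPLE_JWK))
    (acct / "regr.json").write_text(json.dumps({
        "body": {"contact": ["mailto:admin@example.com"]},   # constructed
        "uri": f"https://{server}/acme/acct/00000",          # constructed
    }))
    (acct / "meta.json").write_text(json.dumps({
        "creation_dt": "2019-01-01T00:00:00Z",               # constructed
        "creation_host": "host.example",
    }))
    return acct


def demo() -> list:
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "accounts"
        write_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    # Against a real install you would call inventory(Path("/etc/letsencrypt/accounts")).
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

Run it against the real path with root privileges, save the output, and then move (rather than delete) the directory to a timestamped backup: the old private key is the only credential that can later deactivate the abandoned account, so keeping the backup is what lets you tidy up afterwards.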


#4

Questions:

  • Is there an alternative client (for MacOS) which has an option to change the account key?
  • Does it make sense to open a feature request against Certbot or is this already on the todo list?

#5

I’m not aware of any public client that implements key roll-over.

I don’t think Certbot has an issue for this, so maybe you can open one. Perhaps certbot update_account can take a --key-rollover flag?


#6

I don’t think that Certbot has such a flag ‘--key-rollover’:

certbot --help all
...
update_account:
  Options for account modification

unregister:
  Options for account deactivation.

  --account ACCOUNT_ID  Account ID to use (default: None)
...
certbot --help update_account
usage: 

  certbot update_account --email updated_email@example.com [options]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini
                        and ~/.config/letsencrypt/cli.ini)

update_account:
  Options for account modification

  -m EMAIL, --email EMAIL
                        Email used for registration and recovery contact. Use
                        comma to register multiple emails, ex:
                        u1@example.com,u2@example.com. (default: Ask).
  --eff-email           Share your e-mail address with EFF (default: None)
  --no-eff-email        Don't share your e-mail address with EFF (default:
                        None)