Certbot renew error - Please choose an account

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.studentobservation.com
I ran this command:
/snap/bin/certbot renew --allow-subset-of-names
It produced this output:
Failed to renew certificate www.studentobservation.com with error: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['dbs14.c.gam-project-kw6-b06-l2z.internal@2018-02-22T20:55:00Z (fcc3)', 'dbs-phptest@2016-08-21T16:27:38Z (c316)', 'dbs9@2016-02-17T16:43:48Z (592c)']
My web server is (include version):
Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
Google cloud
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.1

1 Like

This has worked fine for several years. The error is new.

I don't have any good advice. This is a very odd error. You might try posting on the Certbot github to reach their devs more quickly.

There was a similar error about a month ago in the thread below. But there have been no other threads with a similar error since a couple back in 2016-2018.

I changed your thread title to focus more on this specific error.

I saw you got 2 Staging certs earlier today. Is this error only on production?

2 Likes

Yes, this server is a production server. We have several servers using certbot. There are 8 projects using certbot on this server, but only 2 were up for renewal. And they both had the same error.

Sorry, I meant trying to get a production Let's Encrypt cert as opposed to one from the Let's Encrypt Staging system (which looks to have worked).

Do you have more than one account in the system?

sudo ls -lR /etc/letsencrypt/accounts

2 Likes

How to do a production certbot? I thought I was doing that. It seems I do have more than one account ... see screenshot. I see staging.api in that output.

A production Let's Encrypt cert is the default. They are used in live servers and the certs will be trusted. You must specifically request Staging certs and these are NOT trusted by browsers. They are helpful when testing to avoid the production system rate limits.

You got 2 Staging certs earlier today, so you must have used the --dry-run or maybe --test-cert Certbot options.

Now, I guess what is happening is that your very old acme-v01 account is now being shown as a viable option. That version was superseded by acme-v02 a long time ago. Perhaps a recent Certbot change is no longer ignoring the v01 accounts.

You could try backing up and removing that acme-v01 account folder. Before doing that you could even match the account number in the renewal config file(s) in /etc/letsencrypt/renewal to make sure it is not referenced.

I wasn't involved with Let's Encrypt / Certbot back then so this is very much a guess. Your current cert has plenty of life left so you could wait to see what other experts have to say about this.

2 Likes
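The cross-check suggested in the post above, as an added example that is not part of the original thread and is not Certbot's own tooling: a read-only shell sketch that lists every account directory and counts the renewal configs whose `account =` line references it. It assumes the usual layout `accounts/<server>/directory/<account_id>/` under `/etc/letsencrypt`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: nothing is deleted.
# Assumed layout: $root/accounts/<server>/directory/<account_id>/
#                 $root/renewal/<cert-name>.conf with "account = <id>"

# account_usage ROOT -> one line per account: "<refs> <kind> <server> <id>"
account_usage() {
    root=${1:-/etc/letsencrypt}
    for dir in "$root"/accounts/*/directory/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        id=$(basename "$dir")
        server=$(basename "$(dirname "$(dirname "$dir")")")
        # A server's "directory" entry can itself be a symlink to another
        # server's accounts; flag it, because removing the link target
        # would also remove the accounts visible through the link.
        if [ -L "$root/accounts/$server/directory" ]; then
            kind=symlink
        else
            kind=dir
        fi
        # Count renewal configs that name this account id.
        refs=$( { grep -lE "^account[[:space:]]*=[[:space:]]*$id[[:space:]]*\$" \
                    "$root"/renewal/*.conf 2>/dev/null || true; } | wc -l | tr -d ' ')
        echo "$refs $kind $server $id"
    done
}

# unreferenced_accounts ROOT -> "<server> <id>" for accounts no config uses
unreferenced_accounts() {
    account_usage "$1" | awk '$1 == 0 { print $3, $4 }'
}

# Run as root against the real tree, e.g.:  sh accounts.sh /etc/letsencrypt
if [ "$#" -gt 0 ]; then
    account_usage "$1"
fi
```

Only accounts reported with zero references are candidates for removal, and only after the whole `accounts` and `renewal` directories have been backed up.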

I see there are 4 accounts. If I remove 3 of those arbitrarily, would that work? I do not know how or why that got that way.

No, it didn't.

If you were going to remove any, do the two from 2016. Those are the older generator account numbers.

Still, I'd review my previous post about comparing the account numbers and making backups.

2 Likes

No, it did not what?

2 Likes

I removed 3 of the 4 accounts, to test it. Same error though.

Actually it looks like a different error:

Failed to renew certificate www.studentobservation.com with error: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

I think you deleted the wrong folder.

What does this show?

sudo certbot certificates | grep -i 'certificate name'

And this

sudo cat /etc/letsencrypt/renewal/www.studentobservation.com.conf

2 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate Name: dbs9.dx30-2.net
Certificate Name: thecenteronline.org
Certificate Name: wiki.dbswebsite.com
Certificate Name: www.studentobservation.com
Certificate Name: www.takechargenotrisks.org
Certificate Name: www.themasterstouch.us
Certificate Name: yamamotofineblanking.com

and ...

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/www.studentobservation.com
cert = /etc/letsencrypt/live/www.studentobservation.com/cert.pem
privkey = /etc/letsencrypt/live/www.studentobservation.com/privkey.pem
chain = /etc/letsencrypt/live/www.studentobservation.com/chain.pem
fullchain = /etc/letsencrypt/live/www.studentobservation.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 592ccc3eb3856126ba86d04a07740724
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
studentobservation.com = /home/clients/studentobservation.com/htdocs
www.studentobservation.com = /home/clients/studentobservation.com/htdocs

Try this first. The --dry-run will not disturb your existing production cert.

sudo certbot certonly --dry-run --cert-name www.studentobservation.com --webroot -w /home/clients/studentobservation.com/htdocs -d www.studentobservation.com -d studentobservation.com

If that works, do it without the --dry-run.

2 Likes

I get this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

What version of Certbot? Because I get a different response using a current version.

certbot --version

You explicitly state --webroot authentication so it should not be asking you what kind of authentication to do.

If I do it, I get the output below. It should fail, of course, because I am not on your server. And I had to change the webroot path because yours does not exist on my machine. But the rest is the same.

sudo certbot certonly --dry-run --cert-name www.studentobservation.com --webroot -w /var/www/html -d www.studentobservation.com -d studentobservation.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for www.studentobservation.com and studentobservation.com

Certbot failed to authenticate some domains (authenticator: webroot). 
The Certificate Authority reported these problems:

2 Likes

2.7.1 certbot

I will pick this back up Monday. Thx for all your support. I have a ride coming. Thx!

2 Likes