I ran this command: certbot --nginx --non-interactive --agree-tos --email [redacted] --server https://acme.enterprise.sectigo.com --eab-kid [redacted] --eab-hmac-key [redacted] --domain domain1.com
OS: RHEL 8+
The version of my client: 1.22.0
Skipping most of the template since it's irrelevant to my question.
If I create the file /etc/letsencrypt/cli.ini and add to it a different EAB Key ID and HMAC Key, will future certificate renewals use the new EAB ID/Key? Or will certificate renewals continue to use the EAB ID/Key that were initially used on the command line, ignoring the cli.ini file?
The old EAB ID and Key are for a different SSL profile, for example, the old profile is "InCommon SSL Single Domain General Profile" and new one is "InCommon SSL Multi General Profile".
Hi @dxfuentes, and welcome to the LE community forum.
That needs an update.
hmm...
If both the renewal config file and the cli.ini contain similar information...
Which will be used?
I think the cli.ini info would be used - but I can't be 100% certain.
EAB is only used once: the moment of registration of the ACME account.
That's not a Certbot thing, but simply part of the ACME protocol (RFC 8555).
Thus, to use different EABs, you need to use a different ACME account.
Unfortunately Certbot is not able to register a second account for a certain ACME endpoint/directory.
However, Certbot actually can handle multiple accounts. So it's possible to temporarily move the specific account away from its directory in /etc/letsencrypt/accounts/, (the account dir will be a hash under a directory of the ACME endpoint) register a new account with the new EAB and then place the original account back to its original place.
Note that manually messing with Certbot's internals is not recommended, certainly if one has little experience with manually handling these kinds of things.
Our SSL cert provider, Sectigo/InCommon, will be deprecating the SSL cert profiles we currently use. So to switch to a new SSL cert profile, new ACME accounts were created and tied to a new SSL cert profile, which generated a new EAB key ID and HMAC Key.
I'm not opposed to "ugly" ways of automating this, like parsing for the domains and using something like ansible.builtin.command: certbot --nginx --non-interactive .......
It sounds like they're not using Let's Encrypt at all.
Is this using the same ACME directory endpoint, just a different account?
If you don't need the old ACME account at all anymore, I think (but have not tested) that you can just run certbot unregister (maybe you'd need the --server for your CA), and then certbot register with the server and EAB information, and you'd have the same certs with the new account.
That's just what Sectigo calls them, apologies if there's any confusion as I am trying to stick to their wording. To explain, they have ACME endpoints and the one we use is named "Universal ACME", which is the ACME directory endpoint URL https://acme.enterprise.sectigo.com. That endpoint has Accounts, and each Account has:
Each account is also tied to an SSL Certificate Profile, such as "InCommon SSL Single Custom Profile", which is for a type of SSL, for example a 90 day certificate.
So when I run the command from my post, the EAB ID/Key I use is associated with an already created ACME account, which is associated with a specific SSL Certificate profile, which determines the type of SSL that's issued.
If that use of wording is different than Let's Encrypt, no idea why Sectigo does that.
Definitely, but since we're using certbot I figured I'd ask this community first because I'm sure Sectigo will say "go ask Certbot community for help with Certbot".
I've used it for ZeroSSL and I believe the free ssl.com ACME server also requires it.
I think in that documentation when Sectigo speaks about "account" or "ACME Accounts" in that table at the bottom of that page, they mean "Sectigo account". And NOT an "ACME account" as we usually mean (which is the account at an ACME server).
You probably need to re-register your account with the new EAB credentials as already discussed above indeed.
How do you switch an existing certbot certificate to use a new ACME account (either with a different CA or the same CA)?
The fact it's a particular CA and that EAB is used etc isn't especially relevant. Does certbot have a feature for changing the ACME account used for a cert?
Not officially. But an --account option is mentioned for the unregister subcommand. Certbot might have some undocumented, coincidental use for that option in other subcommands. But that would mostly matter if Certbot has multiple accounts configured to begin with, which officially is not supported. Because if multiple accounts are configured, Certbot will ask which one to use. Maybe --account will answer that question non-interactively.
That said, in the renewal configuration file the account hash is stored, but I think Certbot simply overwrites that one if that account has been removed and simply uses the one at hand for the ACME endpoint configured for that certificate.
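Before moving account directories around or re-registering, as discussed above, it helps to know which account hash each renewal configuration is bound to and whether that account still exists on disk. The following script is an added example, not part of this thread or of Certbot itself; it builds a throw-away config tree with constructed renewal files (the account hashes and the field layout are assumptions modelled on what Certbot 1.x writes under /etc/letsencrypt/renewal/ and /etc/letsencrypt/accounts/) and reports, per certificate, the configured server, the account hash, and whether the matching account directory is present.

```python
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample renewal configuration, modelled on the layout certbot
# writes to /etc/letsencrypt/renewal/<name>.conf. Assumption: field names as
# in certbot 1.x; the account hash is a made-up placeholder.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/domain1.com
cert = /etc/letsencrypt/live/domain1.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
installer = nginx
server = https://acme.enterprise.sectigo.com
"""

OLD_ACCOUNT = "0123456789abcdef0123456789abcdef"   # constructed placeholder
GONE_ACCOUNT = "feedfacefeedfacefeedfacefeedface"  # constructed placeholder


def parse_renewal_conf(text):
    """Return the [renewalparams] section as a dict.

    configparser is not used because certbot writes top-level keys before the
    first section header, which configparser rejects; a small line parser is enough.
    """
    params = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[renewalparams]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def account_dir_for(config_dir, server, account_hash):
    """Path where certbot keeps an account: accounts/<netloc><path>/<hash>.

    Assumption: mirrors certbot's derivation from the directory URL
    (netloc plus path, '/' mapped to the OS separator).
    """
    parsed = urlparse(server)
    server_path = (parsed.netloc + parsed.path).replace("/", os.sep)
    return os.path.join(config_dir, "accounts", server_path, account_hash)


def audit_renewals(config_dir):
    """Map each cert name to (server, account hash, account directory present)."""
    result = {}
    renewal_dir = os.path.join(config_dir, "renewal")
    for name in sorted(os.listdir(renewal_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(renewal_dir, name)) as fh:
            params = parse_renewal_conf(fh.read())
        server = params.get("server", "")
        account = params.get("account", "")
        present = os.path.isdir(account_dir_for(config_dir, server, account))
        result[name[: -len(".conf")]] = (server, account, present)
    return result


def build_demo_tree():
    """Create a temporary config dir: one cert whose account exists on disk,
    one bound to an account hash whose directory has been moved away."""
    root = tempfile.mkdtemp(prefix="certbot-audit-")
    os.makedirs(os.path.join(root, "renewal"))
    with open(os.path.join(root, "renewal", "domain1.com.conf"), "w") as fh:
        fh.write(SAMPLE_RENEWAL_CONF)
    second = SAMPLE_RENEWAL_CONF.replace("domain1.com", "domain2.com")
    second = second.replace(OLD_ACCOUNT, GONE_ACCOUNT)
    with open(os.path.join(root, "renewal", "domain2.com.conf"), "w") as fh:
        fh.write(second)
    # Only the first account gets a directory; the second is deliberately absent.
    os.makedirs(account_dir_for(root, "https://acme.enterprise.sectigo.com", OLD_ACCOUNT))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for cert, (server, account, present) in audit_renewals(root).items():
        status = "ok" if present else "MISSING account dir"
        print(f"{cert}: server={server} account={account} {status}")
```

Pointing `audit_renewals` at a real `/etc/letsencrypt` (read-only, no changes are made) shows which certificates would have to be re-bound after an account is unregistered or moved, which is the situation the thread describes where Certbot may silently fall back to whichever account it finds for that endpoint.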