Consolidating Account IDs

I have been using certbot to automatically create subdomain certs for individual servers. I did register an email address for this and used the same email for each new cert. Now I’m hitting the rate limit regularly and would like to submit a rate limit waiver, but in checking /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/*/regr.json for the account id I see each server has a unique account id. How would I go about consolidating all of the different account ids into one so I can submit a rate limit waiver request?

Hi @davided,

To my knowledge, there is no protocol or server support for doing this. Maybe you could gradually migrate your renewals to one account and at the same time submit a rate limit exemption for that one?

Thanks for the reply. Each cert I’ve gotten so far is for a separate server, so Certbot defaults to creating a new account id on each server. What would be the correct method to migrate the account id during a renewal? It doesn’t appear that Certbot has a mechanism for specifying the account id on the command line.

I don’t think there’s an official, pretty option. The hacky option that probably works – you should certainly test it before deploying my ideas in production! – is:

  • Copy /etc/letsencrypt/accounts/ from your chosen box to all the others.
    (Or just /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/ if you prefer to maintain separate staging accounts.)

  • In /etc/letsencrypt/renewal/*.conf on all the other boxes, replace the hash in the “account =” line with the new one.
    You can get the correct hash from one of the renewal .conf files on the first server, or because it’s the name of the directory in /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/. (Literally, there’s a directory called “directory”, and you want its subdirectory.)

Certbot’s internal structure is subject to change in future versions, and you’re not supposed to go meddling with it, but it’s fairly simple if you want/need to.

Edit: Prod and staging have separate accounts. If you have staging certificates, be sure not to mix up the account hashes in the renewal config files.
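
The second step above, scripted for one box, as an added example that is not part of the original post and not Certbot's own tooling. It assumes the chosen account directory has already been copied over and that each renewal config carries "account =" and "server =" lines; the function name repoint_renewals and its arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): run on each box after the chosen
# account directory has been copied into /etc/letsencrypt/accounts/.
# That directory includes private_key.json, the ACME account key, so keep
# the copy root-only on every box.
set -u

PROD_HOST="acme-v01.api.letsencrypt.org"   # production endpoint named in the thread

# repoint_renewals LE_ROOT NEW_HASH
# Rewrites "account =" in production renewal configs only, leaving a .bak
# beside each changed file. Prints the path of every file it changed.
repoint_renewals() {
  local root="$1" new="$2" conf
  local acct_dir="$root/accounts/$PROD_HOST/directory/$new"

  # Only lowercase hex is accepted, so the value is safe in a path and in sed.
  case "$new" in
    ''|*[!0-9a-f]*) echo "not a hex account hash: $new" >&2; return 2 ;;
  esac
  # Refuse to edit anything unless the copied account is really present.
  if [ ! -f "$acct_dir/regr.json" ]; then
    echo "account $new not found in $acct_dir" >&2
    return 1
  fi

  for conf in "$root"/renewal/*.conf; do
    [ -e "$conf" ] || continue
    # Skip staging lineages: staging and production accounts are separate.
    grep -Eq "^server[[:space:]]*=[[:space:]]*https://${PROD_HOST}/directory[[:space:]]*\$" "$conf" || continue
    # Already on the shared account: nothing to do.
    if grep -Eq "^account[[:space:]]*=[[:space:]]*${new}[[:space:]]*\$" "$conf"; then continue; fi
    cp -p "$conf" "$conf.bak"
    sed -E "s/^account[[:space:]]*=.*/account = ${new}/" "$conf.bak" > "$conf"
    echo "$conf"
  done
  return 0
}

# Direct use: ./repoint.sh /etc/letsencrypt <hash>
if [ "$#" -eq 2 ]; then repoint_renewals "$1" "$2"; fi
```

Run it against a copy of /etc/letsencrypt first and compare each changed file with its .bak before the next renewal is due.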
