Consolidating Account IDs

I have been using certbot to automatically create subdomain certs for individual servers. I did register an email address for this and used the same email for each new cert. Now I’m hitting the rate limit regularly and would like to submit a rate limit wavier but in checking /etc/letsencrypt/accounts/*/regr.json for the account id I see each server has a unique account id. How would I go about consolidating all of the different account id’s into one so I can submit a rate limit wavier request?

Hi @davided,

To my knowledge, there is no protocol or server support for doing this. Maybe you could gradually migrate your renewals to one account and at the same time submit a rate limit exemption for that one?

Thanks for the reply. Each cert I’ve gotten so far is for a separate server, so Certbot defaults to creating a new account id on each server. What would be the correct method to migrate the account id during a renewal? It doesn’t appear that Certbot has a mechanism for specifying the account id on the command line.

I don’t think there’s an official, pretty option. The hacky option that probably works – you should certainly test it before deploying my ideas in production! – is:

  • Copy /etc/letsencrypt/accounts/ from your chosen box to all the others.
    (Or just /etc/letsencrypt/accounts/ if you prefer to maintain separate staging accounts.)

  • In /etc/letsencrypt/renewal/*.conf on all the other boxes, replace the hash in the “account =” line with the new one.
    You can get the correct hash from one of the renewal .conf files on the first server, or because it’s the name of the directory in /etc/letsencrypt/accounts/ (Literally, there’s a directory called “directory”, and you want its subdirectory.)

Certbot’s internal structure is subject to change in future versions, and you’re not supposed to go meddling with it, but it’s fairly simple if you want/need to.

Edit: Prod and staging have separate accounts. If you have staging certificates, be sure not to mix up the account hashes in the renewal config files.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.