Couldn't renew because of missing account

I ran this command: sudo certbot renew --reuse-key --force-renewal

It produced this output:
Failed to renew certificate with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/3797ff04176ba8551e6fc15a25dcd614 does not exist

My web server is (include version): Express Node v10.23.0

The operating system my web server runs on is (include version): Ubuntu 18 (Old machine), Ubuntu 20 (New machine)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Old machine - 0.31.0
New machine - 1.11.0

I am trying to move the keys from one server to another. I followed the steps from this link. I successfully migrated and it's working. But when I tried to renew the certificate, I got the above-mentioned error.

The reason I wanted to use the same key is because it is a mobile app server, and a lot of users already have the apps installed with the existing key.

Looking forward to your help

1 Like

Welcome Back to the Let's Encrypt Community 🙂

Note:
Your account was created under the ACMEv1 API, which is deprecated and will soon be obsolete.

The error that you are seeing is likely due to your certbot renewal configuration files referring to an ACME account file that didn't get migrated properly. You can simply register a new ACME account (if you haven't created one already) and acquire a new certificate (even with reusing the certificate private key).

sudo certbot register --email address@domain.com --agree-tos

You might need to update your certificate renewal configuration files to point to the new account. When you use --reuse-key, the private key is taken from an existing certificate file in the archive folder for that certificate that is pointed to by the symlink in the live folder for that certificate.

You can test your renewal using the following command without needing to use the abominable --force-renewal option:

sudo certbot renew --reuse-key --dry-run

If that command succeeds, your renewals should be fine.

2 Likes

I believe that will be required. After doing what @griffin suggests, you can make these two changes to the renewal configuration file.

In your existing file /etc/letsencrypt/renewal/example.com.conf (replacing example.com with your domain),

(1) Change the line beginning with account = so that the number to the right of the = sign is the one output by

sudo ls /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory

(2) Change the line beginning with server = so that it reads

server = https://acme-v02.api.letsencrypt.org/directory

After that, I expect sudo certbot renew --reuse-key --force-renewal will do what you expected.

2 Likes
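
The check behind the "Account ... does not exist" error and the two configuration changes described in the post above, as an added shell example (not code from the thread or from certbot). The function names, the LE_DIR override and the sample account ids are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not certbot code. LE_DIR is certbot's state directory.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
V2_SERVER="https://acme-v02.api.letsencrypt.org/directory"

# conf_get FILE KEY: print the value of the first "KEY = value" line.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# account_dir FILE: the directory the config points at, that is
# $LE_DIR/accounts/<server URL without scheme>/<account id>.
account_dir() {
    _server=$(conf_get "$1" server)
    printf '%s/accounts/%s/%s\n' "$LE_DIR" "${_server#*://}" "$(conf_get "$1" account)"
}

# account_exists FILE: succeed only if that account directory is present.
account_exists() {
    [ -n "$(conf_get "$1" account)" ] && [ -d "$(account_dir "$1")" ]
}

# repoint_to_v2 FILE: apply changes (1) and (2), keeping FILE.bak.
# Refuses to guess unless exactly one ACMEv2 account is registered.
repoint_to_v2() {
    _ids=$(ls "$LE_DIR/accounts/${V2_SERVER#*://}" 2>/dev/null)
    [ "$(printf '%s\n' "$_ids" | grep -c .)" -eq 1 ] || return 1
    cp -p "$1" "$1.bak" || return 1
    sed -e "s|^account[[:space:]]*=.*|account = $_ids|" \
        -e "s|^server[[:space:]]*=.*|server = $V2_SERVER|" "$1.bak" > "$1"
}

# make_sample: build a constructed state tree (made-up ids) in a temp dir
# and print its path: the config names a v1 account that was not migrated,
# while one newly registered v2 account exists.
make_sample() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/renewal" "$_d/accounts/acme-v02.api.letsencrypt.org/directory/0123abcd"
    printf '%s\n' '[renewalparams]' 'account = deadbeef' \
        'server = https://acme-v01.api.letsencrypt.org/directory' \
        > "$_d/renewal/example.com.conf"
    printf '%s\n' "$_d"
}

# Read-only report over every renewal config under LE_DIR.
for _f in "$LE_DIR"/renewal/*.conf; do
    [ -e "$_f" ] || continue
    account_exists "$_f" && echo "ok      $_f" || echo "MISSING $(account_dir "$_f")  ($_f)"
done
```

Running the script only reports; a file is rewritten only when repoint_to_v2 is called on it, and trying that first with LE_DIR set to a copy of the state directory keeps the live configuration untouched.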

By the way, I'm surprised that more people aren't encountering this same error when following the tutorial you followed—I expect it should always produce the error you ran into! (I wonder if some people are including more files in their backup than the tutorial explicitly told them to.)

2 Likes

@schoen

I tried to give him a way to avoid using the dreaded --force-renewal.

I think/hope it will work. Please correct me if I'm wrong here though.

1 Like

Does the acmev1 account really get "upgraded" - or is it just being replaced?

1 Like

@schoen @griffin With your help, I was able to migrate successfully. 🙂

2 Likes