Create a secondary key for my account

I want to rotate our Let's Encrypt account's key using the account ID or email.
I would like to ask if there is the chance to create a secondary key so I can replace it in our services and make sure they are working properly before deleting the current one.

You can rekey an ACME account, but doing so will immediately invalidate the old key. But unless you have had your rate limits adjusted, you can just create another ACME account that uses the same email address.

1 Like

Everything depends on which ACME client you're using. There's no technical limitation from Let's Encrypt's end, but your ACME client may or may not support re-keying and/or multiple ACME accounts.

We are using the Lego client, which is located at GitHub - go-acme/lego: Let's Encrypt/ACME client and library written in Go

Could you direct me to a document about how I can generate a new key for the current account?

The client doesn't matter; I can generate it with another client if Lego doesn't support it.

Do you have a specific reason for wanting a new key?

2 Likes

The current key is probably leaked, so we want to rotate it.

1 Like

I don't think any client supports account key rollover, while the API itself has it: you'd better look at the certificates in CT logs, revoke with the current account key if needed, then disable the current account with

1 Like

Yeah, most clients are sorely lacking in account key management. I don't think lego even has an "unregister" command.

If you don't have anything (like rate limits) specifically tied to your ACME account, the easiest approach is probably to just register a new account. I think that if you just delete the .lego/accounts folder, then lego would create a new account for you. (But I haven't tested that.)

I'm not sure what the right way of reporting a compromised account key is to get Let's Encrypt to block it, but you might want to email cert-prob-reports@letsencrypt.org with the account id (the uri in the .lego/accounts/acme-v02.api.letsencrypt.org/(email)/account.json file) to officially have someone look into it and they'll probably block it from use, or maybe tell you what else to do.

6 Likes

I implemented a client according to the RFC; the code is located at GitHub - khanzadimahdi/acme-key-rollover: an implementation of ACME key rollover for Letsencrypt API

I replaced our old key with the new one.

Thanks for helping.

4 Likes
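The key rollover exchange that the API offers and that the post above implemented, written out as an added example for this thread (it is not code from the original thread, from lego, or from the linked acme-key-rollover repository). It is in Go because the clients under discussion are. It builds the request body exactly as RFC 8555 §7.3.5 describes: an inner JWS signed by the new key, carrying the new key in its `jwk` header and no nonce, whose payload names the account URL and the old key; wrapped in an outer JWS signed by the old key with the usual `kid`, `nonce` and `url` headers. `verifyES256` is the check the CA runs on each layer (outer with the account's current key, inner with the key from its own `jwk` header) before it binds the new key; the CA also checks that the inner `account` equals the outer `kid`, that `oldKey` is the account's current key, and that the new key is not already bound to another account. The account URL, key-change URL and nonce in `main` are constructed placeholders; a real client takes them from its stored registration (the URI in lego's account.json mentioned above), from the directory's `keyChange` member, and from a `Replay-Nonce` header.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// flatJWS is the flattened JSON serialization ACME requires for every request (RFC 8555 §6.2).
type flatJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// b64 is the unpadded base64url alphabet JWS uses; pad32 left-pads a coordinate or signature
// half to the 32 bytes P-256 requires (a numerically short big.Int must not shorten the encoding).
func b64(b []byte) string     { return base64.RawURLEncoding.EncodeToString(b) }
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// dec base64url-decodes s and, when v != nil, JSON-unmarshals the result into v.
func dec(s string, v any) ([]byte, error) {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err == nil && v != nil {
		err = json.Unmarshal(b, v)
	}
	return b, err
}

// toJWK renders a P-256 public key in JWK form (RFC 7518 §6.2), as used in "jwk" headers
// and in the key-change payload's "oldKey" member.
func toJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(pad32(pub.X)), "y": b64(pad32(pub.Y))}
}

// signES256 signs payload under the protected header with a P-256 key. An ES256 JWS signature
// is the raw R||S pair, not the ASN.1 DER that crypto/ecdsa's SignASN1 would emit.
func signES256(key *ecdsa.PrivateKey, protected map[string]any, payload []byte) (flatJWS, error) {
	hb, err := json.Marshal(protected)
	if err != nil {
		return flatJWS{}, err
	}
	j := flatJWS{Protected: b64(hb), Payload: b64(payload)}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return flatJWS{}, err
	}
	j.Signature = b64(append(pad32(r), pad32(s)...))
	return j, nil
}

// verifyES256 reports whether j's signature over protected.payload verifies under pub; this is
// the check the CA runs on the outer JWS with the account's current key and on the inner JWS
// with the key taken from its own jwk header.
func verifyES256(j flatJWS, pub *ecdsa.PublicKey) bool {
	sig, err := dec(j.Signature, nil)
	if err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// KeyChangeRequest builds the body POSTed to the directory's keyChange URL (RFC 8555 §7.3.5):
// an inner JWS signed by the NEW key (jwk header, no nonce) over {"account", "oldKey"}, wrapped
// in an outer JWS signed by the OLD key with the usual kid + nonce headers. Both "url"s must match.
func KeyChangeRequest(oldKey, newKey *ecdsa.PrivateKey, accountURL, keyChangeURL, nonce string) ([]byte, error) {
	claims, _ := json.Marshal(map[string]any{"account": accountURL, "oldKey": toJWK(&oldKey.PublicKey)})
	inner, err := signES256(newKey, map[string]any{"alg": "ES256", "jwk": toJWK(&newKey.PublicKey), "url": keyChangeURL}, claims)
	if err != nil {
		return nil, err
	}
	innerJSON, _ := json.Marshal(inner) // a struct of three strings cannot fail to marshal
	outer, err := signES256(oldKey, map[string]any{"alg": "ES256", "kid": accountURL, "nonce": nonce, "url": keyChangeURL}, innerJSON)
	if err != nil {
		return nil, err
	}
	return json.Marshal(outer)
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed placeholder values: a real client takes the account URL from its stored
	// registration, keyChange from the directory, and the nonce from a Replay-Nonce header.
	body, err := KeyChangeRequest(oldKey, newKey, "https://acme.example/acme/acct/1", "https://acme.example/acme/key-change", "constructed-nonce")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

Once the CA answers 200 to this POST the old key is dead for that account, which is why the thread's suggestion to first check CT logs and revoke anything issued under the suspect key still applies: after rollover only the new key can act for the account.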

Thank you! I'm very excited to see this sort of tooling available; I've done some similar scripting using node while playing around with the ACME API, but nothing that actually would be releasable for others.

Just a couple suggestions, if you want to make this even better (based on skimming the source code, I haven't actually tried running it yet):

  1. Support ECDSA P-256 in addition to RSA account keys
  2. Support other key formats; I think certbot, for example, uses a JSON format on disk for storing account keys rather than PEM.
  3. Publish some binaries for common server platforms, so that people can just copy it onto their server and run it rather than needing to install a go compiler.

Though I understand that this is just something you put together to solve a problem you had, and you might not want to be actually expanding it a ton.

Another possibility, if you're up for writing more go code, is to see if you can get a pull request into lego itself adding a command for key rotation, so it's just there and not a separate thing that needs to be installed.

But that's all just me brainstorming ways to make it better, thank you again for publishing this!

4 Likes
