I am trying to set up certificates such that on a single server:
The sites are functional, with IP1 having Let's Encrypt SSL cert attached to it.
IP2 currently doesn't have any certs bound to it.
I saw this in searching:
... and it seemed to suggest that I should be able to create multiple ACME accounts, so I ran this command:
# certbot register -m firstname.lastname@example.org
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
There is an existing account; registration of a duplicate account with this command is currently unsupported.
My web server is (include version): Apache 2.4.27
The operating system my web server runs on is (include version): Ubuntu 17.10
I can login to a root shell on my machine
I am not using a control panel to manage my site.
How should one go about having two separate groups of certificates?
Certbot doesn’t need multiple accounts for multiple certificates. Unless you want to have the cert ‘coupled’ to a different email address.
I didn’t know the command doesn’t actually work by the way. The documentation if certbot didn’t mention it.
I did not use it myself so I don’t know if it works smoothly but you can do the following:
1.- Rename your original accounts directory:
mv /etc/letsencrypt/accounts/ /etc/letsencrypt/accounts.original
2.- Register a new account with a new mail:
certbot register -m email@example.com
3.- Copy the contents of original accounts dir to the new created one:
cp -prf /etc/letsencrypt/accounts.original/* /etc/letsencrypt/accounts/
Now you should have 2 accounts:
ls -l /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
drwx------ 2 root root 4096 Sep 30 19:05 xxxxxxxxxxxxxxx123456789aaaaaaaa/
drwx------ 2 root root 4096 Dec 29 11:45 yyyyyyyyyyyyyyy987654321bbbbbbbb/
If you want to create a new certificate you should specify the right account with
certbot certonly --account yyyyyyyyyyyyyyy987654321bbbbbbbb --webroot -w /var/www/letsencrypt/ -d your.domain.tld
As the account info is saved into the renewal conf files
certbot renew command should work to renew the existing certificates with the right account.
As @Osiris said, certbot can manage multiple certificates and doing this will add complexity to the process.
Disclaimer: I did not test this procedure so do it at your own risk… and before doing anything, backup your
/etc/letsencrypt/ dir… just in case
Cheers and Happy Holidays,
@Osiris - correct, I would like to keep the domains on one IP grouped together and registered with one email address distinct from the domains on the other IP and its email address.
@sahsanu - I’ll give that a go and report back
@sahsanu - it looks like it’s worked, in that the new account created, then I moved old account back, created new certs explicitly quoting new account, and then checked in renewal conf and confirmed differing account UUIDs.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.