Delete duplicate account on server?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: davidchmelik.com

I ran this command: certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Please choose an account


1: localhost@2017-04-26T08:10:05Z (4bd1)
2: localhost@2018-01-06T06:36:58Z (b051)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):

My web server is (include version): Apache 2.4.37

The operating system my web server runs on is (include version): Slackware64 14.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

How do I delete that second account that was accidentally created? (Apparently it doesn’t have my main certificate, just maybe a duplicate that can be deleted.)


#2

I believe the command is:
certbot unregister
But I’m not too familiar with it - I’ve never had to use it.


#3

Well, how do I select an account to unregister?


#4

It should prompt you to choose, but you need to know which one you want to delete.

Maybe
certbot certificates
will show which account each cert was created with (not sure).


#5

Hi @dchmelik,

Well, before doing anything, back up your /etc/letsencrypt/ dir, just in case:

Note: Just a warning: if you proceed to unregister your account, it doesn’t matter whether you restore your files from this backup; the account will be removed from the Let’s Encrypt database, so you will have lost that account. You will still have all the files, of course, but that unregistered account can’t be used again.

#As user root
tar zcvf /root/backup-etc_letsencrypt_2018-Nov-3.tar.gz /etc/letsencrypt/

Now you must identify the account you want to unregister. You can use this script to find out which accounts are defined on your system, which renewal conf files are associated with them, and which domains are associated with every cert.

Edit a new file (I’ve used vi but use the editor of your choice)

vi /root/leaccounts

Add these lines and save the file:

#!/usr/bin/env bash
# List every certbot account on this system, the renewal conf files that
# reference it, and the domains contained in each referenced certificate.
for i in /etc/letsencrypt/accounts/*/; do
    [ -d "$i" ] || continue          # no accounts dir matched the glob
    accounttype=$(basename "$i")
    echo "### Account Type: ${accounttype} ###"
    echo ""
    for x in /etc/letsencrypt/accounts/"${accounttype}"/directory/*/; do
        [ -d "$x" ] || continue      # no account id matched the glob
        accountid=$(basename "$x")
        echo "  Account ID: ${accountid}"
        # renewal conf files that mention this account id
        certificates=$(grep -l "$accountid" /etc/letsencrypt/renewal/*.conf 2>/dev/null)
        for z in $certificates; do
            echo "    Domains associated to renewal conf file $(basename "$z")"
            # path of the cert named by the "cert = ..." line of the renewal conf
            certfile=$(grep '^cert = ' "$z" | cut -d ' ' -f3)
            # SAN entries of that cert, with the "DNS:" prefixes stripped
            domains=$(openssl x509 -in "$certfile" -noout -text | grep 'DNS:' | sed 's/^[ \t]*//;s/[ \t]*$//' | sed 's/DNS://g')
            echo "    ${domains}"
            echo ""
        done
    done
    echo ""
done

Now add execution perms to the script:

chmod 700 /root/leaccounts

and execute it

/root/leaccounts

Note: if you already had an acme-v01 account, certbot could have created a symbolic link to that account inside the acme-v02 accounts dir, so the script could show them as two different accounts, but they are really the same account with the same account id.

Carefully review the output to identify the account id that you want to unregister, and once identified, unregister it:

certbot unregister --account heretheaccountid

If the account id is an account for the staging environment, you must add the --staging parameter:

certbot unregister --account heretheaccountid --staging

You will be asked to confirm it because this action is irreversible.

Once done, your account will be removed and you should not be asked again to select an account. But keep in mind that this process only deletes the information inside /etc/letsencrypt/accounts/type-of-account/directory/hereyouraccountid; it doesn’t remove any other dir, certificates or renewal conf files created using this account, so you should remove those dirs/files manually (please, before deleting anything, double check that you are deleting the unused dirs, files and renewal conf files).

Cheers,
sahsanu


#6

I would say that you don’t necessarily need to delete the account on the server. You can delete Certbot’s copy of the private key by deleting the associated directory in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory. Then you won’t be prompted anymore.

If you don’t know which account you want to delete, @sahsanu’s script above could help you to determine this.


#7

The script looked helpful but I did not need it. As sahsanu said and schoen helped me find, I found out the second account was merely a link, so I deleted it. I’m wondering if I did something to create that, or certbot did it for some reason…


#8

Hi @dchmelik,

Since certbot version 0.26.0, it defaults to using ACME API v02 instead of v01, so maybe you already had an account in the v02 dir, or certbot created it when requesting a new certificate. As certbot found an account in the v01 dir too, it created a symbolic link to this account in the v02 dir, so it seems you did nothing; certbot did it when it upgraded the version.

Cheers,
sahsanu


#9

So it’ll keep creating the link? Until that is hopefully improved to avoid apparent duplication, can I just rename the v01 to v02?


#10

@dchmelik, as far as I know, yes, it will create the symbolic link again, at least in the next upgrade, but I’m not 100% sure about this.

Don’t do that. Check if you are still using that v01 account in any of your renewal conf files (you can use the script I posted above). If you don’t have any renewal conf file using it, then yes, you can remove the v01 account from the dir /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/youraccount and also the symlink created in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/youraccount (but you already removed the symlink).

If you are still using it, you could replace the v01 account id in the renewal conf files with the v02 account id and, once done, remove the v01 account dir.

In the renewal conf files located in /etc/letsencrypt/renewal/ you will see a param like this:

account = herethev01accountid

so to use the v02 account you should replace the account id:

account = herethev02accountid

But please, backup /etc/letsencrypt/ before doing any change.

Cheers,
sahsanu
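The two checks discussed above (posts #5 and #10), as an added example that is not code from the thread or from certbot: detect account entries under /etc/letsencrypt/accounts that are only symlinks to another account (the same-account-id situation described in #8), map each renewal conf to the account id in its "account =" line, and rewrite that id to point a conf at another account. The tree, account ids (4bd1aaaa, b051bbbb) and domains it runs against are constructed in a temp dir so it runs offline; set LE_ROOT=/etc/letsencrypt to inspect a real tree, and back that dir up first as the thread advises.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from certbot. Inspects a certbot
# config tree for symlinked account entries, maps renewal confs to the
# account id they reference, and can rewrite that id. LE_ROOT defaults
# to a constructed temp tree; point it at /etc/letsencrypt for real use.

LE_ROOT="${LE_ROOT:-$(mktemp -d)}"
V01="acme-v01.api.letsencrypt.org"
V02="acme-v02.api.letsencrypt.org"

# Minimal renewal conf in certbot's layout (only the keys read below).
write_conf() {
    printf 'cert = %s/live/%s/cert.pem\n[renewalparams]\naccount = %s\n' \
        "$LE_ROOT" "$1" "$2" > "$LE_ROOT/renewal/$1.conf"
}

# Constructed tree mirroring the thread: one real account under v01, a
# symlink to it under v02 with the same id, and a second real v02 account.
make_fixture() {
    local v01="$LE_ROOT/accounts/$V01/directory"
    local v02="$LE_ROOT/accounts/$V02/directory"
    rm -rf "$LE_ROOT/accounts" "$LE_ROOT/renewal"
    mkdir -p "$v01/4bd1aaaa" "$v02/b051bbbb" "$LE_ROOT/renewal"
    ln -s "$v01/4bd1aaaa" "$v02/4bd1aaaa"
    write_conf example.com 4bd1aaaa
    write_conf example.net b051bbbb
}

# Prints dir, symlink or missing for the entry <type>/directory/<id>.
account_kind() {
    local entry="$LE_ROOT/accounts/$1/directory/$2"
    if [ -L "$entry" ]; then echo symlink
    elif [ -d "$entry" ]; then echo dir
    else echo missing
    fi
}

# One line per account entry: "<type> <id> <kind>[ -> <symlink target>]".
list_accounts() {
    local entry type id kind
    for entry in "$LE_ROOT"/accounts/*/directory/*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        id=$(basename "$entry")
        type=$(basename "$(dirname "$(dirname "$entry")")")
        kind=$(account_kind "$type" "$id")
        if [ "$kind" = symlink ]; then
            echo "$type $id symlink -> $(readlink "$entry")"
        else
            echo "$type $id $kind"
        fi
    done
}

# Account id named by a renewal conf's "account =" line (empty if none).
conf_account() {
    sed -n 's/^account *= *//p' "$1"
}

# Basenames of the renewal confs whose "account =" line names the given id.
confs_using_account() {
    local conf
    for conf in "$LE_ROOT"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        [ "$(conf_account "$conf")" = "$1" ] && basename "$conf"
    done
    return 0
}

# Point a renewal conf at another account id; only the "account =" line
# changes and a .bak copy of the conf is kept next to it.
replace_account() {
    local conf="$LE_ROOT/renewal/$1" old="$2" new="$3"
    cp "$conf" "$conf.bak"
    sed "s/^account *= *$old\$/account = $new/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

make_fixture
list_accounts
echo "example.com.conf uses account: $(conf_account "$LE_ROOT/renewal/example.com.conf")"
echo "confs on 4bd1aaaa: $(confs_using_account 4bd1aaaa)"
```

An entry reported as "symlink -> .../acme-v01.../directory/<id>" is the duplicate certbot created on the v01-to-v02 move, not a second account; before deleting the v01 directory, confirm that confs_using_account for that id prints nothing, or move those confs over with replace_account first.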


#11

Well, the v01 & v02 accounts had the same id. This situation wasn’t described, so I just revoked the certificate, did ‘rm -rf,’ and started over. I’d probably want to do the same next time things become more cluttered (chains or future accounts). Certbot is becoming more complicated and doing things a user wouldn’t expect. I still like it, but it’s also become more complicated when my strictly Unix-like OS made a plugin that automatically adds stuff to httpd files I prefer to edit by hand, because it may not be possible to not use the plugin…


#12

This is not what it says:

1: localhost@2017-04-26T08:10:05Z (4bd1)
2: localhost@2018-01-06T06:36:58Z (b051)

You had two different accounts; I suppose you had 1 in v01 and 2 in v02 (one of them as a symlink to the v01 account).

I don’t think so, but of course that is my opinion. Keep in mind that Let’s Encrypt evolves quickly and some changes can be a challenge for existing ACME clients like certbot, which have to deal with those new features, APIs, etc. and try to do it as smoothly as possible while supporting old and new features, APIs, etc. at the same time. That is challenging, so sometimes you could see some behaviour that is unexpected or confusing, but the change is made with the intention of keeping your installation up and running as smoothly as possible.

Cheers,
sahsanu