Determining the parameters of my account

This question is not about a certificate, but rather about my account.
Sorry if I seem dumb or naive.

Starting from the bottom, I impulsively unsubscribed from expiration emails on one server,
but I would still like to get them for another server. I read in documentation,
"you can't resubscribe, but if you change your email, it effectively does it".
I'm not even sure which email got that now-deleted expiration notice, and which email might
be getting notices for the other server.

Is a Let's Encrypt account the same as the one for this forum?
The certbot help refers to "ACME account". This is confusing.

Is there a way to find out what I've got?

Is this all done from the servers where the certificates are, or via websites?

There is the command

certbot update_account --email yourname+1@example.com
But I don't see anything about "tell me about my account".

Thank you.

3 Likes

They are not related.
[you might have used the same email address - I don't]

Not that I have ever heard of.

When you run certbot it will try to reuse the present account.
[if one doesn't exist (first run), one is created]

Let me add some examples that might help explain the cert email address situation:

  • The same certbot can manage multiple certs - each with their own "admin" and related email address.
  • The "same cert" can be individually created on two separate systems - each knowing nothing about the other (with individual accounts). And those servers can be managed by two different admins that prefer individual email addresses (and do so without any problem - AFAIK).

3 Likes

While certbot doesn't have an "external" command or option to view it, it does get returned by the ACME server and certbot does log it in its log at /var/log/letsencrypt/letsencrypt.log. Look for a line looking like:

2021-11-27 16:00:38,236:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f9920fac580>)>), contact=('mailto:fake-email@example.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging.api.letsencrypt.org/acme/reg/redacted', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 1234567890abcdefredactedaccounthash, Meta(creation_dt=datetime.datetime(2017, 3, 13, 13, 26, 15, tzinfo=<UTC>), creation_host='server', register_to_eff=None))>

Oh and it's also present in the file:

/etc/letsencrypt/accounts/${acme_server_URL}/directory/${your_account_hash}/regr.json

Where ${acme_server_URL} and ${your_account_hash} are of course the corresponding URL and hashes on your server.

So it might not be retrieved from the ACME server, but perhaps it's just stored locally and fetched from the above file into the log. Although I know that the ACME server can also return the e-mail address associated with an account.

5 Likes

@Osiris :
Your response was helpful, but it took some digging!

In all the log files, where it says "Picked account:...", it says "contact=()".

I had to go back to the first log file and the creation of the cert, from March, 2019, which fortunately was still there. Somewhere in there it says,

  "resource": "new-reg",
  "contact": [
    "mailto:me@mydomain.com"
  ]

In the regr.json file, all that is there is:
{"body": {}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/5xxxxxx4"}

So, that answered my question, but, while I suppose there are good reasons for all this complexity,
I find this whole process rather daunting, to say the least.

2 Likes
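The two places named in the posts above (the "Picked account" debug line and `regr.json`) can be read with a short script. This is an added example, not code from the thread or from certbot; the function names are hypothetical and the sample log lines are constructed from the shapes quoted above, including the `contact=()` and empty-`body` case.

```python
import ast
import json
import re
from pathlib import Path

# Constructed, abbreviated log lines in the shape quoted in the thread.
SAMPLE_LOG = """\
2021-11-27 16:00:38,236:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(...)>), contact=('mailto:fake-email@example.com',), agreement=None, status=None), uri='https://acme-staging.api.letsencrypt.org/acme/reg/redacted', new_authzr_uri=None), 1234567890abcdef, Meta(creation_host='server'))>
2021-12-01 09:12:03,101:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/5xxxxxx4', new_authzr_uri=None), abcdef, Meta(creation_host='server'))>
"""

PICKED = re.compile(r"^(\S+ \S+?):DEBUG:certbot\._internal\.main:Picked account: (.*)$")
CONTACT = re.compile(r"contact=(\(.*?\))")
URI = re.compile(r"\buri='([^']*)'")  # \b keeps new_authzr_uri from matching

def parse_picked_accounts(log_text):
    """Return one dict per 'Picked account' line: time, contacts, uri."""
    rows = []
    for line in log_text.splitlines():
        m = PICKED.match(line)
        if not m:
            continue
        c = CONTACT.search(m.group(2))
        u = URI.search(m.group(2))
        # contact=() (as reported in the thread) becomes an empty list
        contacts = list(ast.literal_eval(c.group(1))) if c else []
        rows.append({"time": m.group(1), "contacts": contacts,
                     "uri": u.group(1) if u else None})
    return rows

def read_regr(path):
    """Read one regr.json; 'body' may be {} with no contact stored locally."""
    data = json.loads(Path(path).read_text())
    return {"uri": data.get("uri"),
            "contacts": list(data.get("body", {}).get("contact", []))}

def scan_accounts(root="/etc/letsencrypt/accounts"):
    """Parse every regr.json found below the accounts directory."""
    return {str(p): read_regr(p) for p in sorted(Path(root).rglob("regr.json"))}

if __name__ == "__main__":
    log = Path("/var/log/letsencrypt/letsencrypt.log")
    text = log.read_text() if log.is_file() else SAMPLE_LOG
    for row in parse_picked_accounts(text):
        print(row)
    for path, info in scan_accounts().items():
        print(path, info)
```

An empty contact list here only means nothing is stored locally; the thread notes the ACME server can still hold an address for the account.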

Probably not. I think it's just something usually nobody is interested in, so the developers never put in any effort to build a feature that will return the account's email address.

5 Likes

Edit:

The post below has been superseded. The code (and more) has been merged into the Certbot code base (Add `show_account` subcommand to retrieve account info from ACME serv… · certbot/certbot@93c2852 · GitHub) and will be available when Certbot 1.23.0 is released.

Original post:


@pentolla

I've written a quick 'n dirty addition to certbot to retrieve and show the contact information available on the ACME server associated with a certain account:

I'm not sure how you've installed certbot on your host, but perhaps you or other users finding this thread might find it useful. Python is an interpreted high-level programming language, so it should be possible to just apply these modifications to the Python files of certbot on your disk. However, updating certbot would obviously remove these modifications, so it would be just temporary. (Note: if you're using "snap" to install certbot, I'm not sure if you can easily modify the contents of the certbot snap.)

Also note that my mod makes use of the already existing function query_registration() of the ACME library. Certbot just doesn't use that function anywhere currently, except for the mod above.

Cool feature of GitHub: by appending .patch to a commit URL, GitHub generates a patch file: https://github.com/certbot/certbot/commit/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch

Maybe this can be used to easily update existing certbot files on a host? I was able to patch my server's certbot by doing:

First find the certbot location by searching for a rather certbot-specific file:

server ~ # locate cli_constants.py
/usr/lib/python3.8/site-packages/certbot/_internal/cli/cli_constants.py
/usr/lib/python3.9/site-packages/certbot/_internal/cli/cli_constants.py
server ~ # 

My server has Python 3.8 as well as Python 3.9 installed. Python 3.9 is used by default, so I'm going to patch that one:

server ~ # cd /tmp
server tmp # wget https://github.com/certbot/certbot/commit/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch
server tmp # cd /usr/lib/python3.9/site-packages/certbot
server certbot # patch -s -p3 </tmp/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch

The option -p3 is necessary on my system; other values might be required on others, although I don't think so.

Real life output:

server ~ # certbot fetch_account
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: fetch_account
server ~ # cd /tmp/
server tmp # wget https://github.com/certbot/certbot/commit/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch
--2021-12-06 17:38:44-- https://github.com/certbot/certbot/commit/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3837 (3.7K) [text/plain]
Saving to: ‘8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch’

8bbf971b55e10eb9eb5243378d220 100%[=================================================>] 3.75K --.-KB/s in 0s

2021-12-06 17:38:44 (42.2 MB/s) - ‘8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch’ saved [3837/3837]

server tmp # cd /usr/lib/python3.9/site-packages/certbot
server certbot # patch -s -p3 </tmp/8bbf971b55e10eb9eb5243378d22072ee0ff5e7b.patch
server certbot # certbot fetch_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Phone number associated with account: none
Email address associated with account: redacted@example.com
server certbot #

5 Likes
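A check that can be run before `patch -pN` on installed files, added here as an example (not from the thread or the certbot project): it finds the strip level at which every file the patch changes resolves to an existing file under the directory `patch` will run from, and rejects paths that leave that directory. The function names are hypothetical; the sample patch headers, their repository paths and the demo tree are constructed.

```python
import tempfile
from pathlib import Path, PurePosixPath

# Constructed patch headers (hunk bodies omitted); repository paths are assumed.
SAMPLE_PATCH = """\
diff --git a/certbot/certbot/_internal/cli/cli_constants.py b/certbot/certbot/_internal/cli/cli_constants.py
--- a/certbot/certbot/_internal/cli/cli_constants.py
+++ b/certbot/certbot/_internal/cli/cli_constants.py
@@ -1,2 +1,3 @@
diff --git a/certbot/certbot/_internal/main.py b/certbot/certbot/_internal/main.py
--- a/certbot/certbot/_internal/main.py
+++ b/certbot/certbot/_internal/main.py
@@ -1,2 +1,5 @@
"""

def files_to_modify(patch_text):
    """Old-side paths of files the patch changes (newly created files are skipped)."""
    lines = patch_text.splitlines()
    return [old[4:].split("\t")[0].strip()
            for old, new in zip(lines, lines[1:])
            if old.startswith("--- ") and new.startswith("+++ ")
            and not old.startswith("--- /dev/null")]

def find_strip_level(patch_text, target_dir, max_level=6):
    """Smallest N for patch -pN such that every changed file exists in target_dir."""
    root = Path(target_dir).resolve()
    names = [PurePosixPath(n).parts for n in files_to_modify(patch_text)]
    for n in range(max_level + 1):
        if not names or any(len(parts) <= n for parts in names):
            return None
        paths = [root.joinpath(*parts[n:]).resolve() for parts in names]
        # Reject anything that escapes target_dir (e.g. '../' in a patch path).
        if all(p.is_file() and root in p.parents for p in paths):
            return n
    return None

def make_demo_tree(base):
    """Create a stand-in for site-packages/certbot and return that directory."""
    pkg = Path(base) / "site-packages" / "certbot"
    (pkg / "_internal" / "cli").mkdir(parents=True)
    (pkg / "_internal" / "cli" / "cli_constants.py").write_text("# stub\n")
    (pkg / "_internal" / "main.py").write_text("# stub\n")
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pkg = make_demo_tree(tmp)
        print("from package dir: -p%s" % find_strip_level(SAMPLE_PATCH, pkg))
        print("from site-packages: -p%s" % find_strip_level(SAMPLE_PATCH, pkg.parent))
```

A result of `None` means the installed tree does not match the patch's layout at any strip level, which is a reason to stop rather than try values by hand; GNU `patch --dry-run` then confirms that the hunks themselves apply.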

@Osiris
That would be useful if included in the standard release, but for me, it is not worth the time and effort of doing, and maintaining, a patch for something not used very often.
(Even more so in a language I'd have to start learning to do it.)

I appreciate the assistance I have received here, and thank you for going the extra mile on my behalf.

3 Likes

I've asked the certbot team if they're interested, although I'm hesitant to put up with maintaining the PR for months and months on end (as the certbot team is rather small, they often don't have time to review PRs that are not critical).

3 Likes

It has been added to certbot and will be included in its next release, 1.23.0!

5 Likes

If this shows your account URL, once this is released it might be nice to also update the Finding Account IDs documentation page to suggest just running this show_account command rather than suggesting spelunking through the account configuration JSON files.

3 Likes

That's a great idea indeed!

4 Likes


Certbot 1.23.0 has been released, including the implementation of the show_account subcommand!

2 Likes
