Find expiry email addrses for an account


#1

Is there a way to obtain the currently registered expiry email address for an account (assuming that I have the account secret key)?

(I know that I can set the address with “certbot register --update-registration”, but what I would like to do is get the current value).


#2

Hi @quinot

I didn’t test it. But the ACME-protocol says: Updating an account without a new mail address shows the current mail address (and the rest of the account data).

So check

certbot register --update-registration

without a mail-address. Otherwise: There are configuration files of certbot. Perhaps there is the mail address saved.


#3

It is in one of the JSON files in /etc/letsencrypt/accounts/, but it can potentially be out of date, like if you use the same account on two computers and used --update-registration to change it. (Most people don’t do that, though.)

It also happens to get logged in /var/log/letsencrypt/letsencrypt.log frequently.


#4

The reason why I want to check the address associated with an account is precisely because I suspect I cannot trust what I have in /etc/letsencrypt/accounts/ (files might have been edited by hand there).

What operations would cause the current address registered on the server side to be logged to letsencrypt.log? And how does the client retrieve that information from the server in order to log it?


#5

The ACME-protocol knows only create, update with data, update without data and deactivation.

And “update without data” gives the account information:

7.3.3 Account Information

https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3.3

If a client wishes to query the server for information about its account (e.g., to examine the “contact” or “orders” fields), then it SHOULD do so by sending a POST request with an empty update. That is, it should send a JWS whose payload is an empty object ({}).

So “certbot register” or “certbot register --update-registration” without a new mail address shouldn’t change something, but sends the required empty object and gets the account information.


#6

Ah, good, that’s exactly the information I needed.

certbot doesn’t currently appear to allow an empty email address:

  Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): 
  Invalid email address: .

but I can work from there. Thanks!


#7

You can enter a new mail address, so your existing account + key is updated.

But I am wondering that certbot doesn’t have this “show account data” - option.

Letsencrypt supports that.


#8

#9

Good idea, thanks.

PS: Perhaps you may add a link to your current thread.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.