How do I change the admin email address used for key recovery?


#1

The email address used as the admin email when we started using Let’s Encrypt needs to be modified (a former employee used his personal email address as the admin email, and he is no longer with the firm). What steps need to be taken to get that modified? (We can get the former employee to confirm this.) We need to remove his personal email address and replace it with a new email address. This will be used for key recovery actions. In either case, I would like the former employee’s personal email address to be removed. What steps do I need to take to accomplish this? (If my understanding of the process is incorrect, kindly point me in the right direction.) Thanks in advance.


#2

I need to change my email address, too. I think ideally you would revoke your current certificate and then request a new certification with the correct --email set.

I haven’t been able to find any information about actually performing an account recovery via e-mail; I don’t think it’s possible yet. So I think I’m going to just let my cert expire and renew it using the correct e-mail address when this cert gets close to expiring.


#3

To be clear: Let’s Encrypt does not offer any key recovery service. Private keys are generated on your machines and are never under any circumstances shared with Let’s Encrypt. That said, I assume you meant account recovery. Account recovery is not yet implemented. It was originally planned as a way to ensure that the Proof of Possession challenge wouldn’t completely prevent people from issuing certificates, but since PoP is not implemented, account recovery is lower priority.

However, there’s another good reason you might want to change the email address on an account: So that you get expiration emails. This is supported in the ACME protocol and in the Boulder software: POST a signed update to your account object (aka registration object) with a new value for the Contacts field. However, unfortunately this is not yet implemented in the Python client. We have an open issue for it: https://github.com/letsencrypt/letsencrypt/issues/1215.
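The "signed update to your account object" described above, worked through as an added example (this is not Boulder's or certbot's code). It builds the request in the RFC 8555 form the protocol later standardised: a protected header carrying alg, the account URL as kid, a Replay-Nonce and the target url; a payload of {"contact": [...]}; and an ES256 signature over the base64url header and payload. It also includes the check the CA performs on receipt, so you can see that only the holder of the account private key can make this change. The account URL, nonce and contact address are constructed values; the thread predates RFC 8555, so the pre-standard Boulder "registration" message of that time differs in field names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWS requires base64url without padding (RFC 7515 section 2).
var b64 = base64.RawURLEncoding

// JWS is the flattened JSON serialisation ACME mandates (RFC 8555 section 6.2).
type JWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// protectedHeader for a request against an existing account: the key is named
// by its account URL ("kid") rather than embedded as a "jwk".
type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// BuildAccountUpdate signs the account-update request that replaces the
// account's contact list (RFC 8555 section 7.3.2). The request is POSTed to
// accountURL, which is therefore both "kid" and "url"; nonce is the value of a
// Replay-Nonce header obtained from the CA beforehand.
func BuildAccountUpdate(key *ecdsa.PrivateKey, accountURL, nonce string, contacts []string) (JWS, error) {
	hdr, err := json.Marshal(protectedHeader{Alg: "ES256", Kid: accountURL, Nonce: nonce, URL: accountURL})
	if err != nil {
		return JWS{}, err
	}
	body, err := json.Marshal(map[string][]string{"contact": contacts})
	if err != nil {
		return JWS{}, err
	}
	protected := b64.EncodeToString(hdr)
	payload := b64.EncodeToString(body)

	// Signing input is ASCII(BASE64URL(header) || '.' || BASE64URL(payload)).
	digest := sha256.Sum256([]byte(protected + "." + payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return JWS{}, err
	}
	// JWS ES256 signatures are the fixed-width R||S concatenation (64 bytes),
	// not the ASN.1 DER form that ecdsa.SignASN1 would produce.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return JWS{Protected: protected, Payload: payload, Signature: b64.EncodeToString(sig)}, nil
}

// VerifyAccountUpdate is the CA side: it checks that the header names the
// endpoint the request actually arrived at, that the signature verifies under
// the key already bound to the account, and only then returns the new contacts.
func VerifyAccountUpdate(pub *ecdsa.PublicKey, postedTo string, msg JWS) ([]string, error) {
	hdrBytes, err := b64.DecodeString(msg.Protected)
	if err != nil {
		return nil, err
	}
	var hdr protectedHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" || hdr.URL != postedTo || hdr.Kid != postedTo {
		return nil, fmt.Errorf("header rejected: alg=%q url=%q kid=%q", hdr.Alg, hdr.URL, hdr.Kid)
	}
	sig, err := b64.DecodeString(msg.Signature)
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed signature")
	}
	digest := sha256.Sum256([]byte(msg.Protected + "." + msg.Payload))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("bad signature: not signed by the account key")
	}
	body, err := b64.DecodeString(msg.Payload)
	if err != nil {
		return nil, err
	}
	var p struct {
		Contact []string `json:"contact"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	return p.Contact, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the stored account key
	acct := "https://acme.example/acme/acct/123"               // constructed account URL
	nonce := "oFvnlFP1wIhRlYS2jTaXbA"                          // constructed Replay-Nonce value
	msg, err := BuildAccountUpdate(key, acct, nonce, []string{"mailto:security@example.com"})
	if err != nil {
		panic(err)
	}
	contacts, err := VerifyAccountUpdate(&key.PublicKey, acct, msg)
	fmt.Println(contacts, err)
}
```

The point for the situation in the first post: the contact address is a notification setting, and the thing that actually authorises changes to the account is the account private key, which the client keeps locally (certbot stores it under /etc/letsencrypt/accounts). Whoever holds a copy of that key can sign a further update and put any address back, so the check worth doing is that the key file lives only on machines the firm controls; if that cannot be established, create a fresh account key and re-issue under it rather than only editing the contact.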


#4

@jsha Can you please expand on what

means? Where can I find documentation about where this lives? Are we talking an http request? Is there a command to create this POST update? I mistyped my email address on the very first step of the letsencrypt certonly command on an Ubuntu 16.04 system.

Thanks


#5

May have found a solution:

The command I originally ran:

letsencrypt certonly -a webroot --webroot-path=/home/deploy/MY_RAILS_APP/public -d MY_DOMAIN --dry-run

That command brought up a full-screen, blue-backgrounded wizard whose first question was “what’s your email address?” (roughly speaking). My answer was MY_INCORRECT_EMAIL@gmail.com.

Subsequent runs of the same command skipped the “what is your email?” step, so I started searching for the question of how to update email.

I was able to move forward by adding the --email flag to the same command:

letsencrypt certonly -a webroot --webroot-path=/home/deploy/MY_RAILS_APP/public -d MY_DOMAIN --dry-run --email MY_CORRECT_EMAIL@gmail.com

This produced some successful-looking messages so I repeated the command without --dry-run and everything seems to be working now.

Thanks for the great tool!


#6

Late to the party but there’s now support for this. The command I used was certbot register --update-registration.