I’ve been integrating and testing an automated renewal system for my website (I’m using Rails on Heroku, so getting certificates through Certbot is a messy certonly affair). To do that, I extracted the private_key.json file from a subdirectory of /etc/letsencrypt/accounts, converted it to PEM, and checked it in to my source repository.
I thought that when I did this, I put a passphrase on the PEM file so the repository alone couldn’t grant access to my Let’s Encrypt account. However, I later discovered that it somehow was not passphrased, and so my account’s private key is unprotected in my repository. Embarrassing, but it happens sometimes.
This is not an immediate disaster—as far as I know, my source code hasn’t leaked—but it does call for me to replace my account key with one that’s still secret just in case it leaks later. How do I do that? I can’t seem to find a command in Certbot or a feature on the Let’s Encrypt website that would perform this task.
(I’m using certbot 0.9.3 on macOS Sierra to manage the account. What I’m doing on the server probably isn’t relevant to this question, but there I’m using the acme-client gem version 0.3.7.)
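The mistake described above (believing a PEM key was passphrase-protected when it was not) is easy to catch before a commit. The following is an added example, not code from the poster or from Certbot: a small stdlib-only check that classifies key material as an encrypted PEM, an unencrypted PEM, or a JWK with private parameters (the shape of Certbot's private_key.json). All sample strings are constructed stand-ins, not real keys.

```python
import json
import re

# Constructed samples (not real keys): just enough structure to exercise the checks.
UNENCRYPTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_PKCS1_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "MIIE...\n-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_PKCS8_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n"
JWK_PRIVATE = json.dumps({"kty": "RSA", "n": "abc", "e": "AQAB", "d": "secret", "p": "x", "q": "y"})
JWK_PUBLIC = json.dumps({"kty": "RSA", "n": "abc", "e": "AQAB"})

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def classify_key_material(text):
    """Return findings for key material in `text`:
      "pem-encrypted"   - PEM private key protected by a passphrase
      "pem-unencrypted" - PEM private key with no passphrase (do not commit)
      "jwk-private"     - JSON Web Key carrying a private exponent ("d"),
                          i.e. the contents of Certbot's private_key.json
    """
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if "PRIVATE KEY" not in label:
            continue  # certificates, public keys and CSRs are fine to commit
        if label == "ENCRYPTED PRIVATE KEY":
            findings.append("pem-encrypted")  # PKCS#8 encrypted container
        elif "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("pem-encrypted")  # legacy PKCS#1 with DEK-Info headers
        else:
            findings.append("pem-unencrypted")
    try:
        jwk = json.loads(text)
    except ValueError:
        jwk = None
    if isinstance(jwk, dict) and jwk.get("kty") and "d" in jwk:
        findings.append("jwk-private")
    return findings


def safe_to_commit(text):
    """True only if no unprotected private key material was found."""
    return not any(f in ("pem-unencrypted", "jwk-private") for f in classify_key_material(text))
```

Running `safe_to_commit` over staged files in a pre-commit hook would have flagged the unprotected PEM before it reached the repository.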