How to run certbot instance simultaneously without creating account for each

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Any domain pointed to our server. I'm generating certificates for each domain inputs in our system.

I ran this command: certbot certonly --manual --manual-auth-hook ./authenticator.sh --manual-cleanup-hook ./cleanup.sh --agree-tos --manual-public-ip-logging-ok --config-dir ./.tmp/{hostname}/config --logs-dir ./.tmp/{hostname}/logs --work-dir ./.tmp/{hostname}/work -d {hostname} -m ${email} -n

It produced this output: It's working fine but eventually It will hit the "too many registrations for this IP address" limit.

My web server is (include version): Nodejs http. I'm using the manual mode.

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

2 Likes
2

Welcome to the Let's Encrypt Community, Luis :slightly_smiling_face:

I recommend starting here:

1 Like
3

Yeah I've already read that. But how can you actually do this?

In ACME, it’s possible to create one account and use it for all authorizations and issuances, or create one account per customer.

Do I certbot register then --account to my certbot certonly command?

Also I'm running this in a container.

3 Likes
4

Running from within a container is one of the tricky scenarios we're often presented with here. The best way to handle accounts (and certificates) in this type of setup is to create the account(s) up front and import the credentials into the containers. The same applies to certificates for domain names that are being re-used.

3 Likes
5

Doing these things are crucial to keep you from running afoul of the rate limits:

2 Likes
6

Oh okay but how can i point the created account (let's say main account) when I'm using separate directories for each domain on each issuance?

Like these:
--config-dir ./.tmp/{hostname}/config --logs-dir ./.tmp/{hostname}/logs --work-dir ./.tmp/{hostname}/work

what option do i need to attach to point to the main account?

2 Likes
7

I don't believe that you do. As long as you're using the same installation of certbot, the same account will be used for all executions. In essence, once you've created an account, strip away all the extra parameters for account creation and management from your command.

This:

certbot certonly --manual --manual-auth-hook ./authenticator.sh --manual-cleanup-hook ./cleanup.sh --agree-tos --manual-public-ip-logging-ok --config-dir ./.tmp/{hostname}/config --logs-dir ./.tmp/{hostname}/logs --work-dir ./.tmp/{hostname}/work -d {hostname} -m ${email} -n

becomes this:

certbot certonly --manual --manual-auth-hook ./authenticator.sh --manual-cleanup-hook ./cleanup.sh --config-dir ./.tmp/{hostname}/config --logs-dir ./.tmp/{hostname}/logs --work-dir ./.tmp/{hostname}/work -d {hostname} -n

You might want a --preferred-challenges in there somewhere too.

The idea here is just to duplicate the credentials between the folders for each instance. That way you're not creating a new account. Consider it like making photocopies of an ID badge. The Let's Encrypt server doesn't care if you use the same account with 500 instances (as long as you're within the rate limits).

2 Likes
8

The global configuration file is really your friend here. You CAN specify your credentials in that file. :grin: This should save you the hassle of duplicating many things.

3 Likes
9

This is the Dockerfile

FROM node:14.15.4-buster

WORKDIR /srv/node

RUN apt update && \
  apt install -y curl certbot  && \
  apt clean

RUN certbot register -m email@gmail.com --agree-tos -n

COPY ./certs /srv/node/certs
COPY ./build /srv/node/build
COPY ./package.json /srv/node/package.json
COPY ./package-lock.json /srv/node/package-lock.json
COPY ./authenticator.sh /srv/node/authenticator.sh
COPY ./cleanup.sh /srv/node/cleanup.sh
COPY ./certbot-account /srv/node/certbot-account

RUN npm install --production && mkdir tokens

EXPOSE 80
EXPOSE 443

CMD npm start

as you can see the main account will be generated at
RUN certbot register -m email@gmail.com --agree-tos -n

But removing -m actually throws an error :confused:. I'll try again thanks for responding.

3 Likes
10

Did you also remove the email address?

1 Like
11

Ohhh that might be the answer :star_struck:

3 Likes
12

Yeah. Dockerfolk are usually pretty happy with that. It's quite powerful (at creating headaches) so use it wisely.

2 Likes
13

I've gotta run for now. There are many others around here who could pick this up in the meantime to help.

1 Like
14

Okay thanks griffin.

3 Likes
15

You're quite welcome! :blush:

Happy experimenting!

3 Likes
16

Running multiple instances of Certbot at the same time, against the same configuration directory, is unsafe.

Certbot uses a lockfile to prevent this scenario.

Some approaches you can use:

  • Serialize your use of Certbot so that only one copy of it is running at once. Put requests into a queue, and process the queue one at a time.
  • Run Certbot concurrently, but against different configuration directories (e.g. one per tenant). You could copy the accounts/ directory so that each instance of Certbot is still technically using the same ACME account.
  • (My recommendation): don't use Certbot at all if you are doing things programmatically. Find an ACME library for Node.js and obtain certificates using the API. Since you've already written the auth hooks, you've done the hard part. The rest is just some basic function calls.
6 Likes
17

Someone might have the same approach so I'll share what I did.

  • Created a main account: certbot register -m email@gmail.com --agree-tos -n
    It will produce the account in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/MAIN_ACCOUNT(its hashed)
    Now you can freely copy and rename the MAIN_ACCOUNT anywhere in the host or in another machine.

  • Copied the MAIN_ACCOUNT in the root directory of our system/project and renamed it to certbot-account

  • Then attach --account /path/to/certbot-account on our certbot command
    certbot certonly --manual --manual-auth-hook ./authenticator.sh --manual-cleanup-hook ./cleanup.sh --agree-tos --manual-public-ip-logging-ok --config-dir ./.tmp/{hostname}/config --logs-dir ./.tmp/{hostname}/logs --work-dir ./.tmp/{hostname}/work -d {hostname} -m --account /path/to/certbot-account -n
    This time it will not create a new account because you are pointing it to the certbot-account.

Note: I'm using certbot 0.40.0 --account /path/to/account may not work on lower versions because it doesn't recognize the path and you will encounter Account IDS mismatch. IDK :thinking:

3 Likes
18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.