How to use multiple accounts with Certbot?


#1

Is it possible to use multiple accounts with Certbot?


#2

Hi @toc-rox

yes, it’s possible. There are users with screenshots.

Certbot asks, which account should be used.

And there is an

 --account ACCOUNT_ID

you can use.


#3

You mean multiple accounts against a single ACME server, right?

Certbot does support this, but only partially. If you copy multiple account directories into /etc/letsencrypt/accounts/{server}/directory (say, from different servers), then Certbot will prompt you to choose one, when using that ACME server.

You can also specify --account xxxxx, where the value is the name of the directory for that account.

However, I don’t think Certbot allows you to actually create multiple accounts against a single ACME server. The register command complains:

There is an existing account; registration of a duplicate account with this command is currently unsupported.
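
The account directory layout described in post #3, as an added example that is not part of the original thread or of Certbot itself: a shell sketch that lists the account directories per ACME server and reports servers holding more than one, where Certbot would prompt unless `--account` is given. The function names `list_accounts` and `ambiguous_servers` are hypothetical, and the layout `<config_dir>/accounts/<server>/directory/<account_id>/` is assumed from the path quoted above.

```shell
#!/bin/sh
# Added example (not Certbot code): enumerate ACME accounts in a Certbot
# config tree. Assumed layout, taken from the path quoted in the thread:
#   <config_dir>/accounts/<server>/directory/<account_id>/

# Print one "server account_id" line per account directory.
list_accounts() {
    config_dir=${1:-/etc/letsencrypt}
    for acct in "$config_dir"/accounts/*/directory/*/; do
        [ -d "$acct" ] || continue        # glob matched nothing
        acct=${acct%/}                    # drop trailing slash
        id=${acct##*/}                    # last path component = account id
        server=${acct%/directory/*}       # strip "/directory/<id>"
        server=${server##*/}              # last component = server name
        printf '%s %s\n' "$server" "$id"
    done
}

# Print "server count" for every server with more than one account.
# On these servers Certbot asks which account to use, so unattended
# runs need an explicit --account <account_id>.
ambiguous_servers() {
    list_accounts "$1" |
        awk '{ n[$1]++ } END { for (s in n) if (n[s] > 1) print s, n[s] }' |
        sort
}

# Stand-alone use: sh script.sh /etc/letsencrypt
if [ "$#" -gt 0 ]; then
    list_accounts "$1"
    ambiguous_servers "$1"
fi
```

The second column of `list_accounts` is the directory name, which is the value post #3 says to pass to `--account`.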


#4

Yes, that’s right … and thanks for the responses so far.


#5

Can you explain the use case for having/using multiple accounts on the same system?

I’m trying to think of ways to force it…
But wondering why?
What is to be gained?

Since, they are FREE to get and are basically “disposable”.
And even email communications can be tied to specific domains (so even one account can still serve many email recipients - like from an HSP perspective).


#6

Do you have multiple mail addresses? If yes, why? A typical answer will be: Just to separate things.

BTW: It seems that Certbot doesn’t really support separation. Certbot is a very complex application … too complex in my eyes. It has two basic problems: Certbot has to be backwards compatible and isn’t able to lose weight. And on the other hand it seems a bit “over-engineered” (autoload, plugins, …). I wonder what a version 1.0.0 will look like.


#7

Multiple mail addresses and multiple accounts are different things.
I think certbot can do multiple email addresses within the same account.
So… do you really need multiple accounts or just more than one email address per account (like to have a specific email address linked to a specific cert)?


#8

Multiple accounts are indeed required to properly separate things.


#9

I think you may find the best result for your need is to interact with the available APIs (directly bypassing the certbot app/interface).
[instead of trying to force certbot to do things it really is not readied for]
I don’t use them myself, so I wouldn’t be able to assist you there; but there are others who can.
See: https://letsencrypt.readthedocs.io/en/latest/api.html

OR
I suppose you could force certbot to hold multiple accounts by combining folders from different systems (containing different accounts).
Or if you are really daring… force it to do that in the same system.
In any case, you would probably be the first/only one to do anything like this (on purpose); so don’t take anything below as an actual recommendation.
Possible method:

  • Move/rename the local accounts folder and force it to create new accounts (as many as needed)
  • Then combine all accounts into one single folder.

Side-effects may include:

  • Finding help with any related trouble encountered may be even more difficult than usual.
  • Automated commands may have to include a “use this specific account tag” for each action.

And all I can find, relating to anything close to that, is on “--account” / “ACCOUNT_ID” but that only relates to the “unregister” command. Which is the exact opposite of what you want.
[(again) NOT RECOMMENDED. “Kids: Don’t try this at home!”]


#10

Yes, I agree. Certbot isn’t an ideal choice if one needs multiple accounts. The lego client has much better support for this. I think I will go with the lego client or the excellent lego library (in order to write my own client).

