I'm in the process of migrating to certbot as the ACME client and intend to run it in certonly mode.
Upon reading the man page / help output I stumbled over the --register-unsafely-without-email flag, for which the help states:
--register-unsafely-without-email
Specifying this flag enables registering an account
with no email address. This is strongly discouraged,
because in the event of key loss or account compromise
you will irrevocably lose access to your account. You
will also be unable to receive notice about impending
expiration or revocation of your certificates. Updates
to the Subscriber Agreement will still affect you, and
will be effective 14 days after posting an update to
the web site. (default: False)
Unfortunately this help text only partly explains its implications.
I was wondering: What's the broader picture here? It states that I could lose access to my account, but which account? What does the account allow me to do and what are the implications of losing it? Can't I just create a new one? Will I still be able to create certificates for a domain used by a previous account in this case?
I think my current client is just running without an email, but since this is strongly discouraged I wish the help text gave more details about the account part.
From a high level: it's important that your ACME account is kept secure, but it doesn't matter at all if you lose access to it.
On the point of security: if somebody manages to steal your account, they might be able to create an unauthorized certificate for a domain which you secured previously.
On the point of losing access to your account, it doesn't really matter. For example, if your server was re-installed and took your ACME account with it, you could just create a new one and continue creating certificates for the same domains. This happens all the time. The old account would just become irrelevant.
Finally, the main reason you are asked to register your email address is so that:
You can receive email warnings if your certificates are about to expire, which indicates that Certbot's automated renewal is not working and needs your attention.
Let's Encrypt is able to contact you individually if there is a need. For example, if you are using a buggy client, or if there was some kind of incident affecting your certificates.
The email address doesn't actually have any control over your account, it's used only for notification purposes.
We've seen on this forum that being able to get these notifications is very, very useful, unless you're using some other form of active monitoring of your own certificates and renewals. (I think the knowledge that there could be changes on the CA side that require actions or updates by the user was part of why this Certbot option calls it "unsafe" not to share an e-mail address with the CA.)
So why does it say that if I don't provide an email, that "in the event of … account compromise you will irrevocably lose access to your account"? Even if I do provide an email, an adversary with my account key could still change the key and I'd lose access to the account, right? Is there some password-reset via email type concept that's being envisioned here? Since I didn't think that was how ACME worked. (And an adversary with my account key could change both the key and the email address fairly easily anyway, right?)
Your argument has always made total sense to me, Peter. I feel like ACME accounts are basically "throwaway" constructs with a portrayed illusion of security. As the ACME account email address is entirely omissible and readily mutable (yet not removable?) with possession of the ACME account key, there really is no process to monitor the integrity of an ACME account from an owner's perspective. Even cPanel has checkbox settings that notify the owner of changes via a specified email address (even if those changes are to the notification settings themselves). I have never received an email about my ACME account email address being modified, so I'm not sure if there's even a policy mechanism in place there. I know for sure there's no confirmation of addition or change of an ACME account email address. In case everyone is not aware, a change to an ACME account email address applies to all certificates issued by the ACME account, not just certificates issued subsequent to the change. From an attacker's perspective, it's a bit like a ninja cutting the power to the building before striking the target. The ninja can even restore the power after the strike (by reinstating the previous email address). All that remains is a pile of mangled certs that may not be found until it's far too late.
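Two points from the replies above (the e-mail address has no control over the account, and there is no owner-side process that watches an account's contact for changes) can be made concrete with a small script. This is an added example, not code from the thread or from Certbot: it computes the RFC 7638 JWK thumbprint that identifies an ACME account key, shows that the thumbprint is unaffected by the contact list or by optional key members, and runs an owner-side drift check over constructed account objects of the shape the ACME account resource uses. The RSA key is the example key printed in RFC 7638, so the thumbprint can be compared with the value in that document; the account records, contact addresses and the check itself are constructed for this example.

```python
"""Added example (not from the forum thread or Certbot): an ACME account is
identified by its key, not by its contact e-mail. The RFC 7638 JWK thumbprint
is a stable identifier for the key; the contact list is a mutable attribute
that the account owner has to monitor themselves. Standard library only."""
import base64
import hashlib
import json

# Members that enter the thumbprint, per RFC 7638 section 3.2.
# Optional members (kid, alg, use, ...) are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted members,
    no whitespace) of the required public-key members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def contact_drift(account: dict, expected_contacts: set) -> list:
    """Owner-side integrity check (constructed for this example): compare the
    contact list the CA reports for an account with what the owner expects.
    Returns findings as strings; an empty list means the contact is as expected."""
    reported = set(account.get("contact", []))
    findings = []
    for missing in sorted(expected_contacts - reported):
        findings.append(f"expected contact missing: {missing}")
    for extra in sorted(reported - expected_contacts):
        findings.append(f"unexpected contact present: {extra}")
    if not reported:
        findings.append("account has no contact at all: no expiry or incident notices will arrive")
    return findings


# Sample key: the RSA JWK from RFC 7638 section 3.1 (kid and alg are optional members).
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed account objects in the shape of the ACME account resource (RFC 8555
# section 7.1.2): the same key before and after someone holding it changed the contact.
ACCOUNT_BEFORE = {"status": "valid", "contact": ["mailto:ops@example.org"],
                  "key": RFC7638_EXAMPLE_JWK}
ACCOUNT_AFTER = {"status": "valid", "contact": ["mailto:someone-else@example.net"],
                 "key": RFC7638_EXAMPLE_JWK}
EXPECTED_CONTACTS = {"mailto:ops@example.org"}


def demo() -> dict:
    """Tie the pieces together; returns the values a caller may want to inspect."""
    return {
        "identity_before": jwk_thumbprint(ACCOUNT_BEFORE["key"]),
        "identity_after": jwk_thumbprint(ACCOUNT_AFTER["key"]),
        "drift_before": contact_drift(ACCOUNT_BEFORE, EXPECTED_CONTACTS),
        "drift_after": contact_drift(ACCOUNT_AFTER, EXPECTED_CONTACTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The account identity is the same before and after the contact change, which is why a changed e-mail address is invisible to the CA's notion of "who owns this account" and why an owner needs a check like `contact_drift` (run against the contact the CA actually reports, e.g. from a POST-as-GET to the account URL) rather than relying on the address itself. An account registered with --register-unsafely-without-email simply has an empty contact list, which the check reports as the third finding.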
And just to be clear, I'm just nitpicking the exact wording in certbot, I do agree that it's a good idea to associate an email with your account so that you can get expiration notices, API breakage notices (like I got when TLS-SNI-01 validation was removed), incident notification, and so forth. I find it odd that @AnonymousRhino's prior client (whatever it was) wouldn't have a similar warning about not providing an email.
That help text is out-of-date and the help text printed by the current version of Certbot says:
--register-unsafely-without-email
Specifying this flag enables registering an account
with no email address. This is strongly discouraged,
because you will be unable to receive notice about
impending expiration or revocation of your
certificates or problems with your Certbot
installation that will lead to failure to renew.
(default: False)
If you're curious why it used to say that, check out Contact-Based Recovery from early draft versions of the ACME spec.
I was previously using a former version of dehydrated. Meanwhile, I replaced it with one I implemented on my own, which I'm again replacing, but dehydrated still doesn't mention anything about the e-mail on the GitHub page. I also don't bother much about the e-mail notifications.
Yes, you're right, the packaged version of certbot is quite a bit older. I should've checked that, as the newer text sounds a lot less alarming.