Locating the MAC key for a LetsEncrypt account created by cert-manager

My LetsEncrypt account id is: 77079176

I am trying to use a fixed ACME account id with cert-manager and LetsEncrypt in order to have higher rate limits across multiple Kubernetes clusters.

I am trying to follow the documentation for ExternalAccountBindings here: https://cert-manager.io/docs/configuration/acme/#external-account-bindings

For reference: External Account Bindings require three fields on an ACME Issuer which represents your ACME account. These fields are: the keyID by which your external account binding is indexed by the external account manager, keySecretRef which references a secret containing a base64 URL-encoded string of your external account symmetric MAC key, and finally keyAlgorithm, the MAC algorithm used to sign the JSON web string containing your External Account Binding when registering the account with the ACME server.

I have my account id, but I do not know the MAC key, or its algorithm.
Cert-manager version is 1.16.

How can I locate this information?

Let’s Encrypt does not use External Account Bindings.

Some CAs do, like Sectigo, and those EAB credentials are available from the CA’s web interface. This allows you to have multiple independent ACME accounts that are all associated with a single external account/identity.

If you want to use the same Let’s Encrypt account on multiple machines, the only credential you need to copy is the account key.

Looking at cert-manager, it seems like all you have to do is ensure that the issuer’s privateKeySecretRef points to the same private key on all clusters. Looking at https://github.com/jetstack/cert-manager/issues/2990, it looks like doing that (sharing the secret between clusters) might not be possible today.


Thanks for the fast reply, I have the ability to create an identical Secret across multiple clusters, and will give that approach a try by providing privateKeySecretRef explicitly.

Ok, if I’m not using an ExternalAccountBinding, how should I provide cert-manager with my pre-existing LetsEncrypt account id?

In ACME, the account ID is usually automatically discovered using the account private key. So usually all you have to do is feed the right private key into your client.

Based on munnerz's response on the issue tracker, I am suspecting that it’s not possible to provide an existing private key to cert-manager.

You could try asking in that issue or in their Slack channel.

Confirmed that the correct ACME account ID was selected automatically. Cool and spooky.
Thank you for your help.
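The procedure the thread converges on (copy the account private key Secret to the other cluster, point privateKeySecretRef at it, and let cert-manager rediscover the account from the key), as an added shell example that is not from the thread or from the cert-manager project. The kube context names, the namespace, the Secret name and the nginx ingress class are assumptions; cert-manager stores the ACME account key in the Secret under `tls.key` and records the discovered account URL in `status.acme.uri`.

```shell
# Hypothetical names: kube contexts cluster-a/cluster-b; Secret letsencrypt-account-key
# in namespace cert-manager (where a ClusterIssuer looks for its Secret), PEM under tls.key.
SRC_CTX="${SRC_CTX:-cluster-a}"; DST_CTX="${DST_CTX:-cluster-b}"
NS="${NS:-cert-manager}"; SECRET="${SECRET:-letsencrypt-account-key}"

# Render a fresh Secret manifest instead of copying the object verbatim, so that
# cluster-specific uid/resourceVersion/ownerReferences are not carried over.
# This key is the only credential for the account: restrict RBAC on it accordingly.
render_secret_manifest() {   # args: name namespace base64-key
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  tls.key: $3
EOF
}

# Numeric account id from an ACME account URI such as .../acme/acct/77079176
account_id_from_uri() {
  printf '%s\n' "$1" | sed -n 's#.*/acme/acct/\([0-9][0-9]*\)$#\1#p'
}

# Copy the key to the destination cluster, create a ClusterIssuer that references
# it, then confirm the account cert-manager discovered from the key is the expected one.
sync_account_key() {   # args: expected account id
  key_b64="$(kubectl --context "$SRC_CTX" -n "$NS" get secret "$SECRET" \
    -o jsonpath='{.data.tls\.key}')"
  render_secret_manifest "$SECRET" "$NS" "$key_b64" \
    | kubectl --context "$DST_CTX" apply -f -
  kubectl --context "$DST_CTX" apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: ${SECRET}
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
EOF
  kubectl --context "$DST_CTX" wait clusterissuer/letsencrypt --for=condition=Ready --timeout=120s
  uri="$(kubectl --context "$DST_CTX" get clusterissuer letsencrypt -o jsonpath='{.status.acme.uri}')"
  [ "$(account_id_from_uri "$uri")" = "$1" ]
}
```

Run `sync_account_key 77079176` once per additional cluster; a non-zero exit means the issuer registered a different (new) account, which is what happens when the key did not match.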
