Migrate existing certificates to new account id

I'm working in an older environment that uses Caddy server with an S3 storage module to issue/renew around ~100 certificates (v1 environment). We're in the process of migrating this configuration from our old cloud provider to AWS, using DynamoDB to store the certificates (GitHub - silinternational/certmagic-storage-dynamodb: DynamoDB storage implementation for CertMagic), which we can refer to as the v2 environment.

The v1 and v2 environments have different Let's Encrypt account ids. I plan on copying all of the v1 certificates and keys to DynamoDB in the v2 environment instead of issuing new ones.

I am seeking clarification on the following:

  1. Are there any problems with this approach?
  2. Will the copied certificates using the v2 environment be eligible for renewal using the new account id?
  3. Are there any conflicts between the same certificates being used with a new account id?

Happy to provide additional clarification. Thank you!

2 Likes

I moved this to Help, as it will get more attention there.

1 Like

Will do. Thanks!

I plan on copying all of the v1 certificates and keys to DynamoDB in the v2 environment instead of issuing new ones.

That's the right thing to do.

You don't really need to worry about the account ids. The account ids/keys are really only necessary for revoking.*

  1. Are there any problems with this approach?

None that I see.

  2. Will the copied certificates using the v2 environment be eligible for renewal using the new account id?

Yes. The account id is relatively insignificant in your context.

  3. Are there any conflicts between the same certificates being used with a new account id?

The only tangible difference you'll see is that validated challenges for a domain are cached to an account-id, but this is more likely to surface errors than cause them.

* Accounts can do a lot of things, but within the scope of your situation... all that stuff is most likely irrelevant. There are many slight nuances and details with account ids that I did not bother to go into.

7 Likes
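A post-copy sanity check for the migration discussed above, as an added example that is not part of the original thread and not code from Caddy, CertMagic or the DynamoDB storage module: it confirms that a copied certificate and private key still belong together and returns the expiry date, so the v2 environment knows when renewal will fall due. The names `checkPair` and `makePair` are hypothetical, the certificates are constructed self-signed samples, and reading the PEM bytes out of S3 or DynamoDB is left to the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPair (hypothetical helper) verifies that a copied certificate PEM and
// key PEM belong together and returns the leaf certificate's expiry time.
func checkPair(certPEM, keyPEM []byte) (time.Time, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // errors if the key does not match
	if err != nil {
		return time.Time{}, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return time.Time{}, err
	}
	return leaf.NotAfter, nil
}

// makePair builds a constructed self-signed certificate and key for the demo only.
func makePair(name string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	certA, keyA := makePair("a.example.com", time.Now().Add(60*24*time.Hour))
	_, keyB := makePair("b.example.com", time.Now().Add(60*24*time.Hour))
	exp, err := checkPair(certA, keyA)
	fmt.Println("matching pair expires:", exp, "err:", err)
	_, err = checkPair(certA, keyB) // key from a different certificate
	fmt.Println("mismatched pair err:", err)
}
```

Running this over every copied item before cutting traffic over catches truncated or mismatched objects while the v1 storage is still available as a source.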

Thank you so much for the detailed reply. I feel reassured now!

3 Likes
