Migrating to new Account ID

Help
1

My domain is: crm.cloud.sap

For rate limit purposes we have been requested to create a new account ID and migrate our certificates to it.

Currently we are using Python for the renewal, at the end we have an email associated with the Let’s Encrypt registration which at the end is used to request the certificate.

image
image763×554 50.9 KB

Questions:

How to start the renewal process of our existing certs from the new account ID?

Would I have any conflict if I move to the new account?

Is there a way to associate more than one email address to an account ID, if yes can you please explain how?

Thanks

Raul

1 Like
2

I'm not sure I'm following your question or your code, but just instead of making requests using the previous account, you use the new account. The domain names aren't "tied" to a particular account (at least in the sense of requiring one), any account which can fulfill the challenges can request the certificates for the names.

No, I don't think so. I'm not sure what kind of "conflict" you're thinking of.

From an ACME API perspective, the account object's contact field is an array of strings, so you can just have an array with multiple email addresses. I don't know if whichever library you're trying to use will make that easy for you to do, though.

6 Likes
3

I'm not entirely sure that changing account id will fix any rate limit issues you are currently hitting (depending which one it is). If it was that easy then people would just change their account all the time whenever they hit a rate limit.

Other ways to deal with the issue include:

  • avoid rate limits in the first place
  • apply for rate limit extensions if you legitimately expect that you need to
  • spread renewals across multiple CAs, so if one simply cannot fulfill your request you can try a different one.
2 Likes
4

Ah. I was interpreting the "for rate limit purposes" as meaning that they've worked with Let's Encrypt and are working on consolidating their systems into one account (or maybe a small handful) in order to have a specific rate limit applied. But now that you mention it, some clarification on the actual goals here might be helpful, yes.

5 Likes
5

I also read it like this, as a request from Let's Encrypt.

Without knowing the details of the script(s) used, we can only advise generic things: register a new account, safe it's data and use it from now on.

3 Likes
6

Thanks everyone, we are a big company and we were sharing the certificate at the root domain level, now we are separating by subdomains, that's what I meant with "rate limit purposes"

I will try to make the proposed changes and will let you know if I need additional help.

Thanks again

Raul

1 Like
7

The rate limit for the maximum amount of certs per registered domain do not care about subdomains or accounts.

So you're actually confusing me more :stuck_out_tongue:

Unless rate limit overrides from Let's Encrypt or the domain is on the public suffix list.. :roll_eyes:

2 Likes
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.