Moving account from LE to acme_tiny.py


#1

I have a site which got its cert back in the closed beta, when the official client (the one that runs as root) was the only option. I want to move it to acme_tiny.py. So I go to get the account key from the official client's stash, /usr/local/etc/letsencrypt/conf/accounts/acme-blah/directory/, and find blah.json, not account.key.

Anyone know how to convert? Thanks.


#2

There is a small perl script (import-account.pl) within https://github.com/lukas2511/letsencrypt.sh that should do what you want.

Personally, I did the same, but just created a new account key (I kept the old one in case I needed to revoke a cert before renewal time, but then just used the new key).
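
The conversion that post #2 points at the Perl script for, written here as an added Python example (it is not code from the thread, from acme_tiny or from letsencrypt.sh). It assumes the JSON file in the official client's accounts directory holds the account key as an RSA JWK (kty "RSA" with base64url fields n, e, d, p, q, dp, dq, qi); that format, the toy key, the file name jwk2pem.py and the self-check DER parser are all assumptions made for the example. It emits the PKCS#1 PEM that acme_tiny.py's --account-key option reads, using only the standard library.

```python
"""Convert an RSA JWK (the JSON form of an account key) to the PKCS#1 PEM file
that acme_tiny.py's --account-key option expects. Standard library only."""
import base64
import json
import math


def b64url_decode(s: str) -> bytes:
    # JWK values are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(value: int) -> str:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_length(n: int) -> bytes:
    # Short form below 128, otherwise 0x80|count followed by the length bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    # DER INTEGER is two's complement, so a value whose top bit is set needs a
    # leading 0x00 byte or it would decode as negative.
    content = b"\x00" if value == 0 else value.to_bytes((value.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return b"\x02" + der_length(len(content)) + content


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


RSA_FIELDS = ("n", "e", "d", "p", "q", "dp", "dq", "qi")


def jwk_to_pkcs1_der(jwk: dict) -> bytes:
    """Build RFC 8017 RSAPrivateKey: SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA JWK")
    v = {k: int.from_bytes(b64url_decode(jwk[k]), "big") for k in RSA_FIELDS}
    # Refuse to write a key whose private parts are inconsistent: p*q must give n
    # and d must invert e modulo lcm(p-1, q-1) (true whether d was derived from
    # phi(n) or from lambda(n)).
    lam = (v["p"] - 1) * (v["q"] - 1) // math.gcd(v["p"] - 1, v["q"] - 1)
    if v["p"] * v["q"] != v["n"] or (v["d"] * v["e"]) % lam != 1:
        raise ValueError("JWK private components are inconsistent")
    return der_sequence(der_integer(0), *(der_integer(v[k]) for k in RSA_FIELDS))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n" + body + "\n-----END RSA PRIVATE KEY-----\n"


def convert(jwk_json: str) -> str:
    return der_to_pem(jwk_to_pkcs1_der(json.loads(jwk_json)))


def _read_tlv(buf: bytes, pos: int):
    # Minimal DER tag/length/value reader, used only to check our own output.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_der(der: bytes) -> list:
    """Inverse of jwk_to_pkcs1_der: returns [version, n, e, d, p, q, dp, dq, qi]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(content, "big", signed=True))
    return ints


def toy_jwk() -> dict:
    # Constructed toy key for a stand-alone run, NOT a real account key: two
    # Mersenne primes and e = 65537. A real account key is 2048 bits or more.
    p, q, e = (1 << 127) - 1, (1 << 107) - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    vals = {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}
    return {"kty": "RSA", **{k: b64url_encode(x) for k, x in vals.items()}}


SAMPLE_JWK_JSON = json.dumps(toy_jwk())  # constructed input, stands in for blah.json

if __name__ == "__main__":
    import sys
    # Usage: python3 jwk2pem.py blah.json > account.key   (no argument: the toy key)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JWK_JSON
    sys.stdout.write(convert(src))
```

After writing the file, chmod 600 it and run `openssl rsa -in account.key -check -noout`; acme_tiny.py shells out to openssl to read the key, so if that check passes the converted key is usable. The consistency check in jwk_to_pkcs1_der is deliberate: a JSON file copied from a half-migrated installation can be truncated or mangled, and a corrupt account key will fail far less clearly later, during request signing.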


#3

And 12kg of Perl libraries I don't want. Sigh. But thanks for the pointer.


#4

You don’t have to run it on your server :wink:

As I said, I just created a new account key, which worked perfectly.


#5

I do not have a system with 50kg of Perl.

I have this fear of proliferating account keys and LE one day saying, "you can't use that key, you got the current cert for this domain with a different key."


#6

It was fine for me (no issues using a new key) ... and once you are past the expiry date of the old key I can't see them complaining about that (it would be tricky for the many people who have lost their keys and created new ones :wink:)


#7

Not exactly:

Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 85, in get_crt
    "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf",
  File "acme_tiny.py", line 47, in _send_signed_request
    protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
  File "/usr/local/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/local/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

#8

Did you generate a new account key? (openssl genrsa 4096 > /path/to/your/account.key)


#9

Yep.

openssl genrsa 4096 > /home/acme/secrets/account.key
chmod 600 /home/acme/secrets/account.key

and then

python acme_tiny.py \
    --account-key secrets/account.key \
    --csr work/domain.csr \
    --acme-dir challenges \
    > work/signed.crt

#10

Are you happy to provide the domain name you are trying to get the cert for? The error looks more related to the certificate verification than the account key.


#11

openssl req -new -sha256 -key secrets/domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:psg.com,DNS:www.psg.com,DNS:bogus.com")) > work/domain.csr


#12

I suspect that the error here is that bogus.com currently has an invalid SSL cert (because it is pointing at psg.com and just uses the psg.com cert).

I know there are ways round this with some of the clients - I’m not sure how with the acme-tiny one though. I’ll have a quick look and see if I can see.


#13

Yes, both virtual servers are on the same host. Got the psg.com cert a while ago; now trying to add the Subject Alternative Name for bogus.com.


#14

I suspect if you moved bogus.com to its own virtual account (without a redirect, and no https ... or a self-signed cert for bogus.com) it would work.

May be worth testing with the staging server, so that you don’t run into the rate limits.


#15

I just tried with the server running a self-signed cert that covered both domains; same result.

I had not thought of the bleeping rate limit; thanks for the reminder.


#16

I assume you changed it back. I’m still getting the LE cert for psg.com on both sites.


#17

OK, psg.com has the LE cert and bogus.com has the one from my self-signed root.
Using the staging server.
Same result.


#18

Just to check things - can you just try and get a cert (from the staging server, for testing) just for psg.com? Just to confirm that it's bogus.com giving us the issue :wink:


#19

% openssl req -new -sha256 -key /home/acme/secrets/domain.key -subj "/CN=psg.com" > /home/acme/work/domain.csr

% python acme_tiny.py \
    --account-key secrets/account.key \
    --csr work/domain.csr \
    --acme-dir challenges \
    > work/signed.crt
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 85, in get_crt
    "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf",
  File "acme_tiny.py", line 47, in _send_signed_request
    protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
  File "/usr/local/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/local/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

#20

Same error?

I can try duplicating it on one of my accounts …