have a site which got its cert back in the closed beta when the official client (the one that runs as root) was the only option. I wanna move it to acme_tiny.py. So I go to get the account key from the official client’s stash, /usr/local/etc/letsencrypt/conf/accounts/acme-blah/directory/ and find blah.json, not account.key.
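acme_tiny expects the account key as a PEM file, while the official client kept it as JSON; the converter below is an added example (not code from the thread or from either client) and assumes that JSON is an RSA private JWK, the format the official client's private_key.json used. The SAMPLE_JWK is a constructed toy key (p=61, q=53), not a real one.

```python
import base64
import json
import textwrap

# Constructed toy RSA JWK: n=3233, e=17, d=2753, p=61, q=53. NOT a real key.
SAMPLE_JWK = json.dumps({"kty": "RSA", "n": "DKE", "e": "EQ", "d": "CsE",
                         "p": "PQ", "q": "NQ", "dp": "NQ", "dq": "MQ", "qi": "Jg"})

def b64url_to_int(s):
    """Decode an unpadded base64url big-endian unsigned integer (JWK encoding)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def der_length(n):
    """DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(v):
    """DER INTEGER: minimal big-endian bytes, 0x00-prefixed if the high bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def jwk_to_pkcs1_der(jwk_json):
    """Build the PKCS#1 RSAPrivateKey SEQUENCE (version 0 + eight integers)."""
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "RSA" or "d" not in jwk:
        raise ValueError("not an RSA private JWK")
    fields = ["n", "e", "d", "p", "q", "dp", "dq", "qi"]
    content = der_integer(0) + b"".join(der_integer(b64url_to_int(jwk[f])) for f in fields)
    return b"\x30" + der_length(len(content)) + content

def jwk_to_pem(jwk_json):
    """Wrap the DER in the 'RSA PRIVATE KEY' PEM armour that openssl/acme_tiny read."""
    b64 = base64.b64encode(jwk_to_pkcs1_der(jwk_json)).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(jwk_to_pem(SAMPLE_JWK))
```

The official client's stash is root-owned, so run the conversion as root and write the PEM to a mode 0600 file owned by whichever user runs acme_tiny.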
Personally, I did the same, but just created a new account key (I kept the old one in case I needed to revoke a cert before renewal time, but then just used the new key).
I have this fear of proliferating account keys and LE one day saying, “you can’t use that key, you got the current cert for this domain with a different key.”
It was fine for me (no issues using a new key) ... and once you are past the expiry date of the old key I can't see them complaining about that (would be tricky for the many people who have lost their keys and created new ones).
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
File "acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "acme_tiny.py", line 85, in get_crt
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf",
File "acme_tiny.py", line 47, in _send_signed_request
protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
File "/usr/local/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/local/lib/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/local/lib/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/local/lib/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/local/lib/python2.7/urllib2.py", line 1240, in https_open
context=self._context)
File "/usr/local/lib/python2.7/urllib2.py", line 1197, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
Are you happy to provide the domain name you are trying to get the cert for? The error looks more related to the certificate verification than the account key.
I suspect that the error here is that bogus.com currently has an invalid SSL cert (because it is pointing at psg.com and just uses the psg.com cert).
I know there are ways round this with some of the clients - I’m not sure how with the acme-tiny one though. I’ll have a quick look and see if I can see.
Just to check things - can you just try and get a cert (from the staging server for testing) just for psg.com? Just to confirm that it’s bogus.com giving us the issue.