A while ago, we added the CAA protection mechanism to our DNS, and more recently, we enhanced the LetsEncrypt-related CAA record with account restriction.
This is already the second time that I have run into renewal issues because of this - as in: LE (correctly) refused a renewal because I forgot that not all boxes use the same account.
It seems that I have the following options:
- Remove the account specification from CAA completely (not desired)
- Create CAA records for every account used on any applicable hosts (tends to clobber DNS)
- Sync the hosts such that there is one account to rule them all (sounds best to me)
My current solution is the second option, but I'd like to switch to the third.
Q1: Is there any reason to think that the third option is actually a horrible idea?
I know that the accounts are represented by three files "meta.json", "private_key.json", and "regr.json" in folder "/etc/letsencrypt/accounts/(acme hostname)/directory/(random hex code)" and are referenced in the files "/etc/letsencrypt/renewal/(certificate name).conf" as "account = (random hex code)".
This seems to give us two ways to copy an account from server A to server B:
- copy "/etc/letsencrypt/accounts/(acme hostname)/directory/(random hex code on A)" from server A to server B and edit all applicable renewal configurations to show "account = (random hex code A)" instead of "account = (random hex code B)"
- or copy the three files in "/etc/letsencrypt/accounts/(acme hostname)/directory/(random hex code on A)" on server A into "/etc/letsencrypt/accounts/(acme hostname)/directory/(random hex code on B)" on server B, overwriting the existing files
I wonder:
Q2: Is either (or both) of these methods valid?
For example, I see that "meta.json" contains a "creation_host" field, so ...
Q3: Does it cause problems if the creation_host value does not reflect the current host?
Q4: And will later invocations of certbot automatically pick the copied account (which one does it pick if there are several accounts)?
Q5: Is there any problem with the method described in case the certbot versions on server A and server B differ?
Thanks in advance for your awesome replies
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: redeker.de
I ran this command: (automated certificate renewal)
It produced this output: CAA record for redeker.de prevents issuance
(in /etc/letsencrypt/letsencrypt.log)
My web server is (include version): Apache/2.4.52
The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0