Registered, cert request still says needs account registered?

My domain is: n/a for this question

I ran this command: sudo /usr/local/bin/certbot show_account

It produced this output:

Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/15xxxxxx
  Account Thumbprint: abcdefPLjU7D8...123456789
  Email contact: my-email@mycorp.com

So in theory the registration process is complete. However, when trying to request a certificate certbot says the registration hasn't been completed:

$ sudo /usr/local/bin/certbot certonly --non-interactive --dns-route53 -d 'stagingcert.mycorp.com' --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

Without the --non-interactive flag, certbot prompts. This is in line with the idea that certbot thinks the registration is incomplete.

It's not a huge deal - I can always specify the extra args on every certbot command, but I think I'm doing something wrong if that's necessary?

Without the --non-interactive flag, and answering the prompts certbot otherwise runs fine - gets the certificates properly, behaves as expected etc.

My web server is (include version): certonly/manual

The operating system my web server runs on is (include version):

RHEL (Rocky) 9, using the snap version of certbot (2.8.0)

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: 2.8.0

The account for staging is different than the account for production.

I think you might want to certbot register with --staging to set up your staging account, and can do certbot show_account --staging to see it, though I haven't tried it myself.

7 Likes
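An added example (not part of the thread, and not certbot's own code) illustrating the reply above: a pre-flight check that reports which ACME endpoints have a locally registered account, so a script can tell before a `--non-interactive` run that staging still needs registering. It assumes certbot's on-disk layout `<config-dir>/accounts/<server host>/<server path>/<account id>/regr.json` and the Let's Encrypt staging directory URL; the function names and the sample account id are made up.

```shell
#!/bin/sh
# Assumption: certbot stores each registered account under
#   <config-dir>/accounts/<server host>/<server path>/<account id>/regr.json
PROD_URL="https://acme-v02.api.letsencrypt.org/directory"
STAGING_URL="https://acme-staging-v02.api.letsencrypt.org/directory"

# Print the directory that holds the accounts for one ACME server URL.
account_dir() {    # $1 = certbot config dir, $2 = ACME directory URL
    rel=${2#*://}                      # drop the scheme
    printf '%s/accounts/%s\n' "${1%/}" "${rel%/}"
}

# Print how many accounts are registered for that server.
count_accounts() {
    dir=$(account_dir "$1" "$2")
    n=0
    for f in "$dir"/*/regr.json; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print one status line per endpoint; return 1 if any endpoint has no account.
preflight() {
    rc=0
    for url in "$PROD_URL" "$STAGING_URL"; do
        if [ "$(count_accounts "$1" "$url")" -gt 0 ]; then
            echo "registered  $url"
        else
            echo "MISSING     $url"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a config dir with a production account only,
# which is the state described in the question above.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/accounts/acme-v02.api.letsencrypt.org/directory/0123456789abcdef"
    echo '{}' > "$d/accounts/acme-v02.api.letsencrypt.org/directory/0123456789abcdef/regr.json"
    echo "$d"
}

# Run against a real config dir when one is given, e.g. /etc/letsencrypt (needs root).
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

The accounts directory also holds each account's private key, so keep it readable by root only and run the check with the same privileges as certbot.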

The account for staging is different than the account for production.

Thanks for pointing that out. I added staging into the mix to do some scripting/testing and didn't catch my mistake that I needed to register with staging. Good call.

3 Likes

I'm curious if the --dry-run option also requires a separate registration of the staging account.. :thinking:

1 Like

I think it should.
It runs through the exact same process as a cert issuance - it just discards the event.
[i.e. the cert issuance process requires an account]

1 Like

Sure, let me rephrase: does it in the case of a --dry-run also complain/ask the user for more info when trying to register a staging account? Or does it simply register one without an email address for example?

2 Likes