Renew certificate failing with invalid account URL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
we-dev.applaud.work

I ran this command:
sudo certbot renew \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --work-dir /home/ubuntu/certs \
  --logs-dir /home/ubuntu/certs \
  --config-dir /home/ubuntu/certs \
  --webroot -w /home/ubuntu/certs/www \
  --preferred-challenges http

It produced this output:
Processing /home/ubuntu/certs/renewal/we-dev.applaud.work.conf


updating legacy http01_port value
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for we-dev.applaud.work
Attempting to renew cert (we-dev.applaud.work) from /home/ubuntu/certs/renewal/we-dev.applaud.work.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: KeyID header contained an invalid account URL: "https://acme-v02.api.letsencrypt.org/acme/reg/ba5f0d3746ef919defc6730ebf814de4". Skipping.

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 1.10.1 (snapd installed version)

2 Likes

Hi @sateesh,

Did you upgrade your Certbot from a very old version?

If so, do you remember what version you had before?

2 Likes

My previous version is 0.27.0. I got the same error on the previous version as well, so I updated it to the new one and am still getting the same error as above.

1 Like

It appears something went wrong with the migration of your Let's Encrypt account from ACMEv1 to ACMEv2.

The first thing I recommend you do is back up your Certbot files:

sudo tar cf /root/certbot.tar /etc/letsencrypt/

Based on a couple of tests, I think you should be able to fix your "invalid account URL" problem by unregistering and reregistering your Let's Encrypt account:

sudo certbot unregister
sudo certbot register

and try the renewal again.

2 Likes

Thank you for the reply. I tried this already and still get the same error message.

1 Like

I would add an extra step after unregister.
List the entire /etc/letsencrypt/ folder:
ls -lR /etc/letsencrypt/
[I think we may find something in there of interest]
If not, then also list this folder:

ls -lR /home/ubuntu/certs

2 Likes

ls -lR /etc/letsencrypt/
/etc/letsencrypt/:
total 12
drwx------ 3 root root 4096 Dec 15 10:48 accounts
-rw-r--r-- 1 root root  142 Sep 30 15:24 cli.ini
drwxr-xr-x 5 root root 4096 Sep  5 04:39 renewal-hooks

/etc/letsencrypt/accounts:
total 4
drwx------ 3 root root 4096 Dec 15 10:48 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 4
drwx------ 3 root root 4096 Dec 15 10:49 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 4
drwx------ 2 root root 4096 Dec 15 12:33 2a0ce3be60027e37343a2da50a69efc9

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/2a0ce3be60027e37343a2da50a69efc9:
total 12
-rw-r--r-- 1 root root  101 Dec 15 10:49 meta.json
-r-------- 1 root root 3169 Dec 15 10:49 private_key.json
-rw-r--r-- 1 root root   79 Dec 15 10:49 regr.json

/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Sep  5 04:39 deploy
drwxr-xr-x 2 root root 4096 Sep  5 04:39 post
drwxr-xr-x 2 root root 4096 Sep  5 04:39 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0

$ pwd
/home/ubuntu/certs
$ ls -l
total 29256
drwxrwxr-x 3 ubuntu root       6144 Jun 25  2018 accounts
drwxrwxr-x 9 ubuntu root       6144 Sep 21 11:24 archive
drwxr-xr-x 3 root   root       6144 Jul  5  2018 config
drwxr-xr-x 2 ubuntu root      96256 Dec 15 12:30 csr
drwx------ 2 ubuntu root      96256 Dec 15 12:30 keys
-rw-r--r-- 1 ubuntu root   29693705 Dec 15 12:30 letsencrypt.log
drwxrwxr-x 9 ubuntu root       6144 Sep 21 11:24 live
drwx------ 2 ubuntu root       6144 Jul  5  2018 log
drwxrwxr-x 2 ubuntu root       6144 Jul 17 06:59 logs
-rw-r--r-- 1 ubuntu root         85 Feb 12  2019 meta.json
-rw-r--r-- 1 root   root       1143 Feb 12  2019 options-ssl-nginx.conf
-r-------- 1 ubuntu root       1632 Feb 12  2019 private_key.json
-rw-r--r-- 1 ubuntu root         78 Feb 12  2019 regr.json
-rwxrwxr-x 1 ubuntu root        421 Jun 16 10:23 renew-ssl.sh
drwxrwxr-x 2 ubuntu root       6144 Dec 15 12:32 renewal
drwxr-xr-x 5 ubuntu root       6144 Jun 25  2018 renewal-hooks
drwxrwxr-x 2 ubuntu root       6144 Jun 25  2018 snippets
-rw-r--r-- 1 root   root        424 Feb 12  2019 ssl-dhparams.pem
drwxrwxr-x 6 ubuntu ubuntu     6144 Sep 30 14:17 wild-card-certs
drwxr-xr-x 2 root   root       6144 Jul  5  2018 work
drwxrwxr-x 3 ubuntu root       6144 Jun 25  2018 www

We have a lot of domains; the command below lists a lot:
ls -lR /home/ubuntu/certs

1 Like

I missed this at first too, but if --config-dir /home/ubuntu/certs is set on the command line, the contents of /etc/letsencrypt shouldn't really be relevant and other Certbot commands need the same flag for them to have an effect on the right files.

@sateesh, to build on and adapt the suggestions above a bit, can you:

  1. Provide the output of:
     sudo ls -lR /home/ubuntu/certs/accounts
  2. Also provide the output of:
     sudo grep -r ba5f0d3746ef919defc6730ebf814de4 /home/ubuntu/certs
  3. Make a copy of /home/ubuntu/certs by running:
     sudo tar cf /home/ubuntu/certs.tar /home/ubuntu/certs
  4. Delete your current Let's Encrypt account by running:
     sudo rm -rf /home/ubuntu/certs/accounts/
  5. Recreate your Let's Encrypt account by running:
     sudo certbot register --config-dir /home/ubuntu/certs
  6. Remove all account information that Certbot stores in your configuration files with:
     sudo sed -i '/^account =/d' /home/ubuntu/certs/renewal/*
  7. Try running the command from your initial post again.
5 Likes
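
A read-only check for the state this thread diagnoses, as an added example that is not part of any post above or of Certbot itself: it scans a --config-dir for regr.json files whose account URL still uses the /acme/reg/ path seen in the error message, and for renewal configs whose "account =" line names an account directory that no longer exists. The "uri" key in regr.json, the function names and the sample tree (made-up ids and URLs) are assumptions constructed for the example.

```python
import json
import re
import tempfile
from pathlib import Path

LEGACY_PATH = "/acme/reg/"  # account path from the error message in this thread

def audit_config_dir(config_dir):
    """Return (legacy_accounts, dangling_confs) for a Certbot --config-dir."""
    root = Path(config_dir)
    known, legacy = set(), []
    # Layout from the listing above: accounts/<server>/directory/<id>/regr.json
    for regr in root.glob("accounts/*/*/*/regr.json"):
        account_id = regr.parent.name
        known.add(account_id)
        try:
            # Assumption: regr.json stores the account URL under "uri".
            uri = json.loads(regr.read_text()).get("uri", "")
        except (OSError, ValueError, AttributeError):
            uri = ""  # unreadable or corrupt file: cannot classify
        if LEGACY_PATH in uri:
            legacy.append((account_id, uri))
    dangling = []
    for conf in sorted(root.glob("renewal/*.conf")):
        # The "account = <id>" line is what the sed command in the thread deletes.
        m = re.search(r"^account\s*=\s*(\S+)", conf.read_text(), re.M)
        if m and m.group(1) not in known:
            dangling.append((conf.name, m.group(1)))
    return sorted(legacy), dangling

def build_sample(root):
    """Constructed sample tree; ids and URLs are made up for the example."""
    base = Path(root)
    acct = base / "accounts/acme-v02.api.letsencrypt.org/directory"
    for aid, uri in [("aaaa1111", "https://acme.example/acme/reg/aaaa1111"),
                     ("bbbb2222", "https://acme.example/acme/acct/42")]:
        (acct / aid).mkdir(parents=True)
        (acct / aid / "regr.json").write_text(json.dumps({"body": {}, "uri": uri}))
    (base / "renewal").mkdir()
    (base / "renewal/ok.example.conf").write_text("account = bbbb2222\n")
    (base / "renewal/stale.example.conf").write_text("account = cccc3333\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        legacy, dangling = audit_config_dir(build_sample(tmp))
        print("legacy account URLs:", legacy)
        print("renewal configs with unknown account:", dangling)
```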
