Renewing certificate ... getting confusing messages

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: policy.animaljusticeparty.org

I ran this command: sudo certbot certonly -d policy.animaljusticeparty.org

It produced this output:

Please choose an account

1: ip-172-31-6-249.ap-southeast-2.compute.internal@2019-06-11T08:36:18Z (5039)
2: ip-172-31-6-249.ap-southeast-2.compute.internal@2019-08-29T06:09:28Z (97c9)

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I have two letsencrypt licences … one for d3.geoffrussell.com.au and one for policy.animaljusticeparty.org … is that what it means by two accounts? In any case, the d3 host is not the same as the policy host so I don’t understand why any files on the policy host have any information on the d3 host. So I’ve no idea what the message means???

I just picked an account at random and the renewal worked …meaning my browser gets the right expiry date!

Cheers,
Geoff


That’s weird. What does this show:

sudo find /etc/letsencrypt/accounts -type d
sudo grep -R "server =" /etc/letsencrypt/renewal/

Thanks for your help …


ubuntu@ip-172-31-6-249:~$ sudo find /etc/letsencrypt/accounts -type d
/etc/letsencrypt/accounts
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/97c9665d283e2ea23372280b52cbced2
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/50394c103d9851967bde7d22525c05d6
ubuntu@ip-172-31-6-249:~$ sudo grep -R "server =" /etc/letsencrypt/renewal/
/etc/letsencrypt/renewal/mattermost.animaljusticeparty.org.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/policy.animaljusticeparty.org.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/policy.geoffrussell.com.au.conf:server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/chat.animaljusticeparty.org.conf:server = https://acme-v02.api.letsencrypt.org/directory
ubuntu@ip-172-31-6-249:~$

Ah … the mattermost license was installed by somebody else and I’d forgotten about it.

The policy.geoffrussell and chat.animaljusticeparty licenses should have expired and are no longer used/required.

It would appear that the v01 account is redundant??

Cheers,
Geoff


ACME v1 is indeed redundant, but I do not think it’s the cause of this prompt.

I think this prompt might be coming up because you have two ACMEv2 accounts:

  1. 97c9, which is your ACME v1 account which has been “upgraded” to ACME v2 via an aliasing/symlink mechanism.
  2. 5039, an ACME v2 account which was registered separately.

I’m not sure whether it is intended for Certbot to prompt you in this instance or not. I have a suspicion that it isn’t and that it’s related to a recent change. So I can look at this further, could you also share the version of Certbot you are using:

sudo certbot --version

@bmw could @_az’s concern be right that there is some sequence of events that can, or could, cause you to automatically get redundant accounts in this case?


The only cases I can immediately think of where people could get this setup are:

  1. If the user had used Certbot 0.22.0 to 0.25.1 with Let’s Encrypt’s ACMEv2 endpoint by manually setting --server on the command line.
  2. Running an old version of Certbot that defaulted to ACMEv1 (or manually setting --server to the ACMEv1 URL) after an ACMEv2 account is created.
  3. Manually combining /etc/letsencrypt directories to do something like copy a setup from another server.

There may be other cases I’m not aware of though.

Once this setup is created, Certbot prompting you about which account to use is expected. The code that does this is very old and people don’t hit it often because Certbot (at least normally) doesn’t let you create multiple accounts for the same server, but the code exists.
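An added example, not code from this thread, from Certbot or from Let's Encrypt, that ties together _az's explanation of the two ACMEv2 accounts and bmw's point that Certbot prompts whenever one server directory holds more than one account. The script rebuilds the /etc/letsencrypt layout from this thread in a temporary directory (using the account IDs posted above; the symlinked alias of the ACMEv1 account inside the acme-v02 tree is an assumption taken from _az's description, not something shown in Geoff's output) and reports, for each renewal config, how many accounts its server has. It also shows why the earlier "find -type d" would not list the aliased account: that entry is a symlink, not a directory. All function names and the constructed tree are the example's own.

```shell
#!/bin/sh
# Added example, not Certbot's code: rebuild the /etc/letsencrypt layout from
# this thread in a temp dir and count accounts per ACME server directory.

# Build a constructed tree under $1. Account IDs are the ones from the thread;
# the symlinked alias is assumed from _az's description of the v1->v2 upgrade.
make_sample_tree() {
    root="$1"
    v1="$root/accounts/acme-v01.api.letsencrypt.org/directory"
    v2="$root/accounts/acme-v02.api.letsencrypt.org/directory"
    mkdir -p "$v1/97c9665d283e2ea23372280b52cbced2" \
             "$v2/50394c103d9851967bde7d22525c05d6" \
             "$root/renewal"
    # The "upgraded" ACMEv1 account: a symlink inside the v02 tree (assumption).
    ln -s "../../acme-v01.api.letsencrypt.org/directory/97c9665d283e2ea23372280b52cbced2" \
          "$v2/97c9665d283e2ea23372280b52cbced2"
    # Constructed renewal config, reduced to the line grep'd in the thread.
    printf 'server = https://acme-v02.api.letsencrypt.org/directory\n' \
        > "$root/renewal/policy.animaljusticeparty.org.conf"
}

# Print the account IDs under one server directory. "-d" follows symlinks,
# so the aliased account counts, just as Certbot can use it.
list_accounts() {
    for entry in "$1"/*; do
        [ -d "$entry" ] || continue
        printf '%s\n' "${entry##*/}"
    done
}

# Number of usable accounts under a server directory.
count_accounts() {
    list_accounts "$1" | wc -l | tr -d ' '
}

# Map the "server = URL" line of a renewal conf to its accounts directory.
server_dir_for_conf() {
    host_path=$(sed -n 's|^server = [a-z]*://||p' "$2")
    printf '%s/accounts/%s\n' "$1" "$host_path"
}

# For every renewal conf: how many accounts its server has. More than one
# means Certbot shows the "Please choose an account" prompt seen above.
report() {
    for conf in "$1"/renewal/*.conf; do
        dir=$(server_dir_for_conf "$1" "$conf")
        n=$(count_accounts "$dir")
        seen_by_find=$(find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
        printf '%s: %s account(s); "find -type d" lists %s\n' \
            "${conf##*/}" "$n" "$seen_by_find"
        [ "$n" -gt 1 ] || continue
        echo '  multiple accounts for this server, Certbot will prompt:'
        for id in $(list_accounts "$dir"); do
            if [ -L "$dir/$id" ]; then
                printf '    %s -> %s (symlinked alias)\n' "$id" "$(readlink "$dir/$id")"
            else
                printf '    %s\n' "$id"
            fi
        done
    done
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
report "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real machine by pointing report at /etc/letsencrypt (with sudo, since the accounts directory is root-only); a server directory reporting two or more accounts is the condition behind the prompt, and a symlinked entry among them is the aliased ACMEv1 account _az describes.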

My current version of certbot is …
ubuntu@ip-172-31-6-249:~$ sudo certbot --version
certbot 0.31.0

But I think I upversioned it last time I had to generate a licence … so whatever is screwy may have happened with a previous version.