Site secured but dry run is telling me the account does not exist

Perfect. Thanks for your patience @_az. I'm learning.


I removed the account line in the ini file and ran...

/root/certbot/certbot-auto certonly -n --keep -c lhsouthbury.com.ini --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account :stop_sign:
Choices: ['ip-172-30-1-134.ec2.internal@2018-09-06T02:13:16Z (f74a)', 'ip-172-30-1-43.ec2.internal@2018-09-06T02:53:49Z (a30a)', 'ip-172-30-1-170.ec2.internal@2018-09-12T16:40:31Z (10a3)']

Since it was asking me to choose an account I went back into accounts and found the correct one it should be using. We manage sites on 2 different servers, but not sure why their letsencrypt accounts are both on here (or how we ended up with so many different accounts). At one point we had a synced ssl cert, I'm guessing that might be part of the reason.

I specified the correct account in the ini file and ran it again...

/root/certbot/certbot-auto certonly -n --keep -c lhsouthbury.com.ini --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lhsouthbury.com
http-01 challenge for www.lhsouthbury.com
Using the webroot path /ebs/files/www/0000_DEFAULT/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

:stop_sign: EDITING THIS bc I don't want to send anyone down the wrong road later

@_az @griffin but what is staging-v2 vs acme-v2, is it bad that this worked?

listed accounts in each dir:

PRODUCTION
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
10a37b5f009e9c7272c26e6ca7483766/
a30a82b6c95115845eb64d71dc4edb11/
f74a9bad0648afe4f8e9395762eeec44/

STAGING
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory
c2a0bc5d359ddfb335ddb8f4db4cff25/ :arrow_left: the account that worked
cd241a1b5a9a82e9b3e9b97a841440e3/


Please, please, please try the command I gave you though. You can add --dry-run to it to test it too. The command you are using (and the use of the .cli file AT ALL) are really outdated. You don't need the .cli file in the modern architecture. All of the configuration for each certificate is saved with the individual certificate.

I think this will cause your non-dry-run renewals to break.

If you want to put account = f74a9bad0648afe4f8e9395762eeec44 somewhere, put it in your /etc/letsencrypt/renewal/*.conf files.

It doesn't belong in the -c/.ini file.

Edit: and I suspect those account lines are already in there anyway. If you try dry-run like this, it doesn't ask you for an account, does it?

certbot renew --cert-name lhsouthbury.com --dry-run
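An added example, not from the thread or from certbot itself, that checks the point made above: for each /etc/letsencrypt/renewal/*.conf, it looks up the `account =` id under the accounts directory of the ACME server that conf names, so a production (acme-v02) id pointed at acme-staging-v02 shows up as MISSING instead of as a "Please choose an account" prompt. The function name and the config-dir argument are mine; the directory layout is the one listed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot: for each renewal conf,
# check that the 'account =' it names exists under the accounts directory of
# the ACME server it names. Assumed layout (as listed in the thread):
#   <cfg>/renewal/<name>.conf        with 'server = URL' and 'account = ID'
#   <cfg>/accounts/<host>/directory/<ID>/

# Usage: check_renewal_accounts <certbot config dir, normally /etc/letsencrypt>
# Prints OK / MISSING / NO-ACCOUNT per conf; returns 1 if any account is MISSING.
check_renewal_accounts() {
    cfg="$1"
    rc=0
    for conf in "$cfg"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        server=$(sed -n 's/^server *= *//p' "$conf" | head -n 1)
        account=$(sed -n 's/^account *= *//p' "$conf" | head -n 1)
        if [ -z "$account" ]; then
            # no account pinned: certbot will pick or create one itself
            echo "NO-ACCOUNT $name"
            continue
        fi
        # reduce https://host/directory to host
        host=$(printf '%s' "$server" | sed 's|^[a-z]*://||; s|/.*||')
        if [ -d "$cfg/accounts/$host/directory/$account" ]; then
            echo "OK $name $host $account"
        else
            echo "MISSING $name $host $account"
            rc=1
        fi
    done
    return "$rc"
}

# Run against a config dir when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_renewal_accounts "$1"
fi
```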

If you run the command I specified, it will create/update the .conf for the certificate for you.


Staging is the testing server invoked with --dry-run. Without it you get the production (real) server. You don't get usable certificates from staging, but you don't get rate-limited if you screw up. :upside_down_face:


Aw, I see okay. Yes, I would like to keep up with the times. Since it is bothering me about specifying an account, I see that _az mentioned putting it somewhere in the conf file instead.


You shouldn't need to put it anywhere. Notice the command I specified has no -c? Try it. Let's see what happens. Add --dry-run though.

/root/certbot/certbot-auto renew --cert-name lhsouthbury.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lhsouthbury.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (lhsouthbury.com) from /etc/letsencrypt/renewal/lhsouthbury.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['ip-172-30-1-170.ec2.internal@2019-02-08T18:45:57Z (cd24)', 'ip-172-30-1-43.ec2.internal@2019-02-11T23:37:28Z (c2a0)']. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lhsouthbury.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lhsouthbury.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)


Let's try certbot unregister to get rid of some unneeded accounts. The ACME account doesn't really store anything critical. Your certbot command and the certificate itself contain everything you need.

Good idea bc this just happened, I am seeing different accounts for acme-v2 and acme-staging-v2

/root/certbot/certbot-auto certonly --cert-name lhsouthbury.com -a webroot -w /ebs/files/www/0000_DEFAULT/public/ -d lhsouthbury.com,www.lhsouthbury.com --email ssl@yolocare.com --keep
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

Please choose an account


1: ip-172-30-1-134.ec2.internal@2018-09-06T02:13:16Z (f74a)
2: ip-172-30-1-43.ec2.internal@2018-09-06T02:53:49Z (a30a)
3: ip-172-30-1-170.ec2.internal@2018-09-12T16:40:31Z (10a3)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Cert not yet due for renewal
Keeping the existing certificate


Certificate not yet due for renewal; no action taken.


DRY RUN:
/root/certbot/certbot-auto certonly --cert-name lhsouthbury.com -a webroot -w /ebs/files/www/0000_DEFAULT/public/ -d lhsouthbury.com,www.lhsouthbury.com --email ssl@yolocare.com --keep --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

Please choose an account


1: ip-172-30-1-170.ec2.internal@2019-02-08T18:45:57Z (cd24)
2: ip-172-30-1-43.ec2.internal@2019-02-11T23:37:28Z (c2a0)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lhsouthbury.com
http-01 challenge for www.lhsouthbury.com
Using the webroot path /ebs/files/www/0000_DEFAULT/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

You will have different accounts. They're independent systems.

Honestly I would certbot unregister all of them just to be safe and start fresh.

Okay, and to clarify this won't disrupt my current certificates? Bc I have about 200+ sites on here :grimacing:


When you run certbot certificates there are 200+ entries?

I see the bug now! :smile:

The account line in your .cli file was forcing the dry run to use a production account, which isn't on the staging server. :rofl:

The italicized account is not a staging server account.

So the .cli file is a global configuration file, which is an old and architecturally-incompatible mechanism for specifying parameters. In the modern architecture, the configuration parameters for each certificate are stored separately in their own files.

The account really means nothing. It can be created/destroyed pretty-much at will.

Oh my goodness :see_no_evil: okay that makes sense.
