Site secured but dry run is telling me the account does not exist

Not numbered, but I sure do see a lot!

1 Like

Tell you what, blast the 2 oldest regular accounts and the oldest staging account with certbot unregister. That should simplify life immensely. You really want to get all of these certificates under single accounts for both staging and production. You can acquire/renew a certificate with ANY account. It's not like an account owns a certificate.

Looks like this:
```
certbot-auto unregister --account ACCOUNT_ID
```

I see these:

```
1: ip-172-30-1-170.ec2.internal@2019-02-08T18:45:57Z (cd24)
2: ip-172-30-1-43.ec2.internal@2019-02-11T23:37:28Z (c2a0)

1: ip-172-30-1-134.ec2.internal@2018-09-06T02:13:16Z (f74a)
2: ip-172-30-1-43.ec2.internal@2018-09-06T02:53:49Z (a30a)
3: ip-172-30-1-170.ec2.internal@2018-09-12T16:40:31Z (10a3)
```

Notice the first 4 digits in parentheses at the end?

So...

```
/root/certbot/certbot-auto unregister --account cd241a1b5a9a82e9b3e9b97a841440e3

/root/certbot/certbot-auto unregister --account f74a9bad0648afe4f8e9395762eeec44

/root/certbot/certbot-auto unregister --account a30a82b6c95115845eb64d71dc4edb11
```

Then run:

```
/root/certbot/certbot-auto certonly --cert-name lhsouthbury.com -a webroot -w /ebs/files/www/0000_DEFAULT/public/ -d lhsouthbury.com,www.lhsouthbury.com --email ssl@yolocare.com --keep --dry-run
```

It should not ask you for an account. If that works then run:

```
/root/certbot/certbot-auto certonly --cert-name lhsouthbury.com -a webroot -w /ebs/files/www/0000_DEFAULT/public/ -d lhsouthbury.com,www.lhsouthbury.com --email ssl@yolocare.com --keep
```

Note that --keep will prevent you from acquiring a new certificate if the current certificate is far from the expiration date.

```
/root/certbot/certbot-auto unregister --account cd241a1b5a9a82e9b3e9b97a841440e3
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Are you sure you would like to irrevocably deactivate your account?

(D)eactivate/(A)bort: D
Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/cd241a1b5a9a82e9b3e9b97a841440e3 does not exist
```

bc of the acme-v1, I figured now would be a good time to remove any certbot packages...

```
sudo apt-get remove certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'certbot' is not installed, so not removed
```

...not quite sure what to do here.

```
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

/root/certbot/certbot-auto --version
certbot 1.8.0
```

Can I unregister the whole account since it is acme-v1?

1 Like

I'm not sure what you mean by whole account, but we are trying to unregister 3 whole accounts. :slightly_smiling_face:

I think you may be OK as far as old certbot versions. That's what I was establishing with _az earlier. The problem is that the migration carried some artifacts with it in the directories and such.

I did some research. What folders do you have inside these four folders?

/etc/letsencrypt/accounts/acme-staging-v01.api.letsencrypt.org/directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory

This is all that is in accounts, no acme-v1. Hmm...

```
/etc/letsencrypt/accounts
ls -la
total 16
drwx------ 4 root root 4096 Jul 15 19:17 .
drwxr-xr-x 9 root root 4096 Sep 26 00:36 ..
drwx------ 3 root root 4096 Jul 15 19:17 acme-staging-v02.api.letsencrypt.org
drwx------ 3 root root 4096 Jul 15 19:17 acme-v02.api.letsencrypt.org
```

1 Like

Based on these:

/etc/letsencrypt/account/acme-v01.api.letsencrypt.org/directory/f74a9bad0648afe4f8e9395762eeec44/

/etc/letsencrypt/account/acme-staging.api.letsencrypt.org/directory/f74a9bad0648afe4f8e9395762eeec44/

I would say there's a symlink somewhere...

Tell me what you see inside of those 4 folders, if you would be so kind.

```
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory
ls -la
drwx------ 2 root root 4096 Jul 15 19:17 c2a0bc5d359ddfb335ddb8f4db4cff25
drwx------ 2 root root 4096 Jul 15 19:17 cd241a1b5a9a82e9b3e9b97a841440e3

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
ls -la
drwx------ 2 root root 4096 Jul 15 19:17 10a37b5f009e9c7272c26e6ca7483766
drwx------ 2 root root 4096 Jul 15 19:17 a30a82b6c95115845eb64d71dc4edb11
drwx------ 2 root root 4096 Jul 15 19:17 f74a9bad0648afe4f8e9395762eeec44
```

and that's it, I can't find acme-v1 or acme-staging-v1. Still digging tho...

1 Like

Hmm... :thinking:

This is what I was prodding @_az about earlier. I figured symlinks somewhere.

At one point we were using a synced ssl cert between 3 servers...

I just checked the server where the main ssl synced cert lived, and sure enough /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f74a9bad0648afe4f8e9395762eeec44 exists!

Here are the contents of the letsencrypt accounts dir on the other server:
```
/etc/letsencrypt/accounts
drwx------ 3 cpuser cpuser 4096 Aug 4 18:42 acme-staging-v02.api.letsencrypt.org/
drwxr-xr-x 3 root root 4096 Sep 11 22:34 acme-v01.api.letsencrypt.org/
drwx------ 3 cpuser cpuser 4096 Aug 4 18:42 acme-v02.api.letsencrypt.org/
```

```
/root/certbot/certbot-auto unregister --account f74a9bad0648afe4f8e9395762eeec44
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Are you sure you would like to irrevocably deactivate your account?

(D)eactivate/(A)bort: D

IMPORTANT NOTES:

  • Account deactivated.
```

1 Like

Did the folder vaporize after the unregister? I'm still wondering from where the current server is getting its reference though. I don't see symlinks in any of your listings.

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/ still exists but nothing in /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

Would it help to delete /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org?

1 Like
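An added example, not part of any post in this thread: a shell inventory of the account tree that shows which ACME server directory each account ID is stored under, flags a server directory that holds no accounts (the acme-v01 case above), and expands the 4-character prefix from certbot's account prompt to the full ID. The function names and the sample tree are constructed for illustration; the layout `ROOT/<server>/directory/<account-id>` is taken from the listings in the thread.

```shell
# Added example, not from the thread. Layout assumed from the listings above:
#   ROOT/<acme-server>/directory/<account-id>/

# Print "<server> <account-id> <real-path>" per account directory, or
# "<server> - EMPTY" when a server's directory/ holds no accounts.
list_acme_accounts() {
    root=${1:-/etc/letsencrypt/accounts}
    for server_dir in "$root"/*/; do
        [ -d "${server_dir}directory" ] || continue
        server=$(basename "$server_dir")
        found=0
        for acct in "${server_dir}directory"/*/; do
            [ -d "$acct" ] || continue
            found=1
            # pwd -P resolves symlinks, so an account reached through a link
            # is reported with the server directory it really lives in.
            real=$(cd "$acct" 2>/dev/null && pwd -P) || real=UNREADABLE
            echo "$server $(basename "$acct") $real"
        done
        [ "$found" -eq 1 ] || echo "$server - EMPTY"
    done
}

# Expand the 4-character prefix shown in certbot's account prompt to the
# full account ID(s), with the ACME server each one is stored under.
resolve_account_prefix() {
    list_acme_accounts "$1" |
        awk -v p="$2" '$2 != "-" && index($2, p) == 1 { print $1, $2 }'
}

# Constructed sample tree mirroring the directory listings in the thread,
# plus an empty acme-v01 directory like the one found later.
make_sample_tree() {
    t=$(mktemp -d)
    s="$t/acme-staging-v02.api.letsencrypt.org/directory"
    p="$t/acme-v02.api.letsencrypt.org/directory"
    mkdir -p "$t/acme-v01.api.letsencrypt.org/directory" \
        "$s/c2a0bc5d359ddfb335ddb8f4db4cff25" "$s/cd241a1b5a9a82e9b3e9b97a841440e3" \
        "$p/10a37b5f009e9c7272c26e6ca7483766" "$p/a30a82b6c95115845eb64d71dc4edb11" \
        "$p/f74a9bad0648afe4f8e9395762eeec44"
    echo "$t"
}

# Demo on the constructed tree; pass a real path to list_acme_accounts instead.
sample=$(make_sample_tree)
list_acme_accounts "$sample"; resolve_account_prefix "$sample" f74a
rm -rf "$sample"
```

Against a live host, call `list_acme_accounts /etc/letsencrypt/accounts` as root, since the listings above show those directories as `drwx------`.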

Please do. This could just be a fallback in the logic.

I found a diatribe relating somewhat to this issue dating back a couple of years between the certbot developers.

While I believe you and I can imminently resolve things here for your situation, I want an experienced eye to look this over later, so I'm going to ping a certbot developer. He likely isn't around right now though, so he'll get to it when he can.

@bmw

This is a certbot v1 to v2 account carryover situation. I didn't want to create a GitHub thread for it yet as I'm not certain how to describe this succinctly and I may be missing some critical mass. For some reason using unregister is looking for a v2 account in a v1 folder, but the v1 directory is empty.

2 Likes

We'll call this a night for now. You should be able to use the command I gave you and select one of the newer accounts to get by until this is resolved. If none of them work, let us know.

Sounds good, thank you so much for all your help!!

2 Likes