Solved: Use V1 account registration info with V2? Convert registration data: cpanel-letsencrypt to Certbot!


#1

Hello,

We have a rate limit increase for a V1 account. We wish to start running V2 for new domains, keeping our existing domains using V1.

Can I reuse the account registration data used for V1 with V2? If this can work, how do I place the private key into the registration files for V2?

OR

Do I need to request a rate limit increase for a new account?

We were using the package provided by cPanel, cpanel-letsencrypt (V1).
Now we wish to use Certbot (V2).

I have checked the files that store the keys/registration data and they do not seem to have the same keys/values.
V1: located at /root/.cpanel/acme.acme-v01.api.letsencrypt.org.json
Contains:
{"key":{"kty":"RSA","n":"xxxxxxx","e":"AQAB"},"agreement":"https://acme-v01.api.letsencrypt.org/terms","contact":[],"private_key_pem":"-----BEGIN RSA PRIVATE KEY-----\xxxxx-----END RSA PRIVATE KEY-----","uri":"https://acme-v01.api.letsencrypt.org/acme/reg/xxxxx"}

V2: located at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/xxxxxxxxxxxx/
Contains 3 files:

meta.json:
{"creation_host": "server.myserver.com", "creation_dt": "timestamp"}

private_key.json:
{"n": "xxxxxxxxxx", "kty": "RSA", "e": "AQAB", "p": "xxxxxxxxxxxxxx", "qi": "xxxxxxxxxxxx", "dp": "xxxxxxxxxxxxxxxxxxxx", "d": "xxxxxxxxxxxxxxxxx", "dq": "xxxxxxxxxx"}

regr.json:
{"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxxxxx", "body": {}}

I have been searching for information about this and did not find much.

Any information on this would be appreciated.

Thanks!

Stephan S.


#2

Importing your existing cpanel-letsencrypt account key to Certbot is likely to be challenging. I don’t think there is very good support for this and I suspect you’ll be left manually converting between the two serialization formats and trying to fiddle with Certbot’s state behind its back.

I think the most straightforward path is for you to request a new rate limit increase for the new account, matching the old account (plus a sensible override for the new-orders rate limit specific to ACMEv2).

@jple - Do you agree with the above?


#3

It seems that Certbot is storing the key in JSON Web Key (JWK) format, whereas cpanel-letsencrypt is storing it partly in JWK and the private key in PEM format.

Does anyone know how I can convert my private_key_pem to JWK?


#4

The conversion can be done by using a JOSE library in your choice of language or reading the JSON Web Algorithms standard (https://tools.ietf.org/html/rfc7518#section-6.3.2). Both ECDSA and RSA private key formats are described there.

You can use something like e.g. https://play.golang.org/p/KXUbA1uJesI (assuming cpanel-letsencrypt uses RSA account keys). Just don’t put your key in that playground.


#5

Thank you all for your help. It seems to be working now. Here is what I have done:

  1. Download and run jose.phar (on a Linux box) to convert my private key, which was taken from the "private_key_pem" key in /root/.cpanel/acme.acme-v01.api.letsencrypt.org.json.
    https://web-token.spomky-labs.com/console
    curl -OL https://github.com/web-token/jwt-app/raw/gh-pages/jose.phar
    curl -OL https://github.com/web-token/jwt-app/raw/gh-pages/jose.phar.pubkey
    ./jose.phar key:load:key key.pem

  2. Take the output from the conversion and paste it into my /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/xxxxxxx/private_key.json

  3. Update my ACME id in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/xxxxxxx/regr.json

  4. I tried to generate a certificate at this point. It worked, well partly. I found that it had just created a new registration due to the following error found in the log /var/log/letsencrypt/:
    certbot.errors.AccountStorageError: Account ids mismatch (expected: xxxxxxxxx-newdir-xxxxxxxx, found: xxxxxxx-olddir-xxxxxxxxxxxxxx

After some googling and stumbling upon this: Account ids mismatch. I then renamed the old directory to the expected value from the log and deleted the new account directory that had been created.

Now it seems to be working. I have certificates being generated and no new accounts being created.

I hope this helps someone.

If I have any issues I will come back here to post updates.

Thanks again!
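As an added example (not from this thread, and not the jose.phar tool used in step 1 above), here is the conversion that step 1 performs, written directly against the RFC 7518 section 6.3.2 encoding that #4 points to: parse the PKCS#1 "RSA PRIVATE KEY" PEM that cpanel-letsencrypt stores under private_key_pem and emit the JWK members that Certbot keeps in private_key.json. The key material is a constructed textbook toy (p=61, q=53), not a real key, and the toy_pkcs1_pem builder and the PEM regular expression are this example's own.

```python
import base64
import re

NAMES = ["n", "e", "d", "p", "q", "dp", "dq", "qi"]  # RSAPrivateKey field order after the version

def _b64u(v: int) -> str:
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")   # minimal big-endian bytes
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()  # RFC 7518 Base64urlUInt, no padding

def _der_tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 128:                                   # short-form length
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body       # long-form length

def _der_int(v: int) -> bytes:
    # one spare bit so a leading 0x80.. byte gets a 0x00 prefix and the INTEGER stays positive
    return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                         # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def pkcs1_pem_to_jwk(pem: str) -> dict:
    """Turn a 'BEGIN RSA PRIVATE KEY' (PKCS#1) PEM into the JWK dict Certbot keeps in private_key.json."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a PKCS#1 'RSA PRIVATE KEY' PEM block")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        t, body, pos = _read_tlv(seq, pos)
        ints.append(int.from_bytes(body, "big", signed=True) if t == 0x02 else None)
    if len(ints) != 9 or ints[0] != 0 or None in ints:
        raise ValueError("unsupported structure: expected a version-0 RSAPrivateKey with 9 INTEGERs")
    return {"kty": "RSA", **{k: _b64u(v) for k, v in zip(NAMES, ints[1:])}}

# Constructed toy parameters (textbook p=61, q=53; NOT a usable key) so the example runs offline.
TOY = {"n": 3233, "e": 17, "d": 2753, "p": 61, "q": 53, "dp": 53, "dq": 49, "qi": 38}

def toy_pkcs1_pem(params: dict = TOY) -> str:
    body = _der_int(0) + b"".join(_der_int(params[k]) for k in NAMES)  # version 0, then the 8 integers
    b64 = base64.b64encode(_der_tlv(0x30, body)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"
```

With the real file you would pass `json.load(open(path))["private_key_pem"]` to `pkcs1_pem_to_jwk`; the output includes `q`, which RFC 7518 requires whenever `p` is present, even though the private_key.json listing earlier in the thread does not show it.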


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.