Switching from dehydrated to certbot

pludikovsky · July 27, 2020, 12:09pm

I have used letsencrypt.sh / dehydrated for my servers so far, but would like to switch over to using certbot for my new server. Is there any known way to convert my account information and private keys in dehydrated to one compatible with certbot?

Just asking before I attempt to come up with an solution myself.

JuergenAuer · July 27, 2020, 12:55pm

Hi @pludikovsky

I wouldn't do that and it's not required.

Create a new account
if you create certificates, new keys are created.

So there is no need to transform the old account.

9peppe · July 27, 2020, 1:38pm

This is interesting: usually people start with certbot and then go to other clients, not the opposite.

Can you tell us why are you switching?

jvanasco · July 27, 2020, 5:42pm

As others said, you don't have to do that... you can just start new.

HOWEVER...

Certbot stores account information in this directory:

/etc/letsencrypt/accounts/{SERVER}/directory/{ACCOUNT_ID}

there are 3 files:

meta.json - info about creating the account
regr.json - info about registration
private_key.json - RSA key in JWK format

Most other clients store the RSA key in PEM format.

A few weeks ago, the certbot team accepted a PR from me to the josepy package for an example script that shows how to convert JWK to PEM (and vice-versa).

That file is here:

github.com

certbot/josepy/blob/master/examples/pem_conversion.py

from __future__ import print_function  # Python2 support

from cryptography.hazmat.primitives import serialization

import josepy


def jwk_to_pem(pkey_jwk):
    """
    LetsEncrypt uses RSA Private Keys as Account Keys.
    Certbot stores the Account Keys as a JWK (JSON Web Key) encoded string.
    Many non-certbot clients store the Account Keys using PEM encoding.

    Developers may need to utilize a Private Key in the PEM encoding for certain
    operations or to migrate existing LetsEncrypt accounts to a client.

    :param pkey_jwk: JSON Web Key(jwk) encoded RSA Private Key
    :type pkey_jwk: string

    :return: PEM encoded RSA Private Key

This file has been truncated. show original

cpu · July 28, 2020, 2:38pm

FWIW that's only one possible account key algorithm. It isn't universally true that Let's Encrypt account public keys are RSA, you can also register an ECDSA keypair for the account key.

jvanasco · July 28, 2020, 5:50pm

I knew that, and am trying to figure out why I wrote the incorrect text as I did. Thank you for pointing this out.

pludikovsky · August 10, 2020, 11:26am

I started with letsencrypt.sh (before it was renamed to dehydrated) because at that time

The certbot client required a nasty mix of Python, compiled C, and Perl glue
You had to mangle all that into a working shape because there were no ready to use packages for most stable distros, let alone BSDs

letsencrypt.sh only required bash, openssl, and a few GNU tools.

system · September 9, 2020, 11:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrate from dehydrated to certbot Help	12	1219	June 7, 2022
Dehydrated vs certbot Help	4	781	June 14, 2024
Workaround to using account ID to keep track of the domains Issuance Tech	7	2865	February 17, 2017
Moving a single certificate Help	1	513	June 20, 2019
Permissions best practices (dehydrated) Help	7	768	September 9, 2023

Switching from dehydrated to certbot

Related topics