Update account.conf API keys?

Hi everyone! I'm relatively new to Let's Encrypt. I'm currently running acme.sh for my cert updates / renewals.

I recently migrated my DNS from GoDaddy to AWS Route53. I've confirmed the API keys work and I am able to manually issue a new cert using the acme.sh --issue --dns dns_aws -d mydomain.com command.

However, when I now run this command, my account.conf file will NOT update / change from the GD shared key and secret to the new AWS shared key and secret.

Do I need to uninstall and re-install acme.sh? Would seem silly for a simple task, but is there something I'm missing?

Thanks in advance!

Hello @fatalbyte,

I suppose before issuing that command you exported the 2 variables, right?

export AWS_ACCESS_KEY_ID=XXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX

Note: Never share these keys.

acme.sh won't remove the GD entries in account.conf; it will only add the new ones for AWS. Are you saying you can't see two lines containing these variables in your account.conf file?

SAVED_AWS_ACCESS_KEY_ID='XXXXXXXXXX'
SAVED_AWS_SECRET_ACCESS_KEY='XXXXXXXXXXXXXXX'

No, there is no need to uninstall.

Cheers,
sahsanu

Hi @sahsanu,

Correct, the NEW AWS keys are not showing in the account.conf file after running that command.

i.e. SAVED_AWS_ACCESS_KEY_ID=XXXXXXXXXX
i.e. SAVED_AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX

So, if acme.sh doesn't know what your AWS keys are, how is it possible that you got a certificate using this command?

Could you please show the output of this command (replace mydomain.com with your real domain)?

grep -i Le_Webroot /root/.acme.sh/mydomain.com/mydomain.com.conf

I'm not sure either, that's why I'm confused.

Here is the output:
.com.conf
Le_Webroot='dns_aws'

It is really strange, are you really sure you exported the two variables before issuing your certificate?

Anyway, you can edit the account.conf file and manually add both keys using this format:

SAVED_AWS_ACCESS_KEY_ID='XXXXXXXXXX'
SAVED_AWS_SECRET_ACCESS_KEY='XXXXXXXXXXXXXXX'

Ok. I'll try that. I think it may have been because the secret key had a lot of \ in it, including at the beginning. But I've since timed myself out, so I can no longer test it. Looks like I'll have to wait (5) days (if I read it right) to test again.

"detail": "Error creating new order :: too many certificates already issued for exact set of domains"

That could be the problem; just be sure to use single quotes when saving it in the account.conf file.

If you issued all the certificates today, yes; if not, then you could issue a new cert for the exact set of domains 7 days after issuing the first one of those 5 certificates.
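To make the quoting advice from the two replies above concrete, here is an added example in POSIX sh; it is not code from acme.sh or from anyone in the thread, and it assumes an acme.sh-style account.conf (KEY='value' lines that are later sourced with `.`). The `save_var` function writes or replaces a SAVED_* entry using single quotes and escapes any literal single quote in the secret, so values containing backslashes, slashes, `+` or `'` survive a round trip; `read_var` sources the file in a subshell to confirm what acme.sh would actually read back. The file path and key values used are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example (not acme.sh code): safely store and read back SAVED_* entries
# in an acme.sh-style account.conf. All paths and key values are placeholders.

# Escape a value for use inside a single-quoted shell assignment: ' -> '\''
# Backslashes need no escaping inside single quotes, which is why the thread
# recommends single quotes for secrets that contain them.
sq() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Set or replace KEY='value' in the conf file (creating the file if missing),
# so re-running it after a DNS provider change never leaves duplicate lines.
save_var() {
    conf=$1; key=$2; val=$(sq "$3")
    touch "$conf"
    # Drop any existing line for this key; '|| true' keeps set -e happy when
    # the key was the only line in the file.
    { grep -v "^${key}=" "$conf" || true; } > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    printf "%s='%s'\n" "$key" "$val" >> "$conf"
}

# Read a value back exactly as a `. account.conf` would see it.
# The subshell keeps the sourced variables out of the caller's environment.
read_var() {
    conf=$1; key=$2
    ( . "$conf" && eval "printf '%s' \"\$$key\"" )
}

# Check that both AWS variables are exported and non-empty before issuing,
# which is the precondition sahsanu asked about.
aws_env_ready() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Usage (placeholder values):
#   save_var ~/.acme.sh/account.conf SAVED_AWS_ACCESS_KEY_ID 'AKIAEXAMPLE000000'
#   save_var ~/.acme.sh/account.conf SAVED_AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
#   read_var ~/.acme.sh/account.conf SAVED_AWS_SECRET_ACCESS_KEY
```

Run `read_var` after editing to confirm the stored secret matches the one you exported; a mismatch usually means the value was written with double quotes or no quotes and a backslash or `$` was interpreted by the shell.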

Ok, thanks so much for all of your help! Really appreciate it!

I'll test again in a week and let you know my result.

Thanks!

