Update account.conf API keys?

fatalbyte · January 12, 2021, 3:33pm

Hi everyone! I'm relatively new to Let's Encrypt. I'm currently running acme.sh for my cert updates / renewals.

I recently migrated my DNS from GoDaddy to AWS Route53. I've confirmed the API keys work and able to manually issue a new cert using the acme.sh --issue --dns dns_aws -d mydomain.com command.

However, when I now run this command, my account.conf file will NOT update / change from the GD shared key and secret to the new AWS shared key and secret.

Do I need to uninstall and re-install acme.sh? Would seem silly for a simple task, but is there something I'm missing?

Thanks in advance!

sahsanu · January 12, 2021, 4:17pm

Hello @fatalbyte,

I suppose before issuing that command you exported the 2 variables, right?

export  AWS_ACCESS_KEY_ID=XXXXXXXXXX
export  AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX

Note: Never share these keys.

acme.sh won't remove the GD entries in account.conf, it will only add the new ones for AWS. Are you saying you can't view two lines containing these variables in your account.conf file?

SAVED_AWS_ACCESS_KEY_ID='XXXXXXXXXX'
SAVED_AWS_SECRET_ACCESS_KEY='XXXXXXXXXXXXXXX'

No. there is no need to uninstall.

Cheers,
sahsanu

fatalbyte · January 12, 2021, 3:58pm

Hi @sahsanu,

Correct, the NEW AWS keys are not showing in the account.conf file after running that command.

i.e. SAVED_AWS_ACCESS_KEY_ID=XXXXXXXXXX
i.e. SAVED_AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX

sahsanu · January 12, 2021, 4:04pm

So, if acme.sh doesn't know what are your aws keys, how is it possible you got a certificate using this command?

Could you please show the output of this command (replace mydomain.com with your real domain)?

grep -i Le_Webroot /root/.acme.sh/mydomain.com/mydomain.com.conf

fatalbyte · January 12, 2021, 4:08pm

I'm not sure either, that's why I'm confused.

Here is the output:
.com.conf
Le_Webroot='dns_aws'

sahsanu · January 12, 2021, 4:16pm

It is really strange, are you really sure you exported the two variables before issuing your certificate?

Anyway, you can edit account.conf file and add manually both keys using this format:

SAVED_AWS_ACCESS_KEY_ID='XXXXXXXXXX'
SAVED_AWS_SECRET_ACCESS_KEY='XXXXXXXXXXXXXXX'

fatalbyte · January 12, 2021, 4:46pm

Ok. I'll try that. I think it may have been because the secret key had a lot of \ in it, including at the beginning. But I've since timed my self out, so I can no longer test it. Looks like I'll have to wait (5) days (if I read it right) to test again.

"detail": "Error creating new order :: too many certificates already issued for exact set of domains"

sahsanu · January 12, 2021, 4:53pm

That could be the problem, just be sure to use single quotes when saving it on account.conf file.

If you issued all the certificates today yes, if not, then you could issue a new cert for exact set of domain after 7 days of issuing the first one of those 5 certificates.

fatalbyte · January 12, 2021, 5:56pm

Ok, thanks so much for all of your help! Really appreciate it!

I'll test again in a week and let you know my result.

Thanks!