What are accounts? Do I need to backup them?


#1

So, my workflow of obtaining certs using nginx and certbot is following:

  1. issue certonly --webroot command, supplying my email (different for each domain) using -m flag
  2. enable ssl in nginx conf and reload it

Today I tried to obtain new cert for new domain using new email, but certbot asks to choose from existing accounts. The questions are

  1. what is ACME account and how my domain certificates depends on it? Why prooving of domain rights is not enough, why accounts exist?
  2. do I need to backup /accounts folder?
  3. What will be if I change my hosting provider and re-request the certificate for existing domain providing email used on first cert request for that domain on a clean OS without any /etc/letsencrypt/accounts? Will it create a new account with the same email ot it will deny to reobtain cert?
  4. certbot notifies me: “If you lose your account credentials, you can recover through
    e-mails sent to …email…”. But I did not receive any email, why?
  5. How to get multiple certs for multiple domains on one server, providing different emails -or- how to stop certbot from asking to choose existing account?

#2

Think of ACME accounts as your account on letsencrypt.org. Any domain you authorize or certificate you request is associated with a specific account. Accounts allow you to provide your contact details for expiration notices and other communication from Let’s Encrypt (like upcoming changes that are relevant to you, etc.). They also allow you to revoke certificates if you’ve lost access to a certificate’s private key (which could also be used for revocation).

Losing your account key (as in data loss, not losing it to an attacker :smile:) would not be the end of the world. You won’t be able to change the email address for that particular account, and you won’t be able to revoke any certificates if you also lose the private key paired with that certificate, but that’s about it.

There’s nothing stopping you from using the exact same email address and the exact same domains again. None of these things need to be unique in any way.

This is not really true anymore - account recovery via email was planned to be added at some point, but has been removed from the spec since.

If you want to use different emails, the relevant certbot verbs and flags would be certbot register, which allows you to register a new account (with a new email address), and the --account flag, which lets you specify which of your existing accounts you want to use to request a certificate (in other words, you’d add --account ACCOUNT_ID to the command you use to get a certificate, where ACCOUNT_ID is the name of the subdirectory in /accounts/{server}/ for that particular account).


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.