I'm trying to better understand the concept of an 'account' in the context of Let's Encrypt.
For some background, I'm using the non-CLI edition of the Certes API (link: GitHub - fszlin/certes: A client implementation for the Automated Certificate Management Environment (ACME) protocol). I'm authoring using VB.NET.
Using Certes, there are essentially two ways to start an ACME request: one by using an existing account and the other by creating a new one:
Dim accountKey = KeyFactory.FromPem(pemKey)
Dim acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2, accountKey)
Dim account = await acme.Account()
Dim acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2)
Dim account = await acme.NewAccount("email@example.com", true)
' Save the account key for later use
Dim pemKey = acme.AccountKey.ToPem()
To be clear, my question today is not about how to use Certes. I've got that covered. My question is about 'accounts' in Let's Encrypt. What are they?
Follow me for a moment. An apparent oversight in the Certes documentation is the absence of any discussion surrounding how to get the
pemKey in the first place for an existing account. For example, I've been using a different ACME client successfully for years (this is merely my first foray into doing it with my own code). I simply don't have that key. And I've always used the same email address.
Using Certes, I first thought to reference my existing account by using the PEM as exported from my website manually via my browser. I used the 'Existing' code from above. This resulted in errors, somewhat expected since that PEM is a public key only.
So, scratching my head about where to get that account-identifying private key for my first Certes run, I gave it a shot with the 'New' code. Much to my surprise, it worked. Even in production. I have a valid wildcard cert in my happy hands. And a private key for the new account.
But this is odd. I would have expected that request to fail, given that I've been using that same email address for all these years with that other ACME client.
Do the ACME servers not use email addresses as unique identifiers for accounts? If not, and since I apparently can create a new 'account' for each new renewal request, even using the same email address, then what is the purpose of an 'account' in the first place?
Inquiring minds want to know.