I’ve noticed that if I delete folders from `/etc/letsencrypt/accounts` and generate a new certificate, certbot will create a new account and successfully validate the domain without any issues.
So, why is it recommended to keep that folder backed up if I can create accounts every time?
One situation where you would want to keep the same ACME account is when you have a rate limit exemption against your account, but this doesn’t affect most users.
But otherwise, it’s just polite to keep the same account. If everybody kept creating new accounts, Let’s Encrypt’s database would get unhappy.
One reason for that advice is that it’s simpler to back up all of `/etc/letsencrypt/` than to back up 3 different subdirectories.
Also, although it’s not really technically necessary, the renewal configuration files in `/etc/letsencrypt/renewal/` do include the associated account ID. If you have any existing certificates, I would expect that “`certbot renew`” would start to fail if you zapped `/etc/letsencrypt/accounts/`. It would be easy for you to manually fix, but I don’t think Certbot would automatically do it.
Also also, there is an account creation rate limit. It’s very high, but there’s no need to take chances.
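A check for the point above about renewal configs recording an account ID, as an added example that is not part of the original posts or of Certbot itself: it lists every renewal config whose recorded account has no key left under `accounts/`, which is useful after a restore or cleanup. It assumes the `account = <id>` line in each renewal file and an `accounts/<server>/<path>/<id>/private_key.json` layout; the sample tree and its names (`acme.example`, `aaaa1111`, `bbbb2222`) are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumption: each renewal config records its account as "account = <id>".
ACCOUNT_RE = re.compile(r"^\s*account\s*=\s*(\S+)", re.MULTILINE)


def missing_accounts(config_dir):
    """Return [(lineage, account_id)] for renewal configs whose ACME
    account key is not present under <config_dir>/accounts/."""
    root = Path(config_dir)
    missing = []
    for conf in sorted((root / "renewal").glob("*.conf")):
        match = ACCOUNT_RE.search(conf.read_text())
        if not match:
            continue  # no account recorded for this lineage
        acct = match.group(1)
        # Assumed layout: accounts/<server>/<path>/<id>/private_key.json
        found = any((d / "private_key.json").is_file()
                    for d in (root / "accounts").rglob(acct))
        if not found:
            missing.append((conf.stem, acct))
    return missing


def build_sample(root):
    """Constructed sample tree: one lineage with its account key, one without."""
    root = Path(root)
    (root / "renewal").mkdir(parents=True)
    for name, acct in (("example.com", "aaaa1111"), ("example.org", "bbbb2222")):
        (root / "renewal" / f"{name}.conf").write_text(
            f"# constructed sample\n[renewalparams]\naccount = {acct}\n")
    keydir = root / "accounts" / "acme.example" / "directory" / "aaaa1111"
    keydir.mkdir(parents=True)
    (keydir / "private_key.json").write_text("{}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]          # e.g. a restored copy of /etc/letsencrypt
    else:
        target = tempfile.mkdtemp()   # fall back to the constructed sample
        build_sample(target)
    for lineage, acct in missing_accounts(target):
        print(f"{lineage}: account {acct} has no key under accounts/")
```

Run it with the path to a backup or restored copy of the configuration directory as the only argument; reading the real `/etc/letsencrypt` normally requires root.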
I agree with all of the reasons in @_az’s and @mnordhoff’s answers. Three others:
- You can use an account credential to revoke a certificate (even without the certificate’s associated private key)
- You can use an account credential to update the contact e-mail address at which Let’s Encrypt will send you expiry notices and warnings if you’re using some kind of technology for which support is being discontinued
- When we first wrote the advice in Certbot about backups, some things about Let’s Encrypt validation methods and rate limits were still undefined, and so it appeared possible that ACME accounts would play a larger role in the overall system in several ways than they do today
It’s true that the account information is one of the least harmful things that you could lose access to, at least if your account doesn’t have an associated rate limit exemption, as @_az mentioned.
Thank you so much for your help.