Workaround to using account ID to keep track of the domains

I have been asked by LE to

issue all of your certificates from a
single ACME account so we can just adjust by account ID and not have
to keep a list of domains up to date?

fyi (relevant reading)

My current-setup:
I am using the dehydrated client along with a hook to generate my certificates from a single server and do not not see an issue with the idea of using the same account ID.

Dehydrated does not seem to have the option of passing an account argument in a similar manner as certbot does as stated in the docs.

I am wondering if LE can aggregate the domains in a similar manner as with account ID, if I am passing an unchanged privatekey or is there another workaround.

Thank you

I may be miss-understanding, can’t you just use the same account key for all your domains ( which I thought dehydrated did by default if on the same server) - and then you would be using the same account ID for all.

Hey, thanks for the prompt response. This is exactly what I wish to clarify. Is using the same account key the same as passing the same account ID from LE point of view?

What exactly do you mean by “passing an account ID”? This doesn’t make sense. Every significant interaction with the API requires signing your whole request with your account key. There is no simple passing of IDs.

From your end, you simply use your account key. This may correspond to a certain ID in that sense on LE’s side, but clients shouldn’t really be concerned about what their actual ID is. It doesn’t matter for them.

Certbot has the argument --account ACCOUNT_ID Account ID to use (default: None) (docs).

When I read the following:

issue all of your certificates from a single ACME account so we can just adjust by account ID

I thought that they would like me to use the account ID number that I was given as an argument (i.e. add --account 12345) when requesting certificates. I am not using certbot, thus, my question is whether I can do similarly using dehydrated.

Looks like certbot is trying to be “clever” by creating a local directory containing your account ID, and creates a reverse mapping where you specify that account ID for it to work with. This seems to be purely a certbot thing. And I find it unnecessarily complex.

Technically, there is no use for the account ID whatsoever client-side. You need an account key that is used to sign requests. That’s it.


By default, most clients will create a single account and reuse it so long as you are always running on the same machine.

The advice in the integration guide about using a single account is mainly intended for hosting providers, who run many different servers. For them, if they ran a different client on each different server, they would wind up with a lot of different accounts, so we recommend that they do a little extra work to associate all their certs with a single account.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.