Multiple Let's Encrypt accounts preventing certificate from renewing


#1

So I’ve upgraded to .40, and it’s time to provision new certificates in Let’s Encrypt, but I’m getting an error back:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['box.example.org@2018-07-31T21:18:50Z (58a9)', 'box.example.org@2019-01-13T17:02:03Z (17fb)']

I’m guessing I want to keep the newer one, but when I try to remove the older one, I get the following error:

Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/box.example.org@2018-07-31T21:18:50Z does not exist

Any suggestions?


#2

Two seconds more of digging was all it took. In case anyone else has the same issue after upgrade, you’ll need to remove the inactive account from
/home/user-data/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory

In my case, I had two directories there, 17fbXXXXXXXXXXXXXX and 58a9XXXXXXXXXXXXXX. I deleted the older one and then re-ran “Provision Certificate” from the TLS (SSL) Certificates page.
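The cleanup described in post #2, as an added example that is not part of the original thread: it lists the accounts in that directory by creation date and moves every account except the newest into a backup directory instead of deleting it. The `meta.json` / `creation_dt` layout is an assumption about how certbot stores accounts, and the function names and the `.stale-backup` default are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list certbot ACME accounts stored under
# one server directory and move all but the newest aside. Nothing is deleted.
# Assumption: each account directory holds a meta.json containing a
# "creation_dt" ISO 8601 UTC timestamp, which sorts correctly as plain text.

# Print "<creation_dt> <account-id>" for each account, oldest first.
list_accounts() {
    for meta in "$1"/*/meta.json; do
        [ -f "$meta" ] || continue
        dt=$(sed -n 's/.*"creation_dt"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$meta")
        id=$(basename "$(dirname "$meta")")
        # Accounts without a readable date are reported and never touched.
        [ -n "$dt" ] || { echo "skipping $id: no creation_dt" >&2; continue; }
        printf '%s %s\n' "$dt" "$id"
    done | sort
}

# Print the id of every dated account except the most recently created one.
stale_accounts() {
    list_accounts "$1" | sed '$d' | cut -d' ' -f2
}

# Move stale accounts into a backup directory ($2, or a sibling of $1 by
# default) so the change can be undone; print the backup directory path.
quarantine_stale() {
    backup=${2:-${1%/}.stale-backup}
    stale_accounts "$1" | while read -r id; do
        mkdir -p "$backup" && mv "$1/$id" "$backup/$id"
    done
    printf '%s\n' "$backup"
}

# Path taken from post #2; pass another directory as $1 to override it.
# Run as-is, the script only lists what it finds.
ACCOUNTS_DIR=${1:-/home/user-data/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory}
if [ -d "$ACCOUNTS_DIR" ]; then
    list_accounts "$ACCOUNTS_DIR"
fi
```

Call `quarantine_stale "$ACCOUNTS_DIR"` once the listing looks right, then re-run “Provision Certificate” as described in the post.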


#3

Can confirm this worked for me as my certificates were having the same issues.

Do you have any idea why this was causing issues?


#4

Let’s Encrypt creates a new account at install, and the backups have the previous install’s account details in them, so LE isn’t sure which account should be used to create the certificates (since they use the same name for the account). In all honesty, I didn’t verify if it mattered which account you kept versus got rid of, but I made the assumption that since the previous cert (that was created during the .40 install) was created with the new account, it was probably better to keep that one than the one restored from backup.


#5

I’m not that in-depth familiar with Let’s Encrypt and did not know that it additionally created accounts when creating certs. Is this something that has worked before with upgrades, or no? This was my first time upgrading.


#6

The ACME client creates and handles everything about your “account” that is required when talking to the Let’s Encrypt servers that issue the certificate.

Normally with MIAB upgrades this isn’t an issue, because you’re running off the same original install (and LE “account”), just upgrading. With the jump from .30 to .40, you have to do a new install onto 18.04. During the install, LE creates a new account to handle the certificates, but your old account is also restored when you go through the backup restore process.

This should be a one-time thing.