
Certbot unable to issue certificate, instead asks for 'Please choose an account'

When trying to add a new Let's Encrypt TLS certificate, certbot failed with the following error message:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['linux.example.com@2018-07-09T07:25:33Z (c1e0)', 'tomcat.example.com@2016-11-19T03:03:53Z (132f)']

This has worked in the past, so why does it not anymore? Let's dig into the account structure of Let's Encrypt, which certbot keeps (by default) in /etc/letsencrypt/accounts/:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory 
lrwxrwxrwx 1 root root 64 Jan  1  2020 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

The current Let's Encrypt API domain (acme-v02.api.letsencrypt.org) is used here, and as you can see above, its directory is a symlink to the old API domain (acme-v01.api.letsencrypt.org). Yes, this server has been using Let's Encrypt certificates for a couple of years already.

Following the white rabbit (the symlink), the directory folder contains two accounts:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Nov 19  2016 132f0b56b6a5e4432e6aee8a9ae299ce
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

Taking a closer look at the subfolder names, they match the choices shown in the certbot output above (132f and c1e0). With two accounts registered for the same ACME server, certbot would normally ask which one to use; because it was run non-interactively (-n), it could not prompt and aborted with "Missing command line flag or config entry for this setting" instead.

This can be easily solved by removing one of the two accounts. In this situation the older account (132f) from 2016 is moved away to /tmp and only the account (c1e0) from 2018 is kept:

root@linux ~ # mv /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce/ /tmp/

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 4
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

And finally certbot was able to issue the certificate:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
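The following check script is an added example and not part of the original article: it lists the accounts certbot knows about (resolving the acme-v02 -> acme-v01 symlink shown above, so the same account appears under both server names) and exits non-zero when one server directory holds more than one account, which is exactly the state that makes a non-interactive run ask "Please choose an account". It also reports renewal configs in /etc/letsencrypt/renewal/ whose "account = <id>" line points at an account directory that has been moved away. It assumes the layout accounts/<server>/directory/<id>/meta.json with the keys "creation_host" and "creation_dt"; run it as `sh check_accounts.sh /etc/letsencrypt`.

```shell
# Added example, not from the original article: list certbot's ACME accounts and
# flag what makes a non-interactive (-n) run fail. With -n certbot cannot prompt,
# so it aborts with "Please choose an account" when one ACME server directory holds
# more than one account; and a renewal config naming an account id that was moved
# away breaks "certbot renew". Assumed layout: accounts/<server>/directory/<id>/meta.json
# (keys "creation_host", "creation_dt") and renewal/<name>.conf with "account = <id>".

# Print one line per account: <server> <id> <creation_host>@<creation_dt>
list_accounts() {
    conf_dir="$1"
    for server_dir in "$conf_dir"/accounts/*; do
        [ -d "$server_dir/directory" ] || continue
        for acct in "$server_dir/directory"/*/; do
            [ -f "${acct}meta.json" ] || continue
            host=$(sed -n 's/.*"creation_host": *"\([^"]*\)".*/\1/p' "${acct}meta.json")
            created=$(sed -n 's/.*"creation_dt": *"\([^"]*\)".*/\1/p' "${acct}meta.json")
            printf '%s %s %s@%s\n' "$(basename "$server_dir")" "$(basename "$acct")" "$host" "$created"
        done
    done
}

# Exit 0 when every ACME server has exactly one account and every renewal config
# references an existing account; otherwise print each problem and exit 1.
check_accounts() {
    cdir="$1"; rc=0
    for srv in "$cdir"/accounts/*; do
        [ -d "$srv/directory" ] || continue
        name=$(basename "$srv")
        n=$(list_accounts "$cdir" | awk -v s="$name" '$1 == s' | wc -l)
        if [ "$n" -gt 1 ]; then
            echo "AMBIGUOUS: $n accounts under $name; certbot -n cannot choose between them"
            rc=1
        fi
    done
    for rconf in "$cdir"/renewal/*.conf; do
        [ -f "$rconf" ] || continue
        id=$(sed -n 's/^account *= *\([0-9a-f]*\).*/\1/p' "$rconf")
        [ -n "$id" ] || continue
        if ! ls -d "$cdir"/accounts/*/directory/"$id" >/dev/null 2>&1; then
            echo "DANGLING: $(basename "$rconf") references missing account $id"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    list_accounts "$1"
    check_accounts "$1"
fi
```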

Claudio Kuenzler
Claudio has been writing way over 1000 articles on his own blog since 2008 already. He is fascinated by technology, especially Open Source Software. As a Senior Systems Engineer he has seen and solved a lot of problems - and writes about them.
