When trying to add a new Let's Encrypt TLS certificate, certbot failed with the following error message:
root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['linux.example.com@2018-07-09T07:25:33Z (c1e0)', 'tomcat.example.com@2016-11-19T03:03:53Z (132f)']
This had worked in the past, so why would it fail now? Let's dig into the account structure certbot keeps for Let's Encrypt. By default it lives in /etc/letsencrypt/accounts/:
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
lrwxrwxrwx 1 root root 64 Jan 1 2020 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
Here the current Let's Encrypt API endpoint (acme-v02.api.letsencrypt.org) is used. As the listing shows, its directory is a symlink to the one for the old API endpoint (acme-v01.api.letsencrypt.org): when certbot switched from ACMEv1 to ACMEv2 it kept using the accounts registered against v1 through this symlink instead of registering new ones. Yes, this server has been using Let's Encrypt certificates for a couple of years already.
Following the white rabbit (the symlink), the directory folder contains two accounts:
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Nov 19 2016 132f0b56b6a5e4432e6aee8a9ae299ce
drwx------ 2 root root 4096 Jul 9 2018 c1e076cc0d1e36461dc8116833c14e31
Taking a closer look at the subfolder names, their first four hex digits match the choices shown in the certbot output above (132f and c1e0). Both accounts are registered for the same ACME server, so certbot has to ask which one to use. Run interactively it would prompt "Please choose an account"; with -n (non-interactive) it cannot prompt, and the question turns into the error "Missing command line flag or config entry for this setting".
There are two ways out. The quick one is to tell certbot which account to use with --account c1e076cc0d1e36461dc8116833c14e31 (the full directory name is the account ID). The permanent one is to remove one of the two accounts from the accounts directory. Two caveats before doing that: each account directory holds the account's private key (private_key.json, next to regr.json and meta.json), so do not simply delete it; and existing renewal configs in /etc/letsencrypt/renewal/*.conf pin an account with an "account = <id>" line, so retiring an account that a renewal config still references breaks "certbot renew" for that certificate. In this situation the older account (132f) from 2016 is moved away and only the account (c1e0) from 2018 is kept. /tmp is used here; if the copy should survive a reboot, pick a root-only location instead:
root@linux ~ # mv /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce/ /tmp/
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 4
drwx------ 2 root root 4096 Jul 9 2018 c1e076cc0d1e36461dc8116833c14e31
And finally certbot was able to issue the certificate:
root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/my.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/my.example.com/privkey.pem
Your cert will expire on 2021-04-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
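Before moving an account directory on a host with many certificate lineages, it is worth checking which account each renewal config references. The following shell script is an added example and not part of the original post or of certbot itself. It assumes certbot's default layout under /etc/letsencrypt (accounts/<acme-server>/directory/<account-id>/ and renewal/*.conf files carrying an "account = <account-id>" line) and builds a constructed copy of this post's tree, including the v02 to v01 symlink and without any real key material, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit certbot's account
# directories against the renewal configs that reference them, so the
# unreferenced duplicate can be retired safely.
#
# Assumed layout (certbot's default):
#   $CONFDIR/accounts/<acme-server>/directory/<account-id>/
#   $CONFDIR/renewal/<lineage>.conf   containing   "account = <account-id>"
# The acme-v02 -> acme-v01 symlink makes every account show up twice in the
# glob, which is why the result is passed through sort -u.
set -u

# Print "<account-id> <number of renewal configs using it>", one per line.
account_usage() {
  confdir="$1"
  for acct_dir in "$confdir"/accounts/*/directory/*/; do
    [ -d "$acct_dir" ] || continue
    id=$(basename "$acct_dir")
    # -l lists the matching conf files, -s stays quiet when renewal/ is empty
    count=$(grep -lsE "^account[[:space:]]*=[[:space:]]*$id" \
              "$confdir"/renewal/*.conf 2>/dev/null | wc -l | tr -d ' ')
    echo "$id $count"
  done | sort -u
}

# Print the account IDs that no renewal config references.
unreferenced_accounts() {
  account_usage "$1" | awk '$2 == 0 { print $1 }'
}

# Constructed sample tree mirroring the post (no real keys), so this runs offline:
# two accounts under the v01 directory, the v02 symlink pointing at it, and two
# renewal configs that both pin the newer (c1e0) account.
make_sample_tree() {
  root="$1"
  v1="$root/accounts/acme-v01.api.letsencrypt.org/directory"
  mkdir -p "$v1/132f0b56b6a5e4432e6aee8a9ae299ce" \
           "$v1/c1e076cc0d1e36461dc8116833c14e31" \
           "$root/accounts/acme-v02.api.letsencrypt.org" \
           "$root/renewal"
  ln -s "$v1" "$root/accounts/acme-v02.api.letsencrypt.org/directory"
  for name in my.example.com www.example.com; do
    printf '[renewalparams]\naccount = c1e076cc0d1e36461dc8116833c14e31\n' \
      > "$root/renewal/$name.conf"
  done
}

# On a real host, run as root:  account_usage /etc/letsencrypt
```

An account that shows a count of 0 is the one that can be moved out of the way (or, for a one-off issuance, the other one is what you pass to --account); every account with a non-zero count must stay in place until the lineages pinned to it have been re-issued under the account you intend to keep.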