Lets Encrypt certbot unable to issue certificate, missing command line (Please choose an account)

Written by - 2 comments

Published on - Listed in TLS SSL Security Linux


When trying to add a new Let’s Encrypt certificate, certbot failed with the following error message:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['linux.example.com@2018-07-09T07:25:33Z (c1e0)', 'tomcat.example.com@2016-11-19T03:03:53Z (132f)']

This has worked in the past, why would it not anymore? Let’s dig into the account structure of Let’s Encrypt. This can be found (by default) in /etc/letsencrypt/accounts/:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
lrwxrwxrwx 1 root root 64 Jan  1  2020 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

Here the current Let’s Encrypt API domain (acme-v02.api.letsencrypt.org) is used. And as you can see above, there is a symlink to the old API domain (acme-v01.api.letsencrypt.org). Yes, this server has been using Let’s Encrypt certificates for a couple of years already.

Following the white rabbit (the symlink), the directory folder contains two accounts:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Nov 19  2016 132f0b56b6a5e4432e6aee8a9ae299ce
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

Taking a closer look at the subfolder names, they match the choices shown in the certbot output from above (132f and c1e0). Somehow certbot got confused which account it should use to issue the new certificate.

This can be easily solved by removing one of the two accounts. In this situation the older account (132f) from 2016 is moved and only the account (c1e0) from 2018 is kept:

root@linux ~ # mv /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce/ /tmp/

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 4
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

And finally certbot was able to issue the certificate:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Add a comment

Show form to leave a comment

Comments (newest first)

Brandon from wrote on Oct 19th, 2023:

Fixed my issue, thank you!


Khalid KHan from Australia wrote on Dec 19th, 2022:

Thanks mate, this helped resolving my issue.


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder