Let's Encrypt certbot unable to issue certificate, missing command line flag (Please choose an account)


Published on January 6th 2021 - Listed in LTS Security Linux


When trying to add a new Let’s Encrypt certificate, certbot failed with the following error message:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['linux.example.com@2018-07-09T07:25:33Z (c1e0)', 'tomcat.example.com@2016-11-19T03:03:53Z (132f)']

This had worked in the past, so why not anymore? Let's dig into the account structure certbot keeps for Let's Encrypt. By default it lives under /etc/letsencrypt/accounts/:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
lrwxrwxrwx 1 root root 64 Jan  1  2020 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

The directory for the current Let's Encrypt API endpoint (acme-v02.api.letsencrypt.org) is a symlink to the directory for the old endpoint (acme-v01.api.letsencrypt.org), so the accounts registered against the v1 API are reused for v2. Yes, this server has been using Let's Encrypt certificates for a couple of years already.

Following the white rabbit (the symlink), the directory folder contains two accounts:

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Nov 19  2016 132f0b56b6a5e4432e6aee8a9ae299ce
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

The subfolder names match the choices in the certbot output above (132f and c1e0 are the first four characters of each account id). Certbot found two registered accounts for the same ACME server and could not decide which one to use. Interactively it would prompt for a choice, but with -n (non-interactive) it aborts with the "Missing command line flag or config entry" error instead.
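Before deleting anything it is worth knowing which account each existing certificate was issued under, because every renewal config in /etc/letsencrypt/renewal/ carries an "account = <id>" line. The following POSIX shell script is an added example and not part of the original post or of certbot: it inventories account directories per ACME server (flagging the v02 -> v01 symlink), counts how many accounts certbot will see for a server (more than one, combined with -n, is exactly this error), and lists the renewal configs that still reference a given account id. Instead of touching /etc/letsencrypt it builds a constructed copy of the layout shown in the post under a temp directory, with made-up renewal configs and no real keys; the hostnames old.example.com and my.example.com in those configs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of certbot: inventory
# certbot accounts before removing one. Assumes the default layout
#   $LE_DIR/accounts/<acme-server>/directory/<account-id>/
#   $LE_DIR/renewal/<cert-name>.conf   (contains "account = <account-id>")
# and builds a throwaway copy of that layout under a temp dir (constructed
# data, no real keys) so it never touches /etc/letsencrypt.
set -u

# make_fixture DIR: recreate the layout seen in the post under DIR.
make_fixture() {
    v01="$1/accounts/acme-v01.api.letsencrypt.org/directory"
    v02="$1/accounts/acme-v02.api.letsencrypt.org"
    mkdir -p "$v01/132f0b56b6a5e4432e6aee8a9ae299ce" \
             "$v01/c1e076cc0d1e36461dc8116833c14e31" \
             "$v02" "$1/renewal"
    # v02 is a symlink to the old v01 account store, as on the post's server
    ln -s "$v01" "$v02/directory"
    # Constructed renewal configs (hostnames assumed): one cert per account
    printf '[renewalparams]\naccount = c1e076cc0d1e36461dc8116833c14e31\n' \
        > "$1/renewal/my.example.com.conf"
    printf '[renewalparams]\naccount = 132f0b56b6a5e4432e6aee8a9ae299ce\n' \
        > "$1/renewal/old.example.com.conf"
}

# count_accounts DIR SERVER: number of account ids certbot will see for
# SERVER. More than one, together with -n, produces "Please choose an account".
count_accounts() {
    n=0
    for d in "$1/accounts/$2/directory"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# renewals_using DIR ID: renewal configs that reference account ID.
# Anything listed here breaks "certbot renew" once ID is removed.
renewals_using() {
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        grep -q "^account *= *$2" "$conf" && basename "$conf" .conf
    done
    return 0
}

# list_accounts DIR: one line per server/account with the certs using it.
list_accounts() {
    for dir in "$1"/accounts/*/directory; do
        server=$(basename "$(dirname "$dir")")
        link=""
        [ -L "$dir" ] && link=" (symlink -> $(readlink "$dir"))"
        for acct in "$dir"/*/; do
            [ -d "$acct" ] || continue
            id=$(basename "$acct")
            used=$(renewals_using "$1" "$id" | tr '\n' ' ')
            printf '%s%s %s used_by: %s\n' "$server" "$link" "$id" "${used:-<none>}"
        done
    done
}

# Demo: build the fixture, inventory it, remove the 2016 account the way the
# post does, and show which renewal config now points at a missing account.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    list_accounts "$tmp"
    echo "accounts for v02 before: $(count_accounts "$tmp" acme-v02.api.letsencrypt.org)"
    mv "$tmp/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce" "$tmp/"
    echo "accounts for v02 after:  $(count_accounts "$tmp" acme-v02.api.letsencrypt.org)"
    echo "renewals still referencing removed account: $(renewals_using "$tmp" 132f0b56b6a5e4432e6aee8a9ae299ce)"
    rm -rf "$tmp"
fi
```

Run it as `sh inventory.sh demo`. Against a real server, call `list_accounts /etc/letsencrypt` as root instead of building the fixture; any account whose used_by column is not `<none>` is still needed for renewals and should not simply be moved away.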

The quickest fix is to leave only one account per ACME server. Here the older account (132f) from 2016 is moved away and only the 2018 account (c1e0) is kept. Two caveats before doing this on your own server: the account directory holds that account's private key, so move it to a persistent backup location rather than /tmp (which is typically emptied on reboot); and check /etc/letsencrypt/renewal/*.conf for an "account = 132f..." line, because a certificate issued under the removed account will fail to renew until that line points at the remaining account. Alternatively, keep both accounts and pass --account c1e076cc0d1e36461dc8116833c14e31 to certbot, which supplies the command line flag the error message asks for.

root@linux ~ # mv /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce/ /tmp/

root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 4
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31

And finally certbot was able to issue the certificate:

root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

