Certbot unable to issue certificate, instead asks for 'Please choose an account'
When trying to add a new Let's Encrypt TLS certificate, certbot failed with the following error message:
root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['linux.example.com@2018-07-09T07:25:33Z (c1e0)', 'tomcat.example.com@2016-11-19T03:03:53Z (132f)']
This has worked in the past, so why would it stop now? Let's dig into certbot's account storage, which by default lives in /etc/letsencrypt/accounts/:
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
lrwxrwxrwx 1 root root 64 Jan  1  2020 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory -> /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory
The path for the current Let's Encrypt API endpoint (acme-v02.api.letsencrypt.org) is what certbot looks at. As you can see above, it is only a symlink pointing at the old ACMEv1 endpoint's directory (acme-v01.api.letsencrypt.org), so the account(s) registered back then are still the ones in use. Yes, this server has been using Let's Encrypt certificates for a couple of years already.
Following the white rabbit (the symlink), the directory folder contains two accounts:
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 8
drwx------ 2 root root 4096 Nov 19  2016 132f0b56b6a5e4432e6aee8a9ae299ce
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31
Taking a closer look at the subfolder names, they match the choices shown in the certbot output from above (132f and c1e0). Certbot found two registered accounts for the same ACME server and needs to be told which one to use. Interactively it would prompt for this; because the command runs with -n (non-interactive), it cannot ask and aborts with "Missing command line flag or config entry for this setting" instead. Passing the desired ID explicitly with --account would also work, but having two accounts on one server serves no purpose here.
The simplest fix is therefore to remove one of the two accounts. In this situation the older account (132f) from 2016 is moved away and only the account (c1e0) from 2018 is kept. Moving rather than deleting is deliberate: the renewal configurations in /etc/letsencrypt/renewal/*.conf record the account ID each certificate was issued under (the account = line in [renewalparams]), and a certificate still tied to the removed account would fail to renew until that line is updated or the account is restored.
root@linux ~ # mv /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/132f0b56b6a5e4432e6aee8a9ae299ce/ /tmp/
root@linux ~ # ls -la /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/
total 4
drwx------ 2 root root 4096 Jul  9  2018 c1e076cc0d1e36461dc8116833c14e31
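Before retiring an account it is worth checking which renewal configurations still reference it. The following script is an added example, not part of the original post or of certbot itself: it inventories the account directories for an ACME server (following the v02 -> v01 symlink as certbot does) and counts the renewal configs that name each account ID. The directory tree it inspects is constructed in a temporary location with the two account IDs from this post and two made-up renewal configs; point the functions at /etc/letsencrypt to run it against a real installation.

```shell
#!/bin/sh
# Added example: find duplicate certbot accounts and which renewals use them.
# Not certbot code. The sample tree built below is constructed for the demo.
set -eu

# Build a constructed /etc/letsencrypt-like tree mirroring the post's layout:
# a v02 directory that is a symlink to the v01 one holding two accounts, plus
# two renewal configs, each pinned to one of the accounts.
make_sample_tree() {
  root=$1
  acc="$root/accounts/acme-v01.api.letsencrypt.org/directory"
  mkdir -p "$acc/132f0b56b6a5e4432e6aee8a9ae299ce" \
           "$acc/c1e076cc0d1e36461dc8116833c14e31" \
           "$root/accounts/acme-v02.api.letsencrypt.org" \
           "$root/renewal"
  ln -s "$acc" "$root/accounts/acme-v02.api.letsencrypt.org/directory"
  printf '[renewalparams]\naccount = c1e076cc0d1e36461dc8116833c14e31\n' \
    > "$root/renewal/my.example.com.conf"
  printf '[renewalparams]\naccount = 132f0b56b6a5e4432e6aee8a9ae299ce\n' \
    > "$root/renewal/old.example.com.conf"
}

# Print the account IDs (directory names) registered for one ACME server.
# The trailing slash in the glob follows the symlink like certbot does.
list_accounts() {
  root=$1; server=$2
  for d in "$root/accounts/$server/directory"/*/; do
    [ -d "$d" ] && basename "$d"
  done
}

# Number of renewal configs whose [renewalparams] pin the given account ID.
renewals_using() {
  root=$1; id=$2
  grep -l "^account *= *$id" "$root"/renewal/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# Human-readable report: one line per account, flagging those no renewal
# references (safe candidates to move out of the way).
report() {
  root=$1; server=$2
  list_accounts "$root" "$server" | while IFS= read -r id; do
    n=$(renewals_using "$root" "$id")
    if [ "$n" = "0" ]; then
      echo "$id: referenced by 0 renewal configs (unreferenced, safe to move)"
    else
      echo "$id: referenced by $n renewal config(s)"
    fi
  done
}

# Demo against the constructed tree (replace with /etc/letsencrypt for real use).
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp"
  echo "Accounts for acme-v02.api.letsencrypt.org in $tmp:"
  report "$tmp" acme-v02.api.letsencrypt.org
  rm -rf "$tmp"
}

demo
```

If an account you intend to remove is still referenced, either re-point those renewal configs to the surviving account ID or run certbot with --account for the affected certificates; otherwise `certbot renew` will fail for them after the move.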
And finally certbot was able to issue the certificate:
root@linux ~ # /usr/bin/certbot -n --webroot -w /var/www/letsencrypt/ certonly -d my.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.example.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/my.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/my.example.com/privkey.pem
   Your cert will expire on 2021-04-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le