While trying to automate SSL certificate deployment for haproxy I ran into trouble with test runs, because certbot --dry-run uses a different account. As I couldn't find a direct way to list all accounts, here's how to achieve that anyway (with some extra work).
By default certbot show_account lists my official API account:
linux # certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-v02.api.letsencrypt.org/directory:
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/23456789
Account Thumbprint: 123456789012345678901234567890
Email contact: marcel@mydomain.de
However, when testing certificate renewal, the challenge (which is based on the ACME account fingerprint) fails:
linux # certbot renew --cert-name haproxy.mydomain.de --dry-run
<...>
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: eduvpn-node1.linux-ng.de
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "SjBZqzI1XY8_oibVNvB07Zzlx3ETEXbe7WYsEKfEES8.098765432109876543210987654321" (got "SjBZqzI1XY8_oibVNvB07Zzlx3ETEXbe7WYsEKfEES8.123456789012345678901234567890")
Taking a look into the log file /var/log/letsencrypt/letsencrypt.log showed that in --dry-run mode a different Let's Encrypt URL (and therefore a different account and fingerprint) is used (mind the -staging- in the URL):
linux # grep ^Link /var/log/letsencrypt/letsencrypt.log
<...>
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
So how do we get the fingerprint for this account?
First of all we have a look at the certbot/letsencrypt config directory. There's a subdirectory called accounts:
linux # ls -l /etc/letsencrypt/accounts/
total 0
drwx------ 1 root root 18 Sep 29 09:52 acme-staging-v02.api.letsencrypt.org
drwx------ 1 root root 18 Sep 21 08:22 acme-v02.api.letsencrypt.org
This looks familiar, but there's nothing noted here about certbot options to get the corresponding fingerprints. A web search, however, revealed the option --server, which expects a specific URL format: starting with https:// and ending in /directory (without the suffix no account is found):
linux # certbot show_account --server https://acme-staging-v02.api.letsencrypt.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find an existing account for server https://acme-staging-v02.api.letsencrypt.org.
root@srv3:/mnt/tools/certbot# certbot show_account --server https://acme-staging-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-staging-v02.api.letsencrypt.org/directory:
Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/87654321
Account Thumbprint: 098765432109876543210987654321
Email contact: none
So staging and production servers use different accounts with different fingerprints. In order to support both we need to make them available via haproxy.
The problem, however: do the challenge requests from the production and staging servers differ in any way? Haproxy can only return one value, but needs to know which one is the correct one … still investigating …
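As an added example (not part of the original post or of certbot): the thumbprint certbot prints is the RFC 7638 thumbprint of the account key, and the value the CA expects in the key authorization file is <token>.<thumbprint> (RFC 8555 §8.1). The script below walks the accounts directory shown above, computes the thumbprint of every stored account key (assuming certbot's usual layout <server>/directory/<id>/private_key.json under /etc/letsencrypt/accounts), and can tell which server an "Expected …"/"got …" key authorization from the renewal error belongs to. SAMPLE_JWK is a constructed dummy, not a real key.

```python
import base64
import hashlib
import json
from pathlib import Path

# Constructed dummy JWK (not a real key): only its shape matters for the thumbprint logic.
SAMPLE_JWK = {"kty": "RSA", "n": "dummy-modulus", "e": "AQAB", "d": "dummy-private-exponent"}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, lexicographically sorted,
    no whitespace, SHA-256, base64url. Private members such as 'd' never take part."""
    if jwk["kty"] == "RSA":
        members = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif jwk["kty"] == "EC":
        members = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError(f"unsupported kty {jwk['kty']!r}")
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 response body (RFC 8555 section 8.1): <token>.<thumbprint>."""
    return f"{token}.{thumbprint(jwk)}"

def list_account_thumbprints(accounts_dir: str = "/etc/letsencrypt/accounts") -> dict:
    """Map each ACME server directory under accounts/ to the thumbprints of the account
    keys stored there (assumed certbot layout: <server>/directory/<id>/private_key.json)."""
    result: dict = {}
    for key_file in sorted(Path(accounts_dir).glob("*/directory/*/private_key.json")):
        server = key_file.parents[2].name
        result.setdefault(server, []).append(thumbprint(json.loads(key_file.read_text())))
    return result

def server_for_key_authorization(keyauth: str, by_server: dict):
    """Given a key authorization from a challenge error ('Expected ...' / 'got ...'),
    name the server whose account thumbprint it ends with, or None if unknown."""
    suffix = keyauth.rpartition(".")[2]
    return next((s for s, tps in by_server.items() if suffix in tps), None)

if __name__ == "__main__":
    for server, tps in list_account_thumbprints().items():
        print(server, *tps)
```

Run it as root on the certbot host to list the production and staging thumbprints side by side; the "Expected" value in the renewal error should then resolve to the staging directory and the "got" value to the production one.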