Using certbot 1.26.0.

Due to moving some certificate configurations to another server and creating new ones, I now have two accounts. That was not intended and I think I don't need two accounts.

All renewal files (in /etc/letsencrypt/renewal) contain server = https://acme-v02.api.letsencrypt.org/directory and are all of the same kind (nginx configurations, where just the domain differs).

So, is it safe to call certbot unregister for one account and change the account id in the renewal files to the other id, so that all certificate configuration and renewals work with the single remaining account?

I'm asking since I don't want to destroy anything. And also I'd like to know what the account actually is. What is the account for and is there anything stored at the server? I just saw in the log file that POST https://acme-v02.api.letsencrypt.org/acme/acct/46643438 was done. I don't know what is happening here. So I could imagine changing the account id of a certificate could be problematic, if the letsencrypt server has anything stored about my certificates.

robsch

1 Answer

I had the same/similar question and was not able to find a good answer (I have multiple accounts across different servers). In the end I decided to rather simply change the email address for the accounts in question to all be the same, using certbot update_account -m you@example.com, thereby avoiding any potential problems that unregistering might cause.

Certbot tracks accounts to some extent at /etc/letsencrypt/accounts, in addition to the renewal config files, and the CLI doesn't offer a way to change the account that's in use, which is why I decided to play it safe. I don't know what it will do in your case if it finds an account in a renewal config file that it isn't already "aware" of, or what will happen if you simply change the account there.

As to what an account actually is: I'm not 100% sure, but I believe it only stores your email address and some basic details about your certificates in order to send expiry notifications. Also see the part of this answer that talks about accounts.

You could always just unregister the old account(s), ditch the old certificates/config and issue new ones if you really wanted to consolidate everything under one account, but there doesn't seem to be any real benefit, and not doing so might save a bunch of effort and potential headaches.

maltem-za
  • 121
  • 4
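Before unregistering anything or editing renewal files, it helps to see which account each certificate lineage references and whether that account's local data exists under /etc/letsencrypt/accounts. The read-only inventory below is an added example, not part of the question or the answer; it assumes certbot's default layout, where each renewal file carries an `account` key in its `[renewalparams]` section and each account directory contains a `regr.json` file.

```python
import sys
from collections import defaultdict
from pathlib import Path


def renewal_params(conf: Path) -> dict:
    """Read key = value pairs from the [renewalparams] section of a renewal file."""
    params, in_section = {}, False
    for raw in conf.read_text().splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[renewalparams]"
        elif in_section and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def audit(config_dir) -> dict:
    """Group lineages by account id and compare with the accounts directory."""
    root = Path(config_dir)
    used = defaultdict(list)  # account id -> lineage names
    for conf in sorted((root / "renewal").glob("*.conf")):
        account = renewal_params(conf).get("account", "<none>")
        used[account].append(conf.stem)
    # Assumed layout: accounts/<server host>/<directory path>/<account id>/regr.json
    on_disk = {p.parent.name for p in (root / "accounts").rglob("regr.json")}
    return {
        "lineages_by_account": dict(used),
        # Referenced by a renewal file, but no local account data on this host.
        "missing_on_disk": sorted(set(used) - on_disk),
        # Present locally, but no renewal file on this host depends on it.
        "unreferenced": sorted(on_disk - set(used)),
    }


if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt")
    for account, names in report["lineages_by_account"].items():
        print(f"{account}: {', '.join(names)}")
    print("referenced but not on disk:", report["missing_on_disk"] or "none")
    print("on disk but unreferenced:", report["unreferenced"] or "none")
```

An account listed as unreferenced is only unreferenced on the host where the script runs; another server may still renew with it.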