用Certbot删除多余的Let’s Encrypt账户

每次在某两台机器上运行certbot更新证书，都会列出两个账户并提示选择，比较费事。产生多个账户是意外，可能是某次获取/更新证书时不小心建立了新账户，或者certbot程序更新/以不同用户运行certbot命令等原因导致的。本文演示如何删除多余的Let's Encrypt账户。

提出问题

Let’s Encrypt账户跟我们在其它网络服务处注册的账户类似，都是存储在Let’s Encrypt的数据库中，并在本地保存了凭证。若是初次在一台机器上运行certbot，会提示建立新账户；通过certbot register命令也可以显式地注册一个账户。账户信息都保存在/etc/letsencrypt/account目录下，比如下面是参照本文操作完成后的目录情况：

# 因为操作前没有运行此命令，所以只能演示删除冗余账户后的情形：
qiushan@topvps:~$ sudo tree /etc/letsencrypt/accounts/
/etc/letsencrypt/accounts/
├── acme-staging.api.letsencrypt.org
├── acme-staging-v02.api.letsencrypt.org
├── acme-v01.api.letsencrypt.org
│   └── directory
└── acme-v02.api.letsencrypt.org
    └── directory
        └── 65b14deb3d403c39e0ea13af1a54031f
            ├── meta.json
            ├── private_key.json
            └── regr.json

7 directories, 3 files

有acme-staging.api、acme-staging-v02.api、acme-v01.api、acme-v02.api四种类型的账户，当前使用的acme-v02.api。

下面演示从发现问题到解决问题的全过程。

重现问题

# 运行certbot提示选择账户
qiushan@topvps:~$ sudo certbot
[sudo] password for qiushan:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: topvps@2018-05-21T15:02:49Z (65b1)
2: localhost@2018-01-30T09:44:20Z (def8)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: vps123.top
2: www.vps123.top
... ... 省略 ... ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

上面显示了两个账户，不过很久以来都只用第一个，第二个是多余的。

探索方案

看是否有命令可删除多余的账户，查看certbot内置的与账户管理相关的命令：

qiushan@topvps:~$ sudo certbot -h

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
... ... 省略 ... ...
manage certificates:
... ... 省略 ... ...
manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications
... ... 省略 ... ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

只有注册、更新、同意服务条款、email设定几项，没有命令可以获取账户和本地证书的关系，也没有命令可以删除账户。

列出证书看看，看是否有需要的信息。

qiushan@topvps:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
... ... 省略 ... ...
  Certificate Name: vps123.top-0001
    Domains: *.vps123.top
    Expiry Date: 2019-06-22 10:43:59+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/vps123.top-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/vps123.top-0001/privkey.pem
  Certificate Name: vps123.top
    Domains: vps123.top
    Expiry Date: 2019-06-22 10:41:31+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/vps123.top/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/vps123.top/privkey.pem
... ... 省略 ... ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

命令输出了证书的域名、到期时间、路径，但没有显示其是由哪个账户获取的。

正确答案

Google发现官方论坛上有关于此问题解答，运行以下shell脚本可获取所需的信息：

#!/usr/bin/env bash
for i in $(ls -d /etc/letsencrypt/accounts/*/);do
    accounttype=$(echo ${i%%/} | cut -d '/' -f5)
    echo "### Account Type: $accounttype ###"
    echo ""
    for x in $(ls -d /etc/letsencrypt/accounts/$accounttype/directory/*/);do
        accountid=$(echo ${x%%/} | cut -d '/' -f7)
        echo "  Account ID: $accountid"
        certificates=$(grep -l "$accountid" /etc/letsencrypt/renewal/*.conf)
            for z in $certificates;do
                echo "    Domains associated to renewal conf file $(echo "$z" | cut -d '/' -f5)"
                certfile=$(grep 'cert =' $z | cut -d ' ' -f3)
                domains=$(openssl x509 -in $certfile -noout -text | grep 'DNS:' | sed 's/^[ \t]*//;s/[ \t]*$//' | sed 's/DNS://g')
                echo "    $domains"
                echo ""
            done
    done
    echo ""
done

下面按照论坛帖子的指导操作：

# 编辑一个脚本写入上述内容
qiushan@topvps:~$ vim mcert.sh
# 添加可执行权限
qiushan@topvps:~$ chmod a+x mcert.sh
# 运行脚本，结果如下
qiushan@topvps:~$ sudo ./mcert.sh
### Account Type: acme-staging.api.letsencrypt.org ###

  Account ID: b9372ad5c78e80a8da29b8a6f969719d

### Account Type: acme-v01.api.letsencrypt.org ###

  Account ID: d4f885ffb7cd24eefe43a2e212916f28
    Domains associated to renewal conf file example.com.conf
    example.com


### Account Type: acme-v02.api.letsencrypt.org ###

  Account ID: 65b14deb3d403c39e0ea13af1a54031f
  ... ... 省略 ... ...
    Domains associated to renewal conf file vps123.top-0001.conf
    *.vps123.top

    Domains associated to renewal conf file vps123.top.conf
    vps123.top
  ... ... 省略 ... ...
  Account ID: d4f885ffb7cd24eefe43a2e212916f28
    Domains associated to renewal conf file example.com.conf
    example.com

发现竟然有4个账户，最开始运行certbot命令时显示的是acme-v02这个类型下的两个，即65b14deb3d403c39e0ea13af1a54031f和d4f885ffb7cd24eefe43a2e212916f28，下面删除d4f885ffb7cd24eefe43a2e212916f28和acme-staging下的那个：

qiushan@topvps:~$ sudo certbot unregister --account d4f885ffb7cd24eefe43a2e212916f28
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Are you sure you would like to irrevocably deactivate your account?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(D)eactivate/(A)bort: d

IMPORTANT NOTES:
 - Account deactivated.
# 删除staging的要加 --staging 参数
qiushan@topvps:~$ sudo certbot unregister --account b9372ad5c78e80a8da29b8a6f969719d --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Are you sure you would like to irrevocably deactivate your account?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(D)eactivate/(A)bort: d

IMPORTANT NOTES:
 - Account deactivated.

结果显示删除成功了，再次运行certbot，不再提示选择账户了：

qiushan@topvps:~$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: vps123.top
2: www.vps123.top
... ... 省略 ... ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

其它

在论坛发现一个彩蛋，就是在crt.sh这个站可以看到一个域名申请证书的全部记录，比如本站的：https://crt.sh/?q=vps123.top

参考资料

• Delete duplicate account on server?
• Unregister account

-- EOF --

本文最后修改于5年前 (2019-05-22)

(No Ratings Yet)

读取中...