Removing redundant Let's Encrypt accounts with Certbot


Every time certbot is run to renew certificates on two particular machines, it lists two accounts and asks which one to use, which is tedious. The extra account was an accident: a new account may have been created unintentionally while obtaining or renewing a certificate, or it may have come from a certbot upgrade, from running certbot as a different user, or something similar. This post shows how to remove redundant Let's Encrypt accounts.

The problem

A Let's Encrypt account is like an account registered with any other online service: it lives in Let's Encrypt's database, and the credentials are kept locally. The first time certbot runs on a machine it offers to create a new account; an account can also be registered explicitly with the certbot register command. Account data is stored under /etc/letsencrypt/accounts. For example, this is what the directory looks like after the steps in this post were carried out:

# This command was not run before the cleanup, so only the state after the redundant accounts were removed can be shown:
$ sudo tree /etc/letsencrypt/accounts/
/etc/letsencrypt/accounts/
├── acme-staging.api.letsencrypt.org
├── acme-staging-v02.api.letsencrypt.org
├── acme-v01.api.letsencrypt.org
│   └── directory
└── acme-v02.api.letsencrypt.org
    └── directory
        └── 65b14deb3d403c39e0ea13af1a54031f
            ├── meta.json
            ├── private_key.json
            └── regr.json

7 directories, 3 files

There are four account types here (one directory per ACME server): acme-staging.api, acme-staging-v02.api, acme-v01.api and acme-v02.api. The one currently in use is acme-v02.api.

The rest of this post walks through the whole process, from finding the problem to fixing it.

Reproducing the problem

# Running certbot prompts for an account
$ sudo certbot
[sudo] password for qiushan:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Please choose an account
-------------------------------------------------------------------------------
1: [email protected]:02:49Z (65b1)
2: [email protected]:44:20Z (def8)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: vps123.top
2: www.vps123.top
... ... (omitted) ... ...
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

Two accounts are listed above. Only the first has been used for a long time; the second is redundant.

Looking for a solution

To see whether there is a command for deleting a redundant account, look at certbot's built-in account-management commands:

$ sudo certbot -h
-------------------------------------------------------------------------------
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
  ... ... (omitted) ... ...

manage certificates:
  ... ... (omitted) ... ...

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

  ... ... (omitted) ... ...
-------------------------------------------------------------------------------

The short help only offers register, update, agreeing to the terms of service and setting an email. There is no command that shows which account a local certificate belongs to, and no command for deleting an account.

Next, list the certificates to see whether they carry the information we need.

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  ... ... (omitted) ... ...
  Certificate Name: vps123.top-0001
    Domains: *.vps123.top
    Expiry Date: 2019-06-22 10:43:59+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/vps123.top-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/vps123.top-0001/privkey.pem
  Certificate Name: vps123.top
    Domains: vps123.top
    Expiry Date: 2019-06-22 10:41:31+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/vps123.top/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/vps123.top/privkey.pem
  ... ... (omitted) ... ...
-------------------------------------------------------------------------------

The command prints each certificate's domains, expiry date and file paths, but not which account obtained it.

The solution

A Google search turned up an answer to this question on the official community forum: the following shell script produces the missing information, by looking up each account ID in the renewal configuration files under /etc/letsencrypt/renewal/ and printing the domains of each matching certificate.

#!/usr/bin/env bash
# One directory per ACME server under /etc/letsencrypt/accounts/
for i in $(ls -d /etc/letsencrypt/accounts/*/);do
  # strip the trailing slash; the 5th path component is the server hostname
  accounttype=$(echo ${i%%/} | cut -d '/' -f5)
  echo "### Account Type: $accounttype ###"
  echo ""
  # One directory per account ID under <server>/directory/
  for x in $(ls -d /etc/letsencrypt/accounts/$accounttype/directory/*/);do
    accountid=$(echo ${x%%/} | cut -d '/' -f7)
    echo "    Account ID: $accountid"
    # Every renewal conf records the account that obtained its certificate
    certificates=$(grep -l "$accountid" /etc/letsencrypt/renewal/*.conf)
    for z in $certificates;do
      echo "        Domains associated to renewal conf file $(echo "$z" | cut -d '/' -f5)"
      # Read the certificate path from the conf and extract its SAN entries
      certfile=$(grep 'cert =' $z | cut -d ' ' -f3)
      domains=$(openssl x509 -in $certfile -noout -text | grep 'DNS:' | sed 's/^[ \t]*//;s/[ \t]*$//' | sed 's/DNS://g')
      echo "            $domains"
      echo ""
    done
  done
  echo ""
done

Following the forum post's instructions:

# Save the script above to a file
$ vim mcert.sh
# Make it executable
$ chmod a+x mcert.sh
# Run it; the output is as follows
$ sudo ./mcert.sh
### Account Type: acme-staging.api.letsencrypt.org ###

    Account ID: b9372ad5c78e80a8da29b8a6f969719d

### Account Type: acme-v01.api.letsencrypt.org ###

    Account ID: d4f885ffb7cd24eefe43a2e212916f28
        Domains associated to renewal conf file example.com.conf
            example.com

### Account Type: acme-v02.api.letsencrypt.org ###

    Account ID: 65b14deb3d403c39e0ea13af1a54031f
    ... ... (omitted) ... ...
        Domains associated to renewal conf file vps123.top-0001.conf
            *.vps123.top

        Domains associated to renewal conf file vps123.top.conf
            vps123.top
    ... ... (omitted) ... ...
    Account ID: d4f885ffb7cd24eefe43a2e212916f28
        Domains associated to renewal conf file example.com.conf
            example.com

It turns out there are four accounts. The two shown when certbot was first run were the ones under acme-v02, namely 65b14deb3d403c39e0ea13af1a54031f and d4f885ffb7cd24eefe43a2e212916f28. Next, remove d4f885ffb7cd24eefe43a2e212916f28 and the one under acme-staging:

$ sudo certbot unregister --account d4f885ffb7cd24eefe43a2e212916f28
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Are you sure you would like to irrevocably deactivate your account?
-------------------------------------------------------------------------------
(D)eactivate/(A)bort: d

IMPORTANT NOTES:
 - Account deactivated.

# The staging account needs the --staging flag as well
$ sudo certbot unregister --account b9372ad5c78e80a8da29b8a6f969719d --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Are you sure you would like to irrevocably deactivate your account?
-------------------------------------------------------------------------------
(D)eactivate/(A)bort: d

IMPORTANT NOTES:
 - Account deactivated.

The output confirms the accounts were deactivated. Running certbot again no longer prompts for an account:

$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: vps123.top
2: www.vps123.top
... ... (omitted) ... ...
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.
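The forum script above prints the account-to-certificate mapping and leaves the reader to work out which accounts are safe to deactivate. The shell function below is an added example, not part of the original post or the forum script: it walks the same /etc/letsencrypt/accounts and /etc/letsencrypt/renewal layout but reduces the output to the one fact the decision needs, whether any renewal conf still references each account ID (certbot renew uses that account) or none does (a candidate for certbot unregister). It matches the `account = <id>` line that certbot writes into each renewal conf rather than grepping for the bare ID, and it runs offline against a constructed throwaway config tree whose account IDs and conf names are made up; point account_usage at /etc/letsencrypt to inspect a real host.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the forum script.
# Report, per ACME server, which account IDs are referenced by a renewal
# conf and which are not. Output, one line per account:
#   <server> <account-id> in-use <conf> [<conf> ...]
#   <server> <account-id> unused

account_usage() {
    root="${1:-/etc/letsencrypt}"
    for typedir in "$root"/accounts/*/; do
        [ -d "$typedir" ] || continue            # unmatched glob stays literal
        server=$(basename "$typedir")
        for accdir in "$typedir"directory/*/; do
            [ -d "$accdir" ] || continue
            id=$(basename "$accdir")
            refs=""
            # certbot records the owning account in each renewal conf as
            # "account = <id>"; match that line, not the bare id anywhere
            for conf in "$root"/renewal/*.conf; do
                [ -f "$conf" ] || continue
                if grep -q "^account *= *${id}\$" "$conf"; then
                    refs="$refs $(basename "$conf")"
                fi
            done
            if [ -n "$refs" ]; then
                printf '%s %s in-use%s\n' "$server" "$id" "$refs"
            else
                printf '%s %s unused\n' "$server" "$id"
            fi
        done
    done
}

# Number of accounts the report flags as unused, i.e. candidates for
# `certbot unregister --account <id>` (add --staging for staging servers).
unused_count() {
    account_usage "$1" | grep -c ' unused$' || true
}

# Constructed throwaway config tree with made-up IDs and names, so the
# function can be exercised without touching /etc/letsencrypt.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/accounts/acme-v02.api.letsencrypt.org/directory/aaaa1111" \
             "$d/accounts/acme-v02.api.letsencrypt.org/directory/bbbb2222" \
             "$d/accounts/acme-staging-v02.api.letsencrypt.org/directory/cccc3333" \
             "$d/renewal"
    printf 'account = aaaa1111\ncert = %s/live/alpha.test/cert.pem\n' "$d" > "$d/renewal/alpha.test.conf"
    printf 'account = aaaa1111\ncert = %s/live/beta.test/cert.pem\n' "$d" > "$d/renewal/beta.test.conf"
    echo "$d"
}

# Demo run on the constructed tree; swap in /etc/letsencrypt on a real host.
demo=$(make_fixture)
account_usage "$demo"
rm -rf "$demo"
```

On the constructed tree the report marks aaaa1111 as in-use by alpha.test.conf and beta.test.conf and the other two IDs as unused. An account that is still referenced can be deactivated anyway, as the post does with d4f885ffb7cd24eefe43a2e212916f28, but the renewal confs that name it then point at a deactivated account, so the in-use column is the check worth making before running certbot unregister.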

Other notes

A bonus found on the forum: crt.sh shows the complete record of certificates issued for a domain, for example this site's: https://crt.sh/?q=vps123.top


This post was last modified 1 year ago (2019-05-22)
