Switching CAs #531

Closed
opened 2025-12-29 01:26:50 +01:00 by adam · 2 comments

Originally created by @kousu on GitHub (Apr 20, 2021).

Dehydrated doesn't record which CA an account was registered with, and if you switch CAs it refuses to let you re-register:

```
# apt-get install dehydrated
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  dehydrated
0 upgraded, 1 newly installed, 0 to remove and 30 not upgraded.
Need to get 0 B/81.0 kB of archives.
After this operation, 193 kB of additional disk space will be used.
Selecting previously unselected package dehydrated.
(Reading database ... 107403 files and directories currently installed.)
Preparing to unpack .../dehydrated_0.6.5-1_all.deb ...
Unpacking dehydrated (0.6.5-1) ...
Setting up dehydrated (0.6.5-1) ...
Processing triggers for man-db (2.9.1-1) ...

# cat /etc/dehydrated/config 
#############################################################
# This is the main config file for dehydrated               #
#                                                           #
# This is the default configuration for the Debian package. #
# To see a more comprehensive example, see                  #
# /usr/share/doc/dehydrated/examples/config                 #
#                                                           #
# For details please read:                                  #
# /usr/share/doc/dehydrated/README.Debian                   #
#############################################################

CONFIG_D=/etc/dehydrated/conf.d
BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"

# echo 'CA="https://acme-staging-v02.api.letsencrypt.org/directory"' > /etc/dehydrated/conf.d/staging
# dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config

+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!

# rm /etc/dehydrated/conf.d/staging
# dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
```

Would this be better handled by detecting the situation and warning the user that the old account needs to be manually deleted, or keeping a subdir of accounts, sorted by CA?

adam closed this issue 2025-12-29 01:26:50 +01:00

@txr13 commented on GitHub (Apr 20, 2021):

Dehydrated absolutely **does** record which CA an account was registered with. Specifically, it hashes (using base64) the CA URL and places the account files under that directory.

I've seen this in action on my own systems during migration from LE's ACMEv1 endpoint to the ACMEv2 endpoint. The same account worked during that migration, which dehydrated handled by creating a new account directory as a symlink to the old account directory, so the same account files could be reused. This, however, is special logic added for a migration, and requires setting the `OLDCA` configuration value; if you're just changing the `CA` value, a new directory will be added for the new CA's account files.

I suspect your issue is caused by an incorrect config file. Specifically, if I read the dehydrated code from the 0.6.5 release, I can see that it's only checking for files in `CONFIG_D` which match the pattern `*.sh`. Your staging file doesn't match that pattern.


@kousu commented on GitHub (Apr 20, 2021):

Oh! You're totally right. Thank you for the clarification. I'm not that concerned about migrating, I'm happy to just throw out the old keys and use fresh ones. `.sh` was the missing piece. Oops!

```
# tree /etc/dehydrated
/etc/dehydrated
├── conf.d
├── config
└── domains.txt

1 directory, 2 files
# echo 'CA="https://acme-staging-v02.api.letsencrypt.org/directory"' > /etc/dehydrated/conf.d/staging.sh
# dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/staging.sh
+ Generating account key...

+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
# rm /etc/dehydrated/conf.d/staging.sh
# dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
# ls -l /var/lib/dehydrated/accounts/
total 8
drwx------ 2 root root 4096 Apr 20 12:50 aHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvZGlyZWN0b3J5Cg
drwx------ 2 root root 4096 Apr 20 12:50 aHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo
```
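To make the two findings in this thread concrete (per-CA account directories named from the base64 of the CA URL, and `CONFIG_D` drop-ins only being read when they match `*.sh`), here is an added shell example that is not dehydrated's own code. It assumes dehydrated feeds the CA URL through `echo` (so a trailing newline is encoded) and strips the `=` padding, which the two directory names in the listing above bear out; the URL-safe `+/` to `-_` substitution is an assumption that does not affect those two names.

```shell
#!/bin/sh
# Added example, not part of the dehydrated project.

# Reproduce the account directory name for a CA URL: base64 of the URL plus
# a trailing newline (as echo would print it), newlines removed, '=' padding
# stripped, and '+/' mapped to '-_' (assumed URL-safe variant).
account_dir_for_ca() {
    printf '%s\n' "$1" | base64 | tr -d '\n\r' | sed -e 's/=*$//' -e 'y:+/:-_:'
}

# List regular files in a CONFIG_D directory that a '*.sh' glob would skip,
# i.e. drop-ins dehydrated would silently ignore (the mistake in this thread).
unloaded_conf_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.sh) ;;                          # would be sourced
            *) printf '%s\n' "${f##*/}" ;;    # would be ignored
        esac
    done
}

# Demo on a constructed temporary conf.d mirroring the thread's two attempts.
demo() {
    tmp=$(mktemp -d)
    printf 'CA="https://acme-staging-v02.api.letsencrypt.org/directory"\n' > "$tmp/staging"
    printf 'CA="https://acme-staging-v02.api.letsencrypt.org/directory"\n' > "$tmp/staging.sh"
    echo "drop-ins dehydrated would ignore:"
    unloaded_conf_files "$tmp"
    echo "staging account dir: $(account_dir_for_ca https://acme-staging-v02.api.letsencrypt.org/directory)"
    echo "production account dir: $(account_dir_for_ca https://acme-v02.api.letsencrypt.org/directory)"
    rm -rf "$tmp"
}

demo
```

Running `account_dir_for_ca` against both Let's Encrypt directory URLs yields exactly the two directory names shown in the `ls -l /var/lib/dehydrated/accounts/` output above, which is why switching `CA` in a correctly named `*.sh` drop-in registers a fresh account instead of reporting "Account already registered!".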
Reference: starred/dehydrated#531