Ergebnis 1 bis 4 von 4
  1. #1
    Erfahrener Benutzer
    Registriert seit
    09.07.2012
    Ort
    Spanien
    Beiträge
    300

    Reuse a Let's encrypt certificate between subscriptions / accounts.

    I created a ACME managed certificate for domain mail.example.com of User A but now I want to use it as mail server certificate. This is impossible because the admin user is not owning and therefore cannot see the certificate of user A. Obviously I want the certificate to work now and being updated automatically when it expires (the old one is expiring soon).

    What is the appropriate procedure to migrate this certificate to the admin account where I can then use it as mail server certificate? What happens when I delete the certificate? Can I then request the same domain again under the Admin account? Or will it be revoked / blocked until expiry?

    Please note that this is not only moving ACME certificate from one subscription to another but also from one LE ID to another. LC does not allow to re-use a LE ID between different subscriptions, which I experience as a great disadvantage.

    As company I manage admin, my clients under a reseller account and my hosting domains under a normal hosting account. In this set up I would need only one Let's Encrypt ID for all my certificates, but LC does not allow me and tells me the ID is already in use.

    I would like the Certificate management to be centered around the Let's Encrypt ID, not around the LC subscription. Now I have several different LE IDs in several contracts and they cannot be used between each other. The whole questions I ask here are a result of this.

  2. #2
    Erfahrener Benutzer
    Registriert seit
    09.07.2012
    Ort
    Spanien
    Beiträge
    300
    I think I must retract this question. I notice now you can create a certificate at admin level and then assign it to a reseller's end user, which apparently in this case I did. I changed the end user instance of this certificate from Start SSL to Let's Encrypt, but I should have done that on admin level. I tried now to do it on admin level and it seems to have "taken over" the certificate management although there could be a conflict there.

    First of this seems all very confusing and at end user level it should be clearer who in fact really owns the certificate. When admin made certificate then I thing the end user should not be able to touch it or when he does, it should break the dependency chain (remove it from admin).

    Secondly I think it should be clearer in the user interface what is really going on here. On the end user side I could not see that the certificate in fact was made on admin level and assigned to the end user (you can only see this on the admin side). This lead me to make the mistake.

    I cut and paste the certificates from end user to admin now and it was accepted and then enabled the ACME management on it. I don't know if Let's Encrypt will now accept that management was taken over by the new ID. If this is not possible without errors, LC should warn me or make it impossible to do so (instructing me how to do it right). I then disabled the ACME management at the end user side. I now wait and see what happens next renewal attempt, if it will error out because of ID change.

  3. #3
    Erfahrener Benutzer
    Registriert seit
    15.02.2016
    Beiträge
    320
    Does export and import ACME account help you? It might be possible to use one ID within different users.
    # Das Gras wächst nicht schneller wenn man daran zieht # Bitte keine inflationären Vollzitate #

  4. #4
    Erfahrener Benutzer
    Registriert seit
    07.04.2011
    Beiträge
    801
    Zitat Zitat von lebenszeit Beitrag anzeigen
    It might be possible to use one ID within different users.
    No, there's a unique constraint on Let's Encrypt Login Keys.

Lesezeichen

Berechtigungen

  • Neue Themen erstellen: Nein
  • Themen beantworten: Nein
  • Anhänge hochladen: Nein
  • Beiträge bearbeiten: Nein
  •