How to Update Let’s Encrypt Admin Email for Certificate Recovery and Account Management


When you first set up Let's Encrypt through tools like Certbot, the system creates an account key pair and associates it with your email address. This becomes critical for:

# Account creation command example
certbot register --email oldadmin@company.com --agree-tos

To properly change the admin email while maintaining certificate validity:

# 1. First create a new account with the desired email
certbot register --email newadmin@company.com --agree-tos

# 2. Find your account ID (from old email)
certbot show_account

# 3. Update the email association
certbot update_account --email newadmin@company.com

If you manage multiple domains, use the --cert-name flag:

certbot update_account --email newadmin@company.com --cert-name example.com

The email change affects:

  • Certificate expiration notifications
  • Account recovery options
  • Subscriber agreement updates

After changing the email, verify the update:

certbot show_account
# Should display the new email in output

When using Let's Encrypt for TLS certificates, the admin email serves two critical purposes:

  • Domain ownership validation (especially for wildcard certificates)
  • Certificate recovery notifications (expiry warnings, revocation alerts)

From your description, we're dealing with:

Old Email: former.employee@personal.com
New Email: admin@yourcompany.com
Certificate Authority: Let's Encrypt (ACME v2)

Method 1: Via Certbot Renewal

The most straightforward approach when using certbot:

sudo certbot update_account --email newadmin@yourdomain.com
sudo certbot renew --force-renewal

This will:

  1. Update the ACME account registration
  2. Force renewal of all certificates
  3. Update email in subsequent renewal notices

Method 2: Manual ACME Account Update

For non-certbot clients using ACME directly:

# Using ACME.sh example
acme.sh --update-account --accountemail newadmin@yourdomain.com

Method 3: Complete Account Re-creation

Nuclear option if you suspect compromised credentials:

# First back up the existing state (this copy includes the account key and certificate private keys)
sudo cp -a /etc/letsencrypt/ letsencrypt_backup

# Then create new account
sudo certbot register --email newadmin@yourdomain.com --agree-tos

  • DNS Records: Ensure you maintain control over domain DNS
  • API Keys: Rotate any stored ACME keys if changing accounts
  • Certificate Transparency: Old certificates will still show in logs

After updating:

sudo certbot show_account
# Should display:
# Email: newadmin@yourdomain.com
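
A scripted form of the verification step above, added here as an example and not part of the original page or of Certbot: it reads `certbot show_account` output on stdin and fails if the new address is missing or the old one is still listed. The function names, exit codes, sample output and the assumed `Email:` / `Email contact(s):` line labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `certbot show_account` output after an email change.
# Assumption: the contact line is labelled "Email:", "Email contact:" or
# "Email contacts:" and lists addresses separated by commas.

# Print each contact address found on stdin, lowercased, one per line.
account_emails() {
  awk '
    /^[ \t]*Email( contacts?)?:/ {
      sub(/^[^:]*:[ \t]*/, "")              # drop the label up to the colon
      n = split(tolower($0), parts, /,/)
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "" && parts[i] != "none") print parts[i]
      }
    }'
}

# Usage: certbot show_account | check_account_email NEW [OLD]
# Returns 0 = NEW listed and OLD absent, 1 = NEW missing,
#         2 = OLD still listed, 3 = no contact address found at all.
check_account_email() {
  _new=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _old=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
  _contacts=$(account_emails)
  if [ -z "$_contacts" ]; then
    echo "no email contact on account" >&2
    return 3
  fi
  if [ -n "$_old" ] && printf '%s\n' "$_contacts" | grep -Fxq -- "$_old"; then
    echo "old contact still registered: $_old" >&2
    return 2
  fi
  if ! printf '%s\n' "$_contacts" | grep -Fxq -- "$_new"; then
    echo "new contact missing: $_new" >&2
    return 1
  fi
  return 0
}

# Constructed sample output (placeholder account URL), so this runs offline.
SAMPLE_OUTPUT='Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/0000000
  Email contact: admin@yourcompany.com'

printf '%s\n' "$SAMPLE_OUTPUT" \
  | check_account_email admin@yourcompany.com former.employee@personal.com \
  && echo "contact check passed"
```

Passing the old address as the second argument makes the check fail when a departed employee's mailbox is still registered alongside the new one.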

For infrastructure-as-code setups:

# Ansible playbook snippet
- name: Update Let's Encrypt email
  command: /usr/bin/certbot update_account --email {{ new_le_email }} --noninteractive
  become: yes