How to Update Let’s Encrypt Admin Email for Certificate Recovery and Account Management



When you first set up Let's Encrypt through tools like Certbot, the system creates an account key pair and associates it with your email address. This becomes critical for:

# Account creation command example
certbot register --email oldadmin@company.com --agree-tos

To properly change the admin email while maintaining certificate validity:

# 1. First create a new account with the desired email
certbot register --email newadmin@company.com --agree-tos

# 2. Find your account ID (from old email)
certbot show_account

# 3. Update the email association
certbot update_account --email newadmin@company.com

If you manage multiple domains, use the --cert-name flag:

certbot update_account --email newadmin@company.com --cert-name example.com

The email change affects:

  • Certificate expiration notifications
  • Account recovery options
  • Subscriber agreement updates

After changing the email, verify the update:

certbot show_account
# Should display the new email in output

When using Let's Encrypt for TLS certificates, the admin email serves two critical purposes:

  • Domain ownership validation (especially for wildcard certificates)
  • Certificate recovery notifications (expiry warnings, revocation alerts)

From your description, we're dealing with:

Old Email: former.employee@personal.com
New Email: admin@yourcompany.com
Certificate Authority: Let's Encrypt (ACME v2)

Method 1: Via Certbot Renewal

The most straightforward approach when using certbot:

sudo certbot update_account --email newadmin@yourdomain.com
sudo certbot renew --force-renewal

This will:

  1. Update the ACME account registration
  2. Force renewal of all certificates
  3. Update email in subsequent renewal notices

Method 2: Manual ACME Account Update

For non-certbot clients using ACME directly:

# Example using acme.sh
acme.sh --update-account --accountemail newadmin@yourdomain.com

Method 3: Complete Account Re-creation

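The nuclear option, if you suspect compromised credentials:

# First back up existing certificates
# (-a preserves symlinks, ownership and modes; the copy holds private keys, so keep it root-only)
sudo cp -a /etc/letsencrypt/ letsencrypt_backup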

# Then create new account
sudo certbot register --email newadmin@yourdomain.com --agree-tos

  • DNS Records: Ensure you maintain control over domain DNS
  • API Keys: Rotate any stored ACME keys if changing accounts
  • Certificate Transparency: Old certificates will still show in logs

After updating:

sudo certbot show_account
# Should display:
# Email: newadmin@yourdomain.com
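
The verification steps above (after the update and here) can be scripted so an offboarding run fails when the former employee's address is still a contact. This is an added example, not part of the original article or of Certbot; the function names, the assumed label of the contact line, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the contact line of
# `certbot show_account` reads "Email contact: a@x", "Email contacts: a@x, b@y"
# or "Email: a@x" (the form shown on this page).

# Print each contact address from show_account output on stdin, lower-cased,
# one per line. "none" (no contact registered) yields no lines.
contacts_from_output() {
    awk '/^[ \t]*Email( contacts?)?:/ {
        sub(/^[^:]*:[ \t]*/, ""); gsub(/[ \t\r]+$/, "")
        n = split(tolower($0), parts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (parts[i] != "" && parts[i] != "none") print parts[i]
    }'
}

# check_account_email NEW OLD   (show_account output on stdin)
# 0: NEW is a contact and OLD is gone; 1: NEW missing; 2: OLD still listed.
check_account_email() {
    [ $# -eq 2 ] && [ -n "$1" ] && [ -n "$2" ] || return 64
    new=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    old=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    contacts=$(contacts_from_output)
    printf '%s\n' "$contacts" | grep -qxF -- "$new" || return 1
    if printf '%s\n' "$contacts" | grep -qxF -- "$old"; then return 2; fi
    return 0
}

# Constructed sample output: the old address was never removed.
SAMPLE_STALE='Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/0000000
  Email contacts: NewAdmin@yourdomain.com, former.employee@personal.com'

# Real use: sudo certbot show_account | check_account_email NEW OLD
printf '%s\n' "$SAMPLE_STALE" |
    check_account_email newadmin@yourdomain.com former.employee@personal.com ||
    echo "account contact check failed (status $?)"
```

A non-zero status can gate the rest of a deployment or offboarding job.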

For infrastructure-as-code setups:

# Ansible playbook snippet
- name: Update Let's Encrypt email
  command: /usr/bin/certbot update_account --email {{ new_le_email }} --noninteractive
  become: yes