Account recovery for client certificate generation

My domain is: loop.com

I ran this command:

certbot certonly --dns-route53 -d jpm-payments.ingress.loop.com --email payments-engineering@loop.com --agree-tos --no-eff-email --key-type rsa --required-profile tlsclient

It produced this output:

account ID 3374229896 is not permitted to use certificate profile "tlsclient"

My hosting provider, if applicable, is: AWS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.2.2

We use LetsEncrypt certificates to integrate with an external party. The regeneration process stages new certs by working from a transient tmp directory for work-dir, config-dir, and logs-dir. Public and private keys are stashed as secrets in AWS before the tmp directory is cleaned up entirely. AFAIK this means we have no way to recover the account that was previously used to generate certificates with the tlsclient profile.

Looking for confirmation or suggestions - is there any way to recover the account previously utilized to generate tlsclient profile certificates? We used the profile after October 25, but did not retain all accounts.

Or, is there an opportunity to permit new client certificate generation? Our integration partner is not flexible here and will not offer a private CA solution until later this year.

I think we'd need to see more about that "regeneration process" to be sure, but if by "public and private keys are stashed as secrets" you mean only the certificate keys are preserved, and not the account keys, then no, you wouldn't be able to recover the account keys. Deleting your account keys each time and creating fresh ones for each certificate is pretty unusual, but it sounds like that might be your workflow for some reason?

I think your best bet would be to find some other CA that is trusted by your "integration partner" and still offers TLS client certificates.
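The failure mode described above (certificate keys saved, ACME account keys deleted with the transient config-dir) can be avoided by archiving the account directory before the cleanup step. The script below is an added example written for this thread, not code from the poster or from certbot; it assumes certbot's default layout `<config-dir>/accounts/<acme-server>/directory/<account-id>/{meta.json,private_key.json,regr.json}`, and the sample config dir it builds is constructed, not real account material.

```shell
#!/bin/sh
# Added example (not from the thread). Run backup_accounts before the
# transient certbot --config-dir is removed, so the ACME account can later be
# restored by copying the saved accounts/ tree back into a config-dir.
# Assumed layout (certbot default):
#   <config-dir>/accounts/<acme-server>/directory/<account-id>/
#       meta.json  private_key.json  regr.json
set -eu

# Print each account directory under a certbot config dir, one per line.
list_accounts() {
    find "$1/accounts" -mindepth 3 -maxdepth 3 -type d 2>/dev/null | sort
}

# Succeed only if the account dir holds all three files certbot needs to reuse it.
account_is_complete() {
    for f in meta.json private_key.json regr.json; do
        [ -s "$1/$f" ] || return 1
    done
}

# Extract the account URL from regr.json; this is the ACME account identity
# that the CA's profile permission (e.g. "tlsclient") is attached to.
account_uri() {
    sed -n 's/.*"uri": *"\([^"]*\)".*/\1/p' "$1/regr.json"
}

# Copy every complete account into <dest>/accounts/... and print how many were
# saved. Incomplete account dirs are reported on stderr and skipped.
backup_accounts() {
    config_dir=$1; dest=$2; n=0
    for acct in $(list_accounts "$config_dir"); do   # paths without spaces assumed
        account_is_complete "$acct" || { echo "skipping incomplete $acct" >&2; continue; }
        rel=${acct#"$config_dir"/}
        mkdir -p "$dest/$rel"
        cp -p "$acct"/*.json "$dest/$rel/"
        chmod 600 "$dest/$rel/private_key.json"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample config dir mimicking the layout above; prints its path.
make_sample_config_dir() {
    d=$(mktemp -d)
    a="$d/accounts/acme-v02.api.letsencrypt.org/directory/0123456789abcdef"
    mkdir -p "$a"
    echo '{"creation_dt": "2025-11-01T00:00:00Z"}' > "$a/meta.json"
    echo '{"kty": "RSA", "n": "CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY"}' > "$a/private_key.json"
    echo '{"body": {}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ID"}' > "$a/regr.json"
    echo "$d"
}
```

Restoring is the reverse copy: place the saved `accounts/` tree under the new `--config-dir` before running certbot, and it will use that account instead of registering a fresh one.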

See similar topic:

The dropping of TLS Client Authentication was announced more than a year ago.

The feedback here is appreciated. Peter, you interpreted the process correctly. This is user error / a bad setup on my part, and I misunderstood what we would need to do to continue using the tlsclient profile before July 8th.

We will find a different CA for now. Understood the inevitable direction here. We are just boxed in with what our partner requires for the next 6 months.