Client authentication

I'm working with an application team that is SUPER LATE fixing their app for client authentication EKU. We have used the client authentication EKU before but still we are now banned from requesting a new certificate. Are we completely screwed or is there some way to get OK to use tlsclient one more time to give them time to update their app? Or are we screwed?

Oh and the certificate expires tomorrow. >_<

My domain is: regionjh.se

I ran this command: certbot certonly --csr --manual --key-type rsa --rsa-key-size 2048 --preferred-challenges dns --preferred-profile tlsclient

It produced this output: Error creating new order :: account ID is not permitted to use certificate profile "tlsclient"

My web server is (include version): -

The operating system my web server runs on is (include version): -

My hosting provider, if applicable, is: -

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.3.0

If your account did not already have a certificate issued from the tlsclient profile before May 13th, it is not allowed to do so any longer. Please see Ending TLS Client Authentication Certificate Support in 2026 - Let's Encrypt for more information.

The strange thing is that I renewed a certificate with tlsclient just a few weeks ago.

Is there absolutely no way to do this in an emergency?

With the same account?

Everything within Let's Encrypt is automated, so no.

Also, you should already have been looking into proper client authentication alternatives way before. Let's Encrypt was never meant for this to begin with and the announcement to end support for this was made literally more than a year ago already.

I also do not think staff would provide an exception especially on such short notice. Today is also a national holiday in the US.

But I do not see a cert that expires tomorrow. I see some for your teamsconn subdomain issued May 6, but those are valid through Aug 4.

I also see certs issued by Telia. Do they still issue with Client EKU?