cme_registration.reg: Creating... ╷ │ Error: acme: error: 403 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:unauthorized :: An account with the provided public key exists but is deactivated

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You have not provided much info. Someone else reported a similar problem recently. Does the below thread help your problem? If not, please provide more details about how your account got deactivated and the problems registering a new account with a new key.

2 Likes

Hi @MikeMcQ, the error is similar to what we are facing, but there is no solution. Yes, this seems to be related to the email address. Where do I check that information, and how can I activate the account? We are not sure how the account got deactivated, as this error is for one specific URL cert renewal; others work fine for the same domain.

1 Like

A deactivated ACME account cannot be reactivated. Once deactivated, that specific key pair is permanently marked as inactive in Let's Encrypt's system. You need to register a new account.

The fix depends on which ACME client you are using. Since the error mentions Terraform (cme_registration.reg), you are likely using the ACME Terraform provider. The issue is that your Terraform state file still references the old deactivated account key.

Steps to fix:

  1. Remove the old registration from Terraform state so it stops trying to use the deactivated key:

     ```
     terraform state rm acme_registration.reg
     ```

  2. Generate a new account private key. If your Terraform config uses a tls_private_key resource for the ACME account, taint it to force regeneration:

     ```
     terraform taint tls_private_key.acme_account_key
     ```

  3. Run terraform apply again. It will create a new ACME account with a fresh key pair and register it with Let's Encrypt.

The reason only one domain is affected while others work: each certificate renewal uses a specific ACME account. If you have multiple account keys (one per Terraform workspace or module), only the one with the deactivated key fails. The others still have active accounts.

As for how it got deactivated: this can happen if someone (or automation) explicitly called the account deactivation endpoint, or if a previous Terraform destroy removed the registration resource which triggers deactivation via the ACME API.

2 Likes
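To see which certificates depend on which ACME account key, and so which renewals fail when one account is deactivated, the Terraform state can be grouped by account key. This is an added example, not part of the original posts. It assumes the `terraform show -json` layout and that both `acme_registration` and `acme_certificate` carry `account_key_pem` under `values`. The sample state, its resource names and its key strings are constructed.

```python
import hashlib
import json
from collections import defaultdict

def _res(address, key, **extra):
    """Constructed state entry; type is taken from the resource address."""
    return {"address": address, "type": address.split(".")[-2],
            "values": {"account_key_pem": key, **extra}}

# Constructed sample shaped like `terraform show -json`; key strings are fake.
SAMPLE_STATE = json.dumps({"values": {"root_module": {
    "resources": [
        _res("acme_registration.reg", "FAKE-KEY-A"),
        _res("acme_certificate.api", "FAKE-KEY-A", common_name="api.example.com"),
    ],
    "child_modules": [{"address": "module.www", "resources": [
        _res("module.www.acme_registration.reg", "FAKE-KEY-B"),
        _res("module.www.acme_certificate.site", "FAKE-KEY-B", common_name="www.example.com"),
    ]}],
}}})

def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def certs_by_account(state_json):
    """Map each acme_registration address to the certificate names using its key."""
    root = (json.loads(state_json).get("values") or {}).get("root_module", {})
    regs, certs = {}, defaultdict(list)
    for res in walk(root):
        pem = res.get("values", {}).get("account_key_pem")
        if not pem:
            continue
        # Compare SHA-256 digests so the private key is never printed or logged.
        digest = hashlib.sha256(pem.strip().encode()).hexdigest()
        if res["type"] == "acme_registration":
            regs[digest] = res["address"]
        elif res["type"] == "acme_certificate":
            certs[digest].append(res["values"].get("common_name") or res["address"])
    return {addr: sorted(certs.get(d, [])) for d, addr in regs.items()}

if __name__ == "__main__":
    for reg, names in certs_by_account(SAMPLE_STATE).items():
        print(f"{reg}: {', '.join(names) or '(no certificates)'}")
```

On a real workspace, pass the text produced by `terraform show -json` to `certs_by_account`. That output contains the account private keys, so pipe it straight into the script rather than saving it to disk.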

This helped. Thanks all who took some time to reply.

2 Likes