Hi,
My customer uses a Mitel Micollab application with a let's encrypt automatical renewal certificate.
All is ok for the renewal of the certificate, the control panel makes the job perfectly.
It's time now to change the email contact. Even i change the email before to renew manually the certificate, the next automaical expiration renewal (arounfd 3months) is always sends to the initial email address.
I can login to a root shell on my machine.
Probably the panel uses ACMEV2 API to renew certificates.
The Mitel support said me there's no problem on the control panel, so maybe the problem is probably issued from Let's encrypt? (old email in a database linked to the customer datas?)
Have you got any idea?
Let's Encrypt uses the email that is related to the ACME Account used to get the cert.
Your Mitel ACME Client must change that email address. Do you have a link to their docs that describe how they do that? Because the docs I saw did not show an option for this.
You could delete the ACME Account and register a new one with a new email. But, then that only works for certs you get with that new account. But, I did not see in the Mitel docs how you would do that either.
Thanks MikeMcQ for this explanation!
as you can see in the screenshot, the panel control is very simple. All you have to do is enter the email address used to create the certificate and this email address is used to notify you when the certificate is due to expire (i.e. when it is due to be renewed).
I've already changed this email address on my panel but it hasn't changed anything, we still receive notifications on the old email.
Do you think that Let's encrypt receives this new email address correctly?
Arnaud
No I do not. It takes specific, somewhat unusual, API requests for the ACME Client to tell the Let's Encrypt ACME Server to change the email for the ACME account. If the emails that LE sends are still going to the wrong place it is because it wasn't changed properly.
The ACME Account is probably setup once by Mitel when it requests the first cert. Maybe if you delete everything and start over with new email address that will work. But, I have never worked with Mitel so you should ask them if this would cause any problems.
Certbot is a popular ACME Client and it has an "update_account" command to allow email address changes, for example.
Dear MikeMcQ
Traces have been made on Mitel after the certificate has been revalidated. I can confirm the new email address is sent as a parameter to let's encrypt.
It therefore seems that the initial email address has been retained and linked to the end customer's FQDN.
Is it possible to delete everything for the client FQDN on the let's encrypt side?
I don't have another issue to resolve the request of my client..
No, the email address is associated with the ACME Account not a FQDN. That email is used for all certs obtained by that ACME Account.
Can you show the API flow you used to update the account? Because sending a new email on a cert request is not the way.
Your easiest way to change the email used is to register a new account with the new email address. Then use that new account for cert requests. All certs using that new account will then be alerted with the new email.
