No registration exists matching provided key

cblu2se5t · December 19, 2017, 9:00am

Hello,
I wanted to have ssl for my own server (Openbsd httpd, acme-client), but I’m getting the following error:
“no registration exists matching provided key”.
Could any one please let me know what the error means?
I checked docs for a while and tried several times but I can’t find much and still get the same error.
I would really appreciate any help.

bytecamp · December 19, 2017, 9:23am

This means that for the key you use with acme-tool, there is no corresponding account which has been setup via the ACME API before. Just try to create another account and use this instead.

cblu2se5t · December 19, 2017, 10:05am

Thank you for your prompt and to the point reply, indeed!
But I don’t seem to know how to create another account and usd this instead.
I only used the command “acme-client --vvAD example.com”, which the man page says that creates a new account. I just used the same command as the above every time I try. I seem to remember the output said “(something) exists; not creating”. Can I just delete the existing account? How can I do so?

bytecamp · December 19, 2017, 10:19am

I would indeed try to do this. But I don't know where this client saves its data.

cblu2se5t · December 19, 2017, 11:08am

Thank you bytecamp. I seem to have deleted the account and enter the command again, and I now get the error/line that I got at my first attemp:
"does not match current agreement URL"
Would you let me know anything about it?

cblu2se5t · December 19, 2017, 11:12am

I mean, about this error: “does not match current agreement URL”

mnordhoff · December 19, 2017, 11:18am

It sounds like the client is trying to use an old version of the subscriber agreement.

Most clients either automatically detect the latest subscriber agreement, or at least have been updated to hardcode the current one.

I'm not sure how acme-client works.

Check to see if you can upgrade it, or try passing "-a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf".

Edit:

github.com/kristapsdz/acme-client-portable

Action required: Let's Encrypt subscriber agreement URL Change

opened 08:53PM - 13 Nov 17 UTC

cpu

Hi there, Your project has a hardcoded URL reference to the [current](https:/…/letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf) Let's Encrypt subscriber agreement: https://github.com/kristapsdz/acme-client-portable/blob/e82c130dd942a74c50c1631042c1bc60fafe8bad/main.c#L35:L36 This URL is [**going to change November 15th**](https://community.letsencrypt.org/t/subscriber-agreement-update-november-15-2017/45607). If your project does not address the stale URL at this point subsequent new-registration/account requests may begin to fail. ACME clients do not need to hardcode a subscriber agreement URL and Let's Encrypt discourages this practice. You should learn the current agreement URL at runtime instead so that it is always current. One option is to reference the agreement URL from the `"meta"` key's `"terms-of-service"` element from the response to a `GET` request to the ACME server's `/directory` endpoint: ``` { <snip> "meta": { "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" }, <snip> } ``` A second option is to learn the current subscriber agreement URL at runtime as part of the `new-reg` flow: Client code can submit an initial `new-reg` request without an `agreement` value in the request payload. The account will be created and in the response will be a `Link` header with a `terms-of-service` relation pointing at the current agreement URL. Once this `Link` header has been seen the client should update the registration to agree to the terms by sending a payload with the `agreement` value set to the current agreement URL. Thanks!

Edit again:

For future reference, the first issue discusses current ways to automatically get the current subscriber agreement URL.

One of them is to download https://acme-v01.api.letsencrypt.org/directory -- and it's just JSON, so you can open and read it in a browser -- and use the terms-of-service element.

I don't know if the ACME v2 API will change things, though.

cpu · December 19, 2017, 1:22pm

ACMEv2's new-account requests only have to send a termsOfServiceAgreed: yes value, not the subscriber agreement URL they are agreeing to. I suspect this will make everyone's lives easier

cblu2se5t · December 20, 2017, 11:39am

Thank you indeed, bytecamp, mnordhoff, and cpu!
You guys really really helped me a lot. Also provided me with good information, I can’t express how much I appreciated your help.
I am looking into some other issue but seem to have solved the errors issue yesterday, shortly after reading those replies, by adjusting the lines regarding the URL in the configuration file. If I have other errors or so I’ll write again.

I’m a bit worried if such ‘unsuccessful’ attepts also count by the Rate Limits, in any way. Kindly clarify me, if any one can.

Thank you indeed again!

mnordhoff · December 20, 2017, 11:56am

It's fine. Let's Encrypt's rate limits are documented here:

The new-reg endpoint has a limit of 20 requests per second, and successful account creations have a limit, but as long as you're not DoSing the service, a reasonable number of unsuccessful registration attempts should be fine.

system · January 19, 2018, 11:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Account registration: Curl error 92 Can not find account id url Help	11	2243	March 3, 2022
Too many registrations on this IP Client dev	6	871	June 15, 2018
Account doesn't exist for renew certificate after server change Server	5	10913	September 7, 2017
Solution to ACMEv2 Errors since upgrade? Help	9	1551	April 25, 2020
Error: no account exists with provided key Help	5	1190	April 25, 2023

No registration exists matching provided key

Related topics