Unable to renew certificate

lilysaxe_hotmail.com · August 12, 2025, 8:38am

When trying to renew my certificate with GenLeCertForNS.ps1 for use on my NetScaler I get the following errormessage:

INFO [REGISTRATION] Current registration is not equal to "@", currently empty! Setting new registration.
2025-08-12 09:42:19:1644 INFO [REGISTRATION] Account 220050633 set as default.
2025-08-12 09:42:19:3649 ERROR [REGISTRATION] User registration failed.
2025-08-12 09:42:19:4867 ERROR [INVOKE-REGISTERERROR] [1] User registration failed

I used this before and it always worked. Does anyone have an idea?

Kind regards,

Robin

petercooperjr · August 12, 2025, 11:19am

I'm not familiar with that script, but from searching around, it looks to be something based on Posh-ACME. I have some generic advice that may or may not help:

Can you make sure you are on the latest version of that script, and that it's using the latest version of Posh-ACME??
Can you run with -LogLevel Debug which I'm hoping will give more helpful information?
Is there any chance this has been broken for you since May? Around that time, Let's Encrypt's API servers changed to use an ECDSA certificate instead of an RSA one, and some Windows servers have been overly "hardened" and have disabled those ciphers. You can find more information in these threads, which are for a different Windows client but the fix would be the same if that's the problem.

Certify the Web Cannot create secure channel error

Fix: "Could not create SSL/TLS secure channel." when attempting a certificate order with Let's Encrypt (or "CA ACME Directory is not accessible") - Announcements - Certify The Web - Support Community

webprofusion · August 12, 2025, 12:56pm

The script GenLeCertForNS/GenLeCertForNS.ps1 at master · j81blog/GenLeCertForNS · GitHub
is expecting the account registration to return an email address, but Let's Encrypt don't do that any more, so you'll need to edit the script to allow the email address returned by the registration to be null/blank

github.com/j81blog/GenLeCertForNS

GenLeCertForNS.ps1

263050145


      
          Write-ToLogFile -I -C Registration -M "Try to retrieve the existing Registration."
          $PARegistrations = Posh-ACME\Get-PAAccount -List -Contact $CertRequest.EmailAddress -Refresh | Where-Object { ($_.status -eq "valid") -and ($_.KeyLength -eq $CertRequest.KeyLength) }
          if ($PARegistrations -is [system.array]) {
              $PARegistration = $PARegistrations | Sort-Object id | Select-Object -Last 1
              Write-ToLogFile -I -C Registration -M "Found multiple Accounts"
              $PARegistrations | ForEach-Object { Write-ToLogFile -D -C Registration -M "$($_ | ConvertTo-Json -WarningAction SilentlyContinue -Depth 5 -Compress)" }
          } else {
              $PARegistration = $PARegistrations
          }
          Write-DisplayText -ForeGroundColor Yellow -NoNewLine "*"
          if ($PARegistration.Contact -contains "mailto:$($CertRequest.EmailAddress)") {
              Write-ToLogFile -I -C Registration -M "Existing registration found, no changes necessary."
          } else {
              if ([String]::IsNullOrEmpty($($PARegistration.Contact))) {
                  Write-ToLogFile -I -C Registration -M "Current registration is not equal to `"$($CertRequest.EmailAddress)`", currently empty! Setting new registration."
              } else {
                  Write-ToLogFile -I -C Registration -M "Current registration `"$($PARegistration.Contact)`" is not equal to `"$($CertRequest.EmailAddress)`", setting new registration."
              }
              Write-DisplayText -ForeGroundColor Yellow -NoNewLine "*"
              $PARegistration = Posh-ACME\New-PAAccount -Contact $($CertRequest.EmailAddress) -KeyLength $CertRequest.KeyLength -AcceptTOS
          }

petercooperjr · August 12, 2025, 1:12pm

Good catch! It looks like that's listed in their issue tracker, though I don't see an expected release date or anything like that.

github.com/j81blog/GenLeCertForNS

Change on LE-API in January breaks email-less ACME account registration

opened 10:06AM - 06 Jun 25 UTC

kuechn

bug

Hi, I came across the following error starting two days ago: ERROR [REGISTRAT…ION] User registration failed. ERROR [INVOKE-REGISTERERROR] [1] User registration failed line 4068 #region Registration According to this article the mail address is no longer stored (for other reasons. but no good, IMHO): https://community.letsencrypt.org/t/did-you-change-the-response-of-new-account/238188 "Did you change the response of https://acme-v02.api.letsencrypt.org/acme/new-acct recently? Seems like it doesn't include contact anymore. Am I right? 1. Correct. LE doesn't store contact information anymore. (...) clients that haven't encountered email-less ACME account registrations before it could still have an impact if you use the registration result and expect a value." So I guess you would need to change this region in the script? Currently validations are not possible. Regards, Mario

lilysaxe_hotmail.com · August 12, 2025, 1:33pm

Thanks for your responses. I have found a new version of the script ( j81blog/GenLeCertForNS at dev) which does work. My certificate has been renewed!

system · September 11, 2025, 1:33pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Running Let's Encrypt: Error renewing certificates Help	3	2485	June 3, 2021
SSL Certificate renewal issue Help	4	1326	July 1, 2020
Certs expire in a week, I lost my "client" and win-acme reports "invalid anti-replay nonce". Need help! Help	7	1449	July 28, 2020
LE ACME-Exchange.ps1 Exchange 2016 Renewal issues Help	13	6575	August 16, 2017
Renewal fails while new certificate request works Help	10	6099	March 28, 2017

Unable to renew certificate

Related topics