Error: no ACME account was found or registered for email #730

Closed
0xBYTESHIFT opened this issue Dec 16, 2020 · 11 comments
Labels
kind/letsencrypt Issue, question or PR regarding Let's Encrypt

Comments

@0xBYTESHIFT

I have docker-compose which uses nginx-proxy, this companion, and some apache-based service.

But there's this issue:

~/cryptosetup: docker-compose -f nextcloud/nextcloud-ssl.yml up -d --force-recreate
~/cryptosetup: docker logs nextcloud-letsencrypt
Info: running letsencrypt-nginx-proxy-companion version v2.0.1
Info: Custom Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (d39d1b5e30b753a5547304544803fbd5ffc12cc9fd1a2f50a7d6e680e7a6b151)...
2020/12/16 00:49:21 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2020/12/16 00:49:21 [notice] 52#52: signal process started
2020/12/16 00:49:21 Generated '/app/letsencrypt_service_data' from 4 containers
2020/12/16 00:49:21 Running '/app/signal_le_service'
2020/12/16 00:49:21 Watching docker events
2020/12/16 00:49:21 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
[Wed Dec 16 00:49:24 UTC 2020] Create account key ok.
[Wed Dec 16 00:49:24 UTC 2020] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed Dec 16 00:49:26 UTC 2020] Register account Error: {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
grep: /etc/acme.sh/root@tortique.tech/ca/acme-v02.api.letsencrypt.org/account.json: No such file or directory
[Wed Dec 16 00:49:27 UTC 2020] The account url is empty, please run '--update-account' first to update the account info first,
[Wed Dec 16 00:49:27 UTC 2020] Then try again.
Error: no ACME account was found or registered for root@tortique.tech and https://acme-v02.api.letsencrypt.org/directory, certificate creation aborted.
Sleep for 3600s

What's wrong and how should I fix it?

@buchdag
Member

buchdag commented Dec 16, 2020

You've hit Let's Encrypt rate limits:

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers. Exceeding these limits is reported with the error message too many registrations for this IP or too many registrations for this IP range.

There is nothing you can do beside waiting:

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires.

@buchdag buchdag added the kind/letsencrypt Issue, question or PR regarding Let's Encrypt label Dec 16, 2020
@0xBYTESHIFT
Author

I waited and ran docker-compose again recently, the result is slightly different:

root@tortique:~/cryptosetup# docker logs -f nextcloud-letsencrypt
Info: running letsencrypt-nginx-proxy-companion version v2.0.1
Info: Custom Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (87b8b3a2ac67a17de71af302c016a608c63fc671a7cf0d8bae70057db219ef98)...
2020/12/16 14:03:52 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2020/12/16 14:03:52 [notice] 47#47: signal process started
2020/12/16 14:03:52 Generated '/app/letsencrypt_service_data' from 4 containers
2020/12/16 14:03:52 Running '/app/signal_le_service'
2020/12/16 14:03:52 Watching docker events
2020/12/16 14:03:53 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
[Wed Dec 16 14:03:55 UTC 2020] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Wed Dec 16 14:03:57 UTC 2020] Registered
[Wed Dec 16 14:03:58 UTC 2020] ACCOUNT_THUMBPRINT='En81rjJU_xlyBZSJZ8Wttl98PSvi0m5Vk_9FbFcPZrE'
Reloading nginx proxy (87b8b3a2ac67a17de71af302c016a608c63fc671a7cf0d8bae70057db219ef98)...
2020/12/16 14:03:58 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2020/12/16 14:03:58 [notice] 75#75: signal process started
Creating/renewal tortique.tech certificates... (tortique.tech)
[Wed Dec 16 14:04:01 UTC 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Dec 16 14:04:01 UTC 2020] Creating domain key
[Wed Dec 16 14:04:01 UTC 2020] The domain key is here: /etc/acme.sh/root@tortique.tech/tortique.tech/tortique.tech.key
[Wed Dec 16 14:04:01 UTC 2020] Single domain='tortique.tech'
[Wed Dec 16 14:04:01 UTC 2020] Getting domain auth token for each domain
[Wed Dec 16 14:04:04 UTC 2020] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for exact set of domains: tortique.tech: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
[Wed Dec 16 14:04:04 UTC 2020] Please check log file for more details: /dev/null
Sleep for 3600s

But still, no SSL. If it already has keys and ../acme.sh/ is not empty, why can't it reuse it? Or am I missing something?

@buchdag
Member

buchdag commented Dec 16, 2020

Please see https://letsencrypt.org/docs/rate-limits/ as suggested in the ACME error
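To tell apart the two 429 responses quoted so far in this thread, the following added example (not part of the original issue or of the project's code) pulls the ACME problem documents out of acme.sh log output and labels which limit was hit. The log text is copied from the two runs above; the label names are this example's own.

```python
import json

# Log excerpt taken from the two acme.sh runs quoted in this issue.
SAMPLE_LOG = '''\
[Wed Dec 16 00:49:26 UTC 2020] Register account Error: {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
[Wed Dec 16 14:04:04 UTC 2020] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for exact set of domains: tortique.tech: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
'''

# Substring of "detail" -> which limit was hit (labels are this example's own wording).
LIMITS = {
    "too many registrations for this IP": "account-registrations",
    "too many certificates already issued for exact set of domains": "duplicate-certificate",
}

def acme_problems(log_text):
    """Yield each JSON problem document embedded in acme.sh log output."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := log_text.find("{", pos)) != -1:
        try:
            obj, end = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            pos = start + 1  # a stray brace, not a JSON object: keep scanning
            continue
        pos = end
        if isinstance(obj, dict) and "type" in obj:
            yield obj

def classify(log_text):
    """Return (limit label, detail) for every rateLimited problem in the log."""
    hits = []
    for prob in acme_problems(log_text):
        if not prob["type"].endswith(":rateLimited"):
            continue
        detail = prob.get("detail", "")
        label = next((v for k, v in LIMITS.items() if k in detail), "other-rate-limit")
        hits.append((label, detail))
    return hits

if __name__ == "__main__":
    for label, detail in classify(SAMPLE_LOG):
        print(label, "->", detail)
```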

@alecbcs

alecbcs commented Dec 18, 2020

@buchdag after upgrading to v2.0.0 I'm seeing this error after recreating the container 5 times. It seems as though it is no longer using the persistent storage attached to the container. Before v2.0.0 I hadn't ever experienced this before when recreating the container as part of a docker compose using a persistently attached storage volume. Any ideas?

Edit: After reading through the release notes of the new release I'm seeing that the ACME config is stored in /etc/acme.sh/default which requires a new docker volume. It sucks that the new change destroys anyone's rate limit without adding that additional docker volume but I understand the reasons for keeping it separate.

@buchdag
Member

buchdag commented Dec 18, 2020

@alecbcs the issue regarding the switch to acme.sh was open for more than a year with pretty much zero comments on the ACME accounts part.

I understand that people hitting rate limiting issues due to the non backward compatible changes made to ACME accounts handling will be frustrated, but there is only so much I can do with nobody commenting on future changes and with code contribution limited to only a few people.

If you have suggestions to make this change clearer in the docs, don't hesitate to open a PR.

@AnomalRoil

AnomalRoil commented Dec 19, 2020

I just had the same issue after doing a simple docker-compose pull update (previous one was maybe 10 days ago).

It seems that somehow it's not picking up my still perfectly valid certs in my persistent storage and instead tries to redo the registration or so.

Does this mean that every time I will do docker-compose up it will get fired for each container at LE and could cause this issue?

Edit: will try to add an acme volume linked to /etc/acme.sh.

@buchdag
Member

buchdag commented Dec 19, 2020

@AnomalRoil please see #510 and the docs: mounting a volume to /etc/acme.sh is now required.

@AnomalRoil

Yeah, this docker pull "update" is breaking my setup issue was solved on my side by adding a volume to /etc/acme.sh.

Since this new v2 was just pushed recently to docker hub as the default version, you might want to update your Readme to include more details because the current warning reads:

The v2.0.0 release of this project mark the switch of the ACME client used by the Docker image from simp.le to acme.sh. This switch result in some backward incompatible changes, so please read this issue for more details before updating your image. The last tagged version that uses simp_le is v1.13.1.

and it wasn't known to me that I had auto-magically jumped from v1 to v2 when I read it: as far as I knew I had always been running v2, but no and the switch was the cause of this issue on my side :)
I guess I oughta always tag my images to some major version to avoid having surprises like that.

@buchdag
Member

buchdag commented Dec 21, 2020

@AnomalRoil I updated the README as follows:

Required read if you use the latest version : the recent v2.0.0 release of this project mark the switch of the ACME client used by the Docker image from simp.le to acme.sh. This switch result in some backward incompatible changes, so please read this issue and the updated docs for more details before updating your image. The single most important change is that the container now requires a volume mounted to /etc/acme.sh in order to persist ACME account keys and SSL certificates. The last tagged version that uses simp_le is v1.13.1.

Let me know if you think this is still unclear / could be enhanced.

Also yes, I would strongly advise against using the latest tag on projects that provide regular versioned tags, like this one.

@buchdag
Member

buchdag commented Apr 5, 2021

Inactive issue, closing.

@buchdag buchdag closed this as completed Apr 5, 2021
@miigotu

miigotu commented Sep 1, 2022

Just want to add what I did that caused this issue for me, and how I fixed it since Google brought me here first.

In my docker-compose, I had written the environment variable line like this:
- DEFAULT_EMAIL="miigotu@some_email.com"

which was interpreted and sent to acme as '"miigotu@some_email.com"' with the double quotes as part of the value of the variable rather than wrapping the value.

The fix was to change it to the way the documents tell us to do it:
- "DEFAULT_EMAIL=miigotu@some_email.com"
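The three configuration mistakes that surfaced in this thread (no volume at /etc/acme.sh, an image following the latest tag, and quotes ending up inside a list-form environment value) can be checked before deploying. The following is an added example, not code from the project or from any commenter; it works on the dict a YAML loader returns for the compose file, and the service name, volume names and e-mail address are constructed placeholders.

```python
# Constructed sample: what a YAML loader returns for a compose service carrying
# the mistakes discussed in this thread. Names and the e-mail are placeholders.
COMPOSE = {
    "services": {
        "letsencrypt": {
            "image": "jrcs/letsencrypt-nginx-proxy-companion",     # no tag -> latest
            "environment": ['DEFAULT_EMAIL="admin@example.com"'],  # quotes inside the item
            "volumes": ["certs:/etc/nginx/certs",
                        "/var/run/docker.sock:/var/run/docker.sock:ro"],
        }
    }
}

def image_tag(image):
    """Tag of an image reference; 'latest' if none; None if pinned by digest."""
    if "@" in image:
        return None
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"

def volume_targets(volumes):
    """Container paths from short ('src:dst[:mode]' or 'dst') and long syntax."""
    for v in volumes or []:
        if isinstance(v, dict):
            yield v.get("target", "")
        else:
            parts = v.split(":")
            yield parts[1] if len(parts) > 1 else parts[0]

def env_items(env):
    """Normalise list-form ('K=V') and mapping-form environment to (key, value)."""
    if isinstance(env, dict):
        return [(k, "" if v is None else str(v)) for k, v in env.items()]
    return [tuple(e.split("=", 1)) if "=" in e else (e, "") for e in env or []]

def lint_service(svc):
    """Return finding labels (this example's own names) for one compose service."""
    findings = []
    if image_tag(svc.get("image", "")) == "latest":
        findings.append("image-unpinned")
    if "/etc/acme.sh" not in {t.rstrip("/") for t in volume_targets(svc.get("volumes"))}:
        findings.append("acme-state-not-persisted")
    for key, val in env_items(svc.get("environment")):
        # In list form the YAML scalar is the whole 'K=V' string, so quotes placed
        # after '=' are passed to the container as part of the value.
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            findings.append(f"quoted-env-value:{key}")
    return findings
```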
