Roots Discourse

"Unable to update account :: too many contacts provided:"

With latest Trellis I have a new issue with Let’s Encrypt:

Unable to update account :: too many contacts provided: 21 > 10

21 contacts with only 10 contacts allowed, that’s a very large discrepancy.

What does this mean, “too many contacts”? Isn’t only one contact used, the one of the webmaster?

Error while generating certificate for <redacted>
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/letsencrypt/acme_tiny.py", line 115, in get_crt
    account, _, _ = _send_signed_request(acct_headers['Location'], {"contact": contact}, "Error updating contact details")
  File "/usr/local/letsencrypt/acme_tiny.py", line 60, in _send_signed_request
    return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
  File "/usr/local/letsencrypt/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error updating contact details:
Url: https://acme-v02.api.letsencrypt.org/acme/acct/<redacted>
Data: 
Response Code: 400
Response: {u'status': 400, u'type': u'urn:ietf:params:acme:error:malformed', u'detail': u'Unable to update account :: too many contacts provided: 31 > 10'}

Let’s Encrypt Boulder server validation code that throws this error:

Does Trellis/acme-tiny create an account per domain, reaching the Let’s Encrypt account creation rate limits?

So in the Trellis config the variable for the Let’s Encrypt contact email was set using quotes, as a literal:
letsencrypt_contact_emails: "webmaster@example.com"
This resulted in incorrect interpolation/generation of the renew_certs.py script file by the Ansible playbook, each letter being a mailto email address:

'--contact mailto:w mailto:e mailto:b mailto:m mailto:a mailto:s mailto:t mailto:e mailto:r mailto:@ mailto:e mailto:x [...]

The variable has to be a list:

letsencrypt_contact_emails:
  - webmaster@example.com

This can be overlooked, so Trellis should check/sanitize the variable to prevent these kinds of issues.

1 Like
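
The kind of check suggested in the post above, as an added example that is not part of the original thread and is not Trellis or acme-tiny code. It assumes the template loops over the variable without a type check; the function names are hypothetical and the sample values are constructed.

```python
"""Added example: why a quoted string turns into one ACME contact per character."""

MAX_ACME_CONTACTS = 10  # limit quoted in the Boulder error on this page ("> 10")


def naive_contact_args(contact_emails):
    """Mimics a template loop that iterates the variable without a type check.

    Iterating a str yields its characters, which is the behaviour that
    produced '--contact mailto:w mailto:e mailto:b ...' in the post.
    """
    return ["mailto:" + item for item in contact_emails]


def checked_contact_args(contact_emails):
    """Hypothetical guard: accept only a list of plausible addresses."""
    if isinstance(contact_emails, (str, bytes)):
        raise TypeError(
            "letsencrypt_contact_emails must be a YAML list, got a string: %r"
            % (contact_emails,)
        )
    contacts = []
    for item in contact_emails:
        if not isinstance(item, str):
            raise TypeError("contact entries must be strings, got %r" % (item,))
        addr = item.strip()
        local, sep, domain = addr.partition("@")
        # Reject single characters, empty parts and embedded whitespace.
        if not (sep and local and "." in domain) or any(c.isspace() for c in addr):
            raise ValueError("not a usable e-mail address: %r" % (item,))
        contacts.append("mailto:" + addr)
    if len(contacts) > MAX_ACME_CONTACTS:
        raise ValueError(
            "%d contacts > %d allowed" % (len(contacts), MAX_ACME_CONTACTS)
        )
    return contacts


if __name__ == "__main__":
    quoted = "webmaster@example.com"      # constructed: the quoted scalar form
    as_list = ["webmaster@example.com"]   # constructed: the list form
    print(len(naive_contact_args(quoted)), "contacts from the quoted scalar")
    print(checked_contact_args(as_list))
```

The quoted scalar yields one contact per character, which is how a single address ends up over the ten-contact limit; the guard fails before any request is sent to the ACME server.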