Troubleshooting: ACME clients

CertCentral uses the ACME protocol to automate certificate requests on dedicated hosts, such as web servers or point-of-service devices. DigiCert recommends using your preferred ACME client; however, EFF's Certbot is used as the reference client in all examples, and the exact steps for other clients may vary.

Scenario

CertCentral issues a certificate associated with the old ACME directory URL.

  1. The administrator uses an ACME client with the old ACME Directory URL.
  2. The administrator creates a new ACME Directory URL to get a new certificate.
  3. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution

To get a certificate associated with the new ACME Directory URL, create a new configuration directory and pass it with the --config-dir parameter when you run the client.

  1. Create a configuration directory for the new certificate.

    For example:

    C:\<ConfigDirectory>

  2. Run the command, specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters:

```bash
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>
```

Scenario

The revoked ACME Directory URL prevents you from getting a certificate with the new ACME Directory URL.

  1. The administrator uses an ACME client with the old ACME Directory URL.
  2. The administrator creates a new ACME Directory URL to get a new certificate.
  3. The administrator revokes the old ACME Directory URL.
  4. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution

To get a certificate associated with the new ACME Directory URL:

  1. Delete the configuration directory of the previously issued certificate configured with the revoked ACME directory URL.

  2. Create a configuration directory for the new certificate.

    For example:

    C:\<ConfigDirectory>

  3. Run the command, specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters:

```bash
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>
```
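Both scenarios above come down to the same rule: one Certbot configuration directory per ACME Directory URL, and never reuse a directory that already holds account or renewal state. The script below is an added example, not DigiCert's or Certbot's own code; it derives a unique configuration directory from the directory URL, checks that it is fresh before the request, and builds the same Certbot command line as on this page. It assumes certbot is on PATH, that the EAB credentials are supplied in the environment variables EAB_KID and EAB_HMAC_KEY (names chosen here), and that the base path is a placeholder you replace.

```bash
#!/usr/bin/env bash
# Added example: isolate Certbot state per ACME Directory URL (not DigiCert code).
set -u

# Derive a stable, unique config dir from the ACME Directory URL (sha256 prefix),
# so two directory URLs can never share account or renewal state.
config_dir_for_url() {   # $1 = ACME Directory URL, $2 = base path
  local h
  h=$(printf '%s' "$1" | sha256sum | cut -c1-16)
  printf '%s/%s\n' "$2" "$h"
}

# Return 0 if the config dir holds no account or renewal state yet, 1 otherwise.
# Certbot keeps registered accounts under accounts/ and lineages under renewal/.
config_dir_is_fresh() {  # $1 = config dir
  local d=$1
  [ ! -d "$d" ] && return 0
  if [ -n "$(find "$d/accounts" "$d/renewal" -type f 2>/dev/null | head -n 1)" ]; then
    return 1
  fi
  return 0
}

# Build the Certbot command line with the same flags the page uses. EAB_KID and
# EAB_HMAC_KEY are assumed environment variables so secrets never sit in the script.
build_certbot_cmd() {    # $1 = domain, $2 = config dir, $3 = ACME Directory URL
  printf 'certbot certonly --register-unsafely-without-email --standalone -d %s --config-dir=%s --server %s --eab-kid=%s --eab-hmac-key=%s\n' \
    "$1" "$2" "$3" "${EAB_KID:?set EAB_KID}" "${EAB_HMAC_KEY:?set EAB_HMAC_KEY}"
}

# Refuse to run against a config dir that already carries state from another
# directory URL; that is exactly the situation the two scenarios describe.
request_cert() {         # $1 = domain, $2 = ACME Directory URL, $3 = base path
  local dir
  dir=$(config_dir_for_url "$2" "$3")
  if ! config_dir_is_fresh "$dir"; then
    echo "refusing: $dir already holds account/renewal state; use a new directory" >&2
    return 2
  fi
  mkdir -p "$dir"
  certbot certonly --register-unsafely-without-email --standalone -d "$1" \
    --config-dir="$dir" --server "$2" \
    --eab-kid="${EAB_KID:?set EAB_KID}" --eab-hmac-key="${EAB_HMAC_KEY:?set EAB_HMAC_KEY}"
}

# Usage (placeholder values): request_cert www.example.test <ACMEURL> /etc/certbot-acme
```

Run request_cert once per ACME Directory URL; when a directory URL is revoked and a new one created, the new URL automatically lands in a fresh configuration directory.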

Scenario

Timeout error:

  • When the organization associated with the certificate request has not been validated.
  • When the domain associated with the certificate request has not been validated.
  • When the certificate request is not approved within 24 hours.
  • When the certificate approval time is greater than 90 seconds.

Solution

Before you place a certificate request:

  • Ensure that the organization has been validated.
    1. Go to Certificates > Organizations.
    2. On the Organizations page, check the validation status of the organization you have requested the certificate for.

    If the organization has not been validated, review the request and resubmit it for validation. For more information, see Manage organizations.

  • Ensure that the domain has been validated.
    1. Go to Certificates > Domains.
    2. On the Domains page, check the validation status of the domain you have requested the certificate for.

    If the domain has not been validated, review the request and resubmit it for validation. For more information, see Manage domains.

  • Ensure that the certificate request is approved within 24 hours after the order is placed.
    1. Go to Certificates > Requests.
    2. On the Requests page, find and click the certificate order link to approve the request.

  • Ensure that automatic approval is enabled for the requested certificate.
    1. Go to Settings > Preferences.
    2. On the Division Preferences page, under Advanced Settings, in the Approval Steps section, select Skip approval step: remove the approval step from your certificate order processes.