
Troubleshooting scenarios for third-party ACME clients

CertCentral is compatible with any automation client that supports the industry-standard ACME protocol.

EFF’s Certbot is used as the reference client for all troubleshooting examples here. Implementation details for other clients may vary.

Scenario: CertCentral issues a certificate associated with the old ACME directory URL

Scenario:

  1. The administrator uses an ACME client with the old ACME Directory URL.

  2. The administrator creates a new ACME Directory URL to get a new certificate.

  3. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution:

To get a certificate associated with the new ACME Directory URL, create a new configuration directory and pass it to the client with the --config-dir parameter.

  1. Create a configuration directory for the new certificate. For example: C:\<ConfigDirectory>

  2. Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.

.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>

Scenario: The revoked ACME Directory URL prevents you from getting a certificate with the new ACME Directory URL

Scenario:

  1. The administrator uses an ACME client with the old ACME Directory URL.

  2. The administrator creates a new ACME Directory URL to get a new certificate.

  3. The administrator revokes the old ACME Directory URL.

  4. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution:

To get a certificate associated with the new ACME Directory URL:

  1. Delete the configuration directory of the previously issued certificate configured with the revoked ACME directory URL.

  2. Create a configuration directory for the new certificate. For example: C:\<ConfigDirectory>

  3. Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.

.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>
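Both scenarios above come down to the same question: which ACME directory is an existing Certbot configuration directory already bound to, and is the directory you are about to pass as --config-dir really fresh? The following POSIX shell snippet is an added diagnostic example, not part of this page and not Certbot's own code; it assumes Certbot's default account layout of accounts/<acme-host>/<directory-path>/<account-id>/regr.json under the configuration directory, and the host acme.example.invalid and account paths it creates are constructed sample values.

```shell
#!/bin/sh
# Added example; not from the CertCentral page or Certbot's own code.
# Assumes Certbot's default account layout:
#   <config-dir>/accounts/<acme-host>/<directory-path...>/<account-id>/regr.json
# where regr.json carries the registered account's "uri".

# Print "<acme-host> <account-uri>" for every account registered in a config dir.
list_acme_accounts() {
    config_dir=$1
    [ -d "$config_dir/accounts" ] || return 0
    find "$config_dir/accounts" -name regr.json | sort | while read -r regr; do
        # The first path component under accounts/ is the ACME server host.
        host=${regr#"$config_dir/accounts/"}
        host=${host%%/*}
        uri=$(sed -n 's/.*"uri": *"\([^"]*\)".*/\1/p' "$regr")
        printf '%s %s\n' "$host" "${uri:-<no uri>}"
    done
}

# Return 0 if the directory holds no registered account (safe to use as a new
# --config-dir); return 1 if it already carries a registration Certbot would reuse.
is_fresh_config_dir() {
    [ -z "$(list_acme_accounts "$1")" ]
}

# Constructed sample tree: an "old" config dir bound to a placeholder ACME host,
# next to an empty "new" one.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/old/accounts/acme.example.invalid/directory/0123abcd"
printf '{"body": {}, "uri": "https://acme.example.invalid/acct/42"}\n' \
    > "$demo_dir/old/accounts/acme.example.invalid/directory/0123abcd/regr.json"
mkdir -p "$demo_dir/new"

list_acme_accounts "$demo_dir/old"
is_fresh_config_dir "$demo_dir/old" || echo "old dir still holds a registration; do not reuse it"
is_fresh_config_dir "$demo_dir/new" && echo "new dir is fresh; safe to pass as --config-dir"
```

Run list_acme_accounts against the directory from the earlier certificate to see the host of the ACME directory it is bound to, and is_fresh_config_dir against the directory you intend to pass with --config-dir before running certbot.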

Scenario: Timeout error

A timeout error occurs in the following cases:

  • When the organization associated with the certificate request has not been validated.

  • When the domain associated with the certificate request has not been validated.

  • When the certificate request is not approved within 24 hours.

  • When the certificate approval time is greater than 90 seconds.

Solution:

Before you place a certificate request:

  • Ensure that the organization has been validated.

  1. Go to Certificates > Organizations.

  2. On the Organizations page, check the validation status of the organization you have requested the certificate for.

Note

If the organization has not been validated, review the request, and resubmit for validation. For more information, see Manage organizations.

  • Ensure that the domain has been validated.

  1. Go to Certificates > Domains.

  2. On the Domains page, check the validation status of the domain you have requested the certificate for.

Note

If the domain has not been validated, review the request, and resubmit for validation. For more information, see Manage domains.

  • Ensure the certificate request is approved within 24 hours after the order is placed.

  1. Go to Certificates > Requests.

  2. On the Requests page, find and click the certificate order link to approve the request.

  • Ensure that the automatic approval settings for the requested certificate are enabled.

  1. Go to Settings > Preferences.

  2. On the Division Preferences page, under Advanced Settings, in the Approval Steps section, select Skip approval step: remove the approval step from your certificate order processes.