Troubleshooting scenarios for third-party ACME clients
CertCentral is compatible with any automation client that supports the industry standard ACME protocol.
EFF’s Certbot is used as the reference client for all troubleshooting examples here. Implementation details for other clients may vary.
Scenario: CertCentral issues a certificate associated with the old ACME directory URL
Scenario:
The administrator uses an ACME client with the old ACME Directory URL.
The administrator creates a new ACME Directory URL to get a new certificate.
CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.
Solution:
To get a certificate associated with the new ACME Directory URL, create a new configuration directory and pass it to the client with the config-dir parameter.
Create a configuration directory for the new certificate. For example:
C:\<ConfigDirectory>
Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>
Scenario: Revoked ACME directory URL blocks certificate issuance with the new URL
Scenario:
The administrator uses an ACME client with the old ACME Directory URL.
The administrator creates a new ACME Directory URL to get a new certificate.
The administrator revokes the old ACME Directory URL.
CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.
Solution:
To get a certificate associated with the new ACME Directory URL:
Delete the configuration directory of the previously issued certificate configured with the revoked ACME directory URL.
Create a configuration directory for the new certificate. For example:
C:\<ConfigDirectory>
Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir=<UniqueConfigDirectoryPath> --server <ACMEURL> --eab-kid=<KIDValue> --eab-hmac-key=<HMACkeyValue>
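Both scenarios above come down to the same rule: one certbot configuration directory per ACME Directory URL, never shared between an old and a new URL. The POSIX shell helper below is an added example, not code from DigiCert or the certbot project; it derives a unique configuration directory from the ACME Directory URL, refuses to reuse a directory that already holds account data for a different ACME host (assuming certbot keeps accounts under <config-dir>/accounts/<server host>/, which is an assumption and not stated on this page), and then assembles the certbot command shown above.

```shell
#!/bin/sh
# Added example; not from the CertCentral docs or the certbot project.
# Assumption (not stated on the page): certbot keeps account data under
# <config-dir>/accounts/<ACME-server-host>/, so a config dir that already
# holds accounts for another host is bound to the old ACME Directory URL.

# Derive a unique config dir from the ACME Directory URL (host + path, sanitized).
config_dir_for() {
  # $1 = ACME Directory URL, $2 = base directory under which config dirs live
  u=${1#https://}; u=${u#http://}
  printf '%s/%s' "$2" "$(printf '%s' "$u" | tr -c 'A-Za-z0-9._-' '_')"
}

# Succeed (0) if the config dir is unused or already bound to this ACME host;
# fail (1) if it holds accounts registered against a different ACME server.
config_dir_ok() {
  # $1 = config dir, $2 = ACME Directory URL
  u=${2#https://}; u=${u#http://}; want=${u%%/*}
  [ -d "$1/accounts" ] || return 0
  for d in "$1"/accounts/*/; do
    [ -d "$d" ] || continue
    [ "$(basename "$d")" = "$want" ] || return 1
  done
  return 0
}

# Print the certbot command (one argument per line) after checking the config dir.
# Returns 1 and prints nothing on stdout when the dir belongs to another server.
plan_issue() {
  # $1 = domain, $2 = ACME Directory URL, $3 = config dir,
  # $4 = EAB KID, $5 = EAB HMAC key (values come from CertCentral)
  config_dir_ok "$3" "$2" || {
    echo "refusing: $3 holds an account for a different ACME server" >&2
    return 1
  }
  printf '%s\n' certbot certonly --register-unsafely-without-email --standalone \
    -d "$1" --config-dir "$3" --server "$2" --eab-kid "$4" --eab-hmac-key "$5"
}
```

To actually issue, feed the printed arguments to certbot (for example with xargs, or by replacing printf with an exec) once plan_issue succeeds.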
Scenario: Timeout error
Timeout error:
When the organization associated with the certificate request is not validated.
When the domain associated with the certificate request is not validated.
When the certificate request is not approved within 24 hours.
When the certificate approval time is greater than 90 seconds.
Solution:
Before placing a certificate request:
Ensure that the organization is validated.
In the CertCentral main menu, go to Certificates > Organizations.
On the Organizations page, check the validation status of the organization associated with the certificate request.
Note
If the organization is not validated, review the request, and resubmit for validation. For more information, see Manage organizations.
Confirm the domain is validated.
In the CertCentral main menu, go to Certificates > Domains.
On the Domains page, check the validation status of the domain you have requested the certificate for.
Note
If the domain is not validated, review the request, and resubmit for validation. For more information, see Manage domains.
Ensure the certificate request is approved within 24 hours after the order is placed.
In the CertCentral main menu, go to Certificates > Requests.
On the Requests page, find and click the certificate order link to approve the request.
Confirm the automatic approval settings for the requested certificate are enabled.
In the CertCentral main menu, go to Settings > Preferences.
On the Division Preferences page, under Advanced Settings, in the Approval Steps section, select Skip approval step: remove the approval step from your certificate order processes.