Troubleshooting: ACME clients

CertCentral uses the ACME protocol to automate your certificate request on dedicated hosts, such as web servers or point-of-service devices. DigiCert recommends using your preferred ACME Client. However, we will be using EFF’s Certbot as the reference client for all examples. Implementation for other clients may vary.

Scenario

CertCentral issues certificate associated with the old ACME directory URL.

  1. Admin uses ACME client with the old ACME Directory URL.
  2. Admin creates a new ACME Directory URL to get a new certificate.
  3. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution

To get a certificate associated with the new ACME Directory URL, create a new directory, and provide the config-dir parameter when requesting the client.

  1. Create a configuration directory for the new certificate.

    For example:

    C:\< ConfigDirectory >

  2. Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.

bash 
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir <"UniqueConfigDirectoryPath"> --server <ACMEURL> --eab-kid <KIDValue> --eab-hmac-key <HMACkeyValue>

Scenario

Revoked ACME Directory URL prevents getting a certificate with the new ACME Directory URL.

  1. Admin uses ACME client with the old ACME Directory URL.
  2. Admin creates a new ACME Directory URL to get a new certificate.
  3. Admin revokes the old ACME Directory URL.
  4. CertCentral still issues a certificate using the old ACME Directory URL instead of the new URL.

Solution

To get a certificate associated with the new ACME Directory URL:

  1. Delete the configuration directory of the previously issued certificate configured with the revoked ACME directory URL.

  2. Create a configuration directory for the new certificate.

    For example:

    C:\< ConfigDirectory >

  3. Run the command specifying the configuration directory, ACME Directory URL, HMAC key, and KID parameters.

bash 
.\certbot certonly --register-unsafely-without-email --standalone -d <Domain> --config-dir <"UniqueConfigDirectoryPath"> --server <ACMEURL> --eab-kid <KIDValue> --eab-hmac-key <HMACkeyValue>

Scenario

Timeout error

  • When the organization associated with the certificate request is not validated.
  • When the domain associated with the certificate request is not validated.
  • When the certificate request is not approved within 24 hours.
  • When the certificate approval time is greater than 90 seconds.

Solution

Before you place a certificate request:

  • Ensure that the organization is validated.

  1. Go to Certificates > Organizations.

  2. On the Organizations page, check the validation status of the organization you have requested the certificate for.

If the organization is not validated, review the request, and resubmit for validation. For more information, see Manage organizations.

  • Ensure that the domain is validated.

  1. Go to Certificates > Domains.

  2. On the Domains page, check the validation status of the domain you have requested the certificate for.

If the domain is not validated, review the request, and resubmit for validation. For more information, see Manage domains.

  • Ensure that the certificate request is approved within 24 hours the order is placed.

  1. Go to Certificates > Requests.

  2. On the Requests page, find and click the certificate order link to approve the request.

  • Ensure that the automatic approval settings for the requested certificate is enabled.

  1. Go to Settings > Preferences.

  2. On the Division Preferences page, under Advanced Settings, in the Approval Steps section, select Skip approval step: remove the approval step from your certificate order processes.

Über

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.