Troubleshooting
Troubleshooting tips for using a third-party ACME client with DigiCert ONE.
DigiCert ONE errors:
Verify all prerequisites are met. Your account must have the automation feature enabled, you must have certificate management seats available, and your user account must have the required DigiCert® Trust Lifecycle Manager user roles.
When creating an automation profile in DigiCert® Trust Lifecycle Manager, make sure the base template you select lists 3rd Party ACME client integration in the Use cases column.
Issues linking to a CertCentral account:
On the DigiCert® Trust Lifecycle Manager Integrations > Connectors page, make sure the "Status" column shows "Linked."
If you are still experiencing issues, try unlinking the connector and then re-link it.
Network/timeout errors:
Verify you can reach the ACME URL. For hosted DigiCert ONE deployments, the URL is https://one.digicert.com/mpki/api/v1/acme/v2/directory
ACME connection issues:
Verify you are using valid EAB credentials from an ACME automation profile in DigiCert® Trust Lifecycle Manager. If you are unable to verify them, you may need to regenerate the ACME credentials in DigiCert ONE.
Validation issues for public trust certificates:
Domains must support DNS-01 or HTTP-01 validation.
For OV/EV certificates, organizations must be prevalidated.
Common name in certificate does not match your server name:
Verify the Common name settings in the automation profile in DigiCert® Trust Lifecycle Manager. The common name (CN) can be configured to come from the ACME client command options ("Entered by User") or from a separate CSR file ("From CSR").
When using the "Entered by User" option with the Certbot ACME client, the first domain name entered (
-doption) is used as the common name.
Certificates not installed in the correct location:
Verify your third-party ACME client is configured to install certificates in the correct location on your server.
For the Certbot ACME client (Linux version), configuration files are found in the
/etc/letsencryptdirectory by default. A different configuration directory may be selected with the--config-dircommand-line option. If you are automating TLS management for different applications on a single host, you must specify the correct configuration directory for the current application whenever you initiate a certificate automation event.
Other ACME client issues:
Check the third-party software provider’s documentation.
For the Certbot ACME client, see https://eff-certbot.readthedocs.io
DigiCert ONE server logs for ACME:
ACME-related messages are written to the standard server logs. Select the container for the DigiCert ONE instance to check the log messages there, or from the command line check
/var/lib/docker/containers/{container_id}/logs
Important
For additional help, contact DigiCert support.