
Troubleshooting

Troubleshooting tips for using a third-party ACME client with DigiCert ONE.

DigiCert ONE errors:

  • Verify all prerequisites are met. Your account must have the automation feature enabled, you must have certificate management seats available, and your user account must have the required DigiCert® Trust Lifecycle Manager user roles.

  • When creating an automation profile in DigiCert® Trust Lifecycle Manager, make sure the base template you select lists 3rd Party ACME client integration in the Use cases column.

Issues linking to a CertCentral account:

  • On the DigiCert® Trust Lifecycle Manager Integrations > Connectors page, make sure the "Status" column shows "Linked."

  • If you are still experiencing issues, try unlinking the connector and then relinking it.

Network/timeout errors:

ACME connection issues:

  • Verify you are using valid EAB credentials from an ACME automation profile in DigiCert® Trust Lifecycle Manager. If you are unable to verify them, you may need to regenerate the ACME credentials in DigiCert ONE.

Validation issues for public trust certificates:

  • Domains must support DNS-01 or HTTP-01 validation.

  • For OV/EV certificates, organizations must be prevalidated.

Common name in certificate does not match your server name:

  • Verify the Common name settings in the automation profile in DigiCert® Trust Lifecycle Manager. The common name (CN) can be configured to come from the ACME client command options ("Entered by User") or from a separate CSR file ("From CSR").

  • When using the "Entered by User" option with the Certbot ACME client, the first domain name entered (-d option) is used as the common name.

Certificates not installed in the correct location:

  • Verify your third-party ACME client is configured to install certificates in the correct location on your server.

  • For the Certbot ACME client (Linux version), configuration files are found in the /etc/letsencrypt directory by default. A different configuration directory may be selected with the --config-dir command-line option. If you are automating TLS management for different applications on a single host, you must specify the correct configuration directory for the current application whenever you initiate a certificate automation event.
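When several applications on one host each use their own Certbot configuration directory, the following added example (not DigiCert or Certbot code) reports which directory manages the certificate file a server is actually serving. It relies on the renewal/<lineage>.conf files Certbot keeps under each configuration directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not DigiCert or Certbot code): report which Certbot
# configuration directory manages the certificate file a server is serving.
# Relies on Certbot's <config-dir>/renewal/<lineage>.conf files.

# Print a top-level "key = value" entry; stop at the first [section].
conf_value() {  # usage: conf_value FILE KEY
    awk -F' *= *' -v key="$2" '
        /^\[/     { exit }
        $1 == key { print $2; exit }
    ' "$1"
}

# Print the lineage in CONFIG_DIR whose cert or fullchain path is CERT_PATH.
find_lineage() {  # usage: find_lineage CONFIG_DIR CERT_PATH
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue      # glob matched nothing
        for key in cert fullchain; do
            if [ "$(conf_value "$conf" "$key")" = "$2" ]; then
                basename "$conf" .conf
                return 0
            fi
        done
    done
    return 1
}

# Print "<config-dir> <lineage>" for the first candidate directory that
# manages CERT_PATH; return 1 if none of them does.
owning_config_dir() {  # usage: owning_config_dir CERT_PATH CONFIG_DIR...
    cert_path=$1
    shift
    for dir in "$@"; do
        if lineage=$(find_lineage "$dir" "$cert_path"); then
            printf '%s %s\n' "$dir" "$lineage"
            return 0
        fi
    done
    return 1
}

# Command-line use: script.sh CERT_PATH CONFIG_DIR [CONFIG_DIR...]
if [ "$#" -ge 2 ]; then
    owning_config_dir "$@" || { echo "no listed config dir manages $1" >&2; exit 1; }
fi
```

Pass the directory it reports to --config-dir when you initiate a certificate automation event for that application.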

Other ACME client issues:

DigiCert ONE server logs for ACME:

  • ACME-related messages are written to the standard server logs. Select the container for the DigiCert ONE instance to check the log messages there, or check /var/lib/docker/containers/{container_id}/logs from the command line.

Important

For additional help, contact DigiCert support.