Troubleshoot post-processing scripts
System script execution issues
The following table describes common issues with system post-processing scripts and the probable cause and solution for each.
Issue description | Applicable script(s) | Probable cause | Solution |
|---|---|---|---|
Unable to retrieve the target certificate from the user's personal certificate store. | | The script cannot access the certificate. | If using a DigiCert software token, try registering the token using the Quick actions menu in DigiCert Software Keystore, then try rerunning the failed script. If using a YubiKey hardware token, try re-inserting the token and then rerunning the failed script. |
Unable to obtain the X.509 trust chain status for the target certificate. | | The issuing CA trust chain of the certificate is not accessible or unknown. | Try rerunning the failed script. If the issue persists, contact your administrator for further assistance. |
The X.509 trust chain validation for the target certificate has failed. | | The issuing CA trust chain of the certificate is not validated. | Review the DigiCert Trust Assistant logs for any reports indicating chain validation failures and contact your administrator for assistance. Try rerunning the failed script once trust chain validation is in place. |
The script signature verification failed. | | The script signature is not valid. | Rerunning the failed script may not help. Review the DigiCert Trust Assistant logs thoroughly to get more details about the script signature status and contact your administrator for assistance. |
The script execution was terminated (SIGTERM). | | The script execution did not finish within the specified time. The default script timeout value is 10 seconds and is configurable. | Increase the default script timeout value and then try rerunning the failed script. See Configure post-processing script timeout in DigiCert Trust Assistant for more details or contact your administrator for assistance. |
Outlook is not installed. | | The Microsoft Outlook application is not installed on the target system. | Make sure the 64-bit version of Microsoft Outlook is installed and working correctly. |
Invalid S/MIME certificate — certificate key usage (KU) is empty. | | The key usage (KU) value in the certificate is empty. | Rerunning the failed script may not help. Contact your administrator for assistance. |
Invalid S/MIME certificate — the certificate key usage (KU) does not contain the required field(s). | | The key usage (KU) value in the certificate does not contain the required fields(s). | Rerunning the failed script may not help. Contact your administrator for assistance. |
Invalid S/MIME certificate — certificate extended key usage (EKU) is empty. | | The extended key usage (EKU) value in the certificate is empty. | Rerunning the failed script may not help. Contact your administrator for assistance. |
Invalid S/MIME certificate — the certificate extended key usage (EKU) does not contain the required field(s). | | The extended key usage (EKU) value in the certificate does not contain the required fields(s) | Rerunning the failed script may not help. Contact your administrator for assistance. |
The Outlook account email address does not match the email address in the certificate's Common Name (CN) or Subject Alternative Name (SAN). | | The certificate contains a different email address than the one configured in your installed Outlook email account. | Make sure the Microsoft Outlook application is configured with the correct email account. Try rerunning the script once the Outlook email account is configured correctly. If the issue persists, contact your administrator for further assistance. |
The current user does not appear to be part of any Active Directory (AD) domain. | | The user is not connected to any AD domain. The script makes use of USERDNSDOMAIN environment variable to get the AD domain. | Make sure the required environment variable is set correctly. Try rerunning the script once configured correctly. If the issue persists, contact your administrator for further assistance. |
Unable to retrieve the current user's Distinguished Name (DN). | | The script cannot access the user’s Distinguished Name (DN). The script makes use of Microsoft Windows security identifiers (SIDs) to fetch the DN. | Rerunning the failed script may not help. Contact your administrator for assistance. |
Unable to publish the certificate to Active Directory (AD). | | The LDAP connection to AD is invalid or unstable. The script makes use of non-TLS connection on port 389. | Make sure the LDAP connection to the AD is stable. Review the DigiCert Trust Assistant logs to get more details about the issue and contact your administrator for further assistance. |
The script encountered an unknown error during execution. | | General error message if the issue does not fall under any of the other error scenarios. | Review the DigiCert Trust Assistant logs to get more details about the issue and contact your administrator for further assistance. |