Errors
9 minute read
Errors return both an HTTP status code and an error message. Errors caused by the client return a 4xx Client Error status code. Errors caused by the API service return a 5xx Server Error status code.
Example error response
{
"errors": [
{
"code": "<error_code>",
"message": "<error_message>"
}
]
}
Response parameters
| Name | Type | Description |
|---|---|---|
| errors | array | List of errors from the request. |
| .. code | string | Error code identifying a specific error. |
| .. message | string | Description of the error. |
4xx Client Error codes
| Status | Code | Description |
|---|---|---|
| 429 | request_limit_exceeded | Service unavailable, please limit request volume. See Rate limits. |
| 404 | not_found | Generic 404 message. Make sure the endpoint URL is properly constructed. |
| 404 | not_found | order |
| 404 | not_found | product |
| 404 | not_found | route |
| 403 | access_denied | missing_permission |
| 400 | ambiguous_product | The product.type_hint value could not be used to determine a product. See Submit order – Request parameters table. |
| 400 | auth_key_exists_for_account | An AuthKey has already been created for your account. |
| 400 | bad_request_format | The request body is malformed. Make sure the request body uses valid JSON or XML. |
| 400 | caa_check_failed | variable |
| 400 | caa_not_found | variable |
| 400 | cannot_activate_domain_lock | Cannot activate domain locking for the domain. Enable domain locking for your account and try again. |
| 400 | cannot_archive_primary_certificate | The primary certificate on an order cannot be archived. In your Archive certificate request, make sure the certificate ID is not for the primary certificate on an order and try again. |
| 400 | cannot_deactivate_domain_lock | Cannot deactivate domain locking for the domain. Enable domain locking for your account and try again. |
| 400 | cert_transparency_turned_off_for_account | CT logging has been disabled for your CertCentral account. An administrator must enable this feature. |
| 400 | cert_validity_exceeds_order_validity | The validity period of the certificate cannot exceed the validity period of the order. |
| 400 | csr_invalid_cannot_parse | The CSR is not in the correct format, is missing required fields, or contains fields with invalid characters. See Create a CSR |
| 400 | csr_invalid_key_size_client_cert | The CSR for the client certificate has too small a key. An RSA CSR for a client certificate must have a key size of 2048, 3072, or 4096. |
| 400 | csr_invalid_key_size_code_signing | CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger. Generate a new CSR and submit another request. |
| 400 | csr_not_allowed | The specified product does not use a CSR. See Glossary – CSR requirements. |
| 400 | csr_safenet_cc_invalid_csr_key_size | CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 CC hardware tokens require CSRs with an RSA 4096 or ECC P-256 key. Generate a new CSR with a compatible key size. |
| 400 | csr_safenet_fips_requires_ecc_key | CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 FIPS hardware tokens require CSRs with an ECC key. Generate a new CSR with an ECC key type or request the certificate for a platform that is compatible with your CSR (see Glossary – EV Code Signing Certificates). |
| 400 | ct_logging_disabled | CT logging has been disabled for your CertCentral account. An administrator must enable this feature. |
| 400 | custom_expiration_not_allowed | Allowed validity periods are configured for the product type. Remove the restrictions to allow custom expiration dates. |
| 400 | disabled_domain | The submitted domain is deactivated. You must activate the domain before you can submit it. See Activate domain. |
| 400 | dns_entry_missing | variable |
| 400 | dns_internal_error | variable |
| 400 | dns_invalid_domain | variable |
| 400 | dns_invalid_entry | variable |
| 400 | dns_lookup_timeout_caa | variable |
| 400 | dns_mismatch | variable |
| 400 | domain_locked | variable |
| 400 | domain_not_allowed | Domain restrictions are configured for the specified container. |
| 400 | domains_not_prevalidated | variable |
| 400 | email_domain_not_validated | Email must have a validated domain. |
| 400 | email_not_valid_email_format | The submitted email address is not valid. Make sure the submitted email address follows standard email address conventions. |
| 400 | file_incorrect_content | variable |
| 400 | file_invalid_format | variable |
| 400 | file_not_found | variable |
| 400 | file_outdated_content | variable |
| 400 | file_random_value_not_found | Unable to find the random value at the expected file location for the domain. Make sure: |
| 400 | file_server_not_reachable | variable |
| 400 | inactive_organization | The submitted organization is deactivated. Activate the organization or specify a different organization. See Activate organization. |
| 400 | internal_data_check_failed | variable |
| 400 | internal_names_not_allowed | |
| 400 | invalid_caa_entry | variable |
| 400 | invalid_ca_cert_id | The specified Certificate Authority is not valid. |
| 400 | invalid_chars:<param.name> | The specified parameter contains invalid characters. Refer to the endpoint’s Response parameters table for valid input characters. |
| 400 | invalid_cname_whitelist | variable |
| 400 | invalid_cname_validation | variable |
| 400 | invalid_common_name_on_duplicate | The common name on duplicate requests must match what was on the original order. Refer to the original order for the correct common name. |
| 400 | invalid_wildcard_dcv_method | The DCV method in the request (http-token) cannot be used to validate wildcard domain names. Submit the request using another supported DCV method. For more information, see File-based domain control validation (http-token). |
| 400 | invalid_dns_cname | variable |
| 400 | invalid_dns_method | The DCV method for the order is set to email. |
| 400 | invalid_dns_name_on_duplicate | The DNS name on duplicate requests must match what was on the original order. Refer to the original order for the correct DNS name. |
| 400 | invalid_dns_txt | Unable to find a valid DNS TXT record for the domain. Make sure: |
| 400 | invalid_payment_method | The specified payment method is not enabled. To use the specified payment request, you must enable it in your account. |
| 400 | invalid_value:<param.name> | The specified parameter contains an invalid value. Refer to the endpoint’s Response parameters table for valid input values. |
| 400 | invalid_value:validity_years | The specified parameter contains an invalid value for the time span allowed. This can occur when the number of years specified is not permitted because the span exceeds what the order allows (for example, more than three years for a code signing certificate), or what is set as the limit at the account level by an admin. Additionally, this error may occur when the order validity is set with a custom_expiration_date and an admin for the account has already applied a limit to the allowed order validity period. When an admin applies this limit, the option to set a custom expiration date is disabled for the product using order_validity.days or order_validity.custom_expiration.date. |
| 400 | malformed_cname_target | variable |
| 400 | missing_ca_cert_id | The certificate authority ID is required for this request. Specify the certificate authority to issue the certificate from and resend your request. |
| 400 | missing_dns_name_on_duplicate | The DNS name is missing from the request. DNS names cannot be removed on duplicate orders. Resend the request with the DNS name included. |
| 400 | missing_request_data | No body was sent with the request. Refer to the endpoint’s documentation for request requirements. |
| 400 | missing_required_custom_field | The request body is missing a required custom field. To get a list of custom order field metadata for your account, see List custom fields. |
| 400 | no_private_ca_enabled | No private certificate authorities are enabled for the account. |
| 400 | not_allowed_to_change_ct_setting_per_order | The per certificate order feature has not been activated for your CertCentral account. An administrator must enable this feature. |
| 400 | note_contains_private_key | Never share private keys with any third party, including DigiCert. Remove the private key and try again. |
| 400 | order_not_eligible_for_duplicate | Duplicates are not allowed for the specified order. |
| 400 | order_not_eligible_for_renewal | Order not eligible for renewal. Returned for SSL certificate order requests when the order to renew ( renewal_of_order_id) is not within the renewal window. Wait until the order is within the renewal window and try again. |
| 400 | order_renewed_already | Order not eligible for renewal. Returned for SSL certificate order requests when the order to renew ( renewal_of_order_id) has already been renewed.An order can only be renewed once. Submit a new certificate order request, or use the Order info API to get the order ID of the renewed order ( was_renewed_by_order_id). |
| 400 | other_domain_on_wildcard | All SANs on a wildcard certificate must have the same common name. Either change the SANs to use the same common name or order a multi-domain certificate. |
| 400 | pending_account_merge_completion | DigiCert is processing a request to merge the account that sent the request with another CertCentral account. While the merge is in progress, the accounts being merged cannot: To perform these operations, wait until the merge is complete. Submit a new request from the account that persists after the merge. |
| 400 | pending_reissue | A previous reissue request is still pending for the order. You must reject or approve and issue the pending request before a new reissue request can be placed. |
| 400 | product_name_limit_exceeded | You have exceeded the number of names allowed on this product. |
| 400 | product_not_allowed | This product is not allowed. |
| 400 | protected_domain | One or more domains listed on this certificate request are protected by the domain owner. Modify the domains and resubmit the request. |
| 400 | required_param: | The specified parameter is required. Refer to the endpoint’s Response parameters table to identify required and optional parameters. |
| 400 | rfc5280_common_name_invalid | The submitted common name does not conform to industry standards. |
| 400 | rfc5280_common_name_too_long | Common name must be less than 64 characters in order to be compliant with industry standards. |
| 400 | rfc5280_org_unit_too_long | Organization units must be less than 64 characters in order to be compliant with industry standards. |
| 400 | rfc5280_org_name_too_long | Organization name total length (including Assumed Name for EV certificates) must be less than 64 characters in order to be compliant with industry standards. |
| 400 | rfc5280_address_field_too_long | Address fields must be less than 64 characters in order to be compliant with industry standards. |
| 400 | rfc5280_org_unit_invalid | The org unit field contains an invalid value according to industry standards. |
| 400 | rfc5280_org_invalid | One or more fields on the organization contains invalid values according to industry standards. |
| 400 | va_not_eligible_order | The request failed for one of the following reasons: |
| 400 | va_not_eligible_product | The request failed because the product does not support vulnerability assessments. For a list of products that support vulnerability assessments, see Vulnerability assessments – Supported products. |
| 400 | va_order_not_found | No data found for the submitted request. Make sure you are using the correct order ID, then try again. |
| 400 | va_order_already_enabled | Vulnerability assessments are already enabled for the order. |
| 400 | va_order_not_enabled | Vulnerability assessments are not enabled for the order. Make sure you are using the correct order ID and that vulnerability assessments are enabled, then try again. |
| 400 | va_domain_not_found | The domain in the request is not included on the specified order. Make sure you are using the correct domain and order ID, then try again. |
| 400 | va_email_recipient_not_found | No email recipient found on the order. |
| 400 | va_bad_request | The request is not formatted correctly. Make sure the filter parameters and URL query strings in your request are formatted correctly, then try again. |
| 400 | vmc_logo_unable_to_decode | Logo could not be decoded. Use one of these endpoints to make sure the logo meets formatting requirements for VMC, and then try again: |
| 400 | vmc_logo_size_exceeded | variable |
| 400 | need_vmc_logo | To add or modify trademark details, you must first upload a logo for the order. New VMC order requests can only include a trademark country code or registration number if they also include a logo. If you receive this error when submitting a new VMC order request, do one of the following: |
| 400 | cannot_modify_approved_logo | The logo is already validated and approved. You cannot change the trademark country code or registration number for an approved VMC logo. |
| 400 | order_not_pending | Requested operation can only be performed on orders with a pending status. |
| 400 | invalid_vmc_logo | Logo does not meet the formatting requirements for VMC certificates. Fix the formatting issues described in the error message and try again. |
| 400 | username_unavailable | The specified username is not available. |
| 400 | user_cannot_access_organization | The user does not have access to the organization. |
Was this page helpful?
Provide feedback