Errors
Errors return both an HTTP status code and an error message. Errors caused by the client return a 4xx Client Error status code. Errors caused by the API service return a 5xx Server Error status code.
Example error response
{ "errors": [ { "code": "<error_code>", "message": "<error_message>" } ] }
Response parameters
Name | Type | Description |
---|---|---|
errors | array | List of errors from the request. |
.. code | string | Error code identifying a specific error. |
.. message | string | Description of the error. |
4xx Client Error codes
Status | Code | Description |
---|---|---|
429 | request_limit_exceeded | Service unavailable, please limit request volume. See Rate limits. |
404 | not_found | Generic 404 message. Make sure the endpoint URL is properly constructed. |
404 | not_found|order | The specified order was not found. Make sure:
|
404 | not_found|product | The specified product was not found. Make sure you are using the correct product identifier. See Glossary - Product identifiers. |
404 | not_found|route | The endpoint does not exist. Make sure the endpoint URL you are using is correct. |
403 | access_denied|missing_permission | The API key you are using does not have permission to carry out the request. Send a GET request to the |
400 | ambiguous_product | The |
400 | auth_key_exists_for_account | An AuthKey has already been created for your account. |
400 | bad_request_format | The request body is malformed. Make sure the request body uses valid JSON or XML. |
400 | caa_check_failed|variable | CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks. |
400 | caa_not_found|variable | CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks. |
400 | cannot_activate_domain_lock | Cannot activate domain locking for the domain. Enable domain locking for your account and try again. |
400 | cannot_archive_primary_certificate | The primary certificate on an order cannot be archived. In your Archive certificate request, make sure the certificate ID is not for the primary certificate on an order and try again. |
400 | cannot_deactivate_domain_lock | Cannot deactivate domain locking for the domain. Enable domain locking for your account and try again. |
400 | cert_transparency_turned_off_for_account | CT logging has been disabled for your CertCentral account. An administrator must enable this feature. |
400 | cert_validity_exceeds_order_validity | The validity period of the certificate cannot exceed the validity period of the order. |
400 | csr_invalid_cannot_parse | The CSR is not in the correct format, is missing required fields, or contains fields with invalid characters. See Create a CSR |
400 | csr_invalid_key_size_client_cert | The CSR for the client certificate has too small a key. An RSA CSR for a client certificate must have a key size of 2048, 3072, or 4096. |
400 | csr_invalid_key_size_code_signing | CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger. Generate a new CSR and submit another request. |
400 | csr_not_allowed | The specified product does not use a CSR. See Glossary – CSR requirements. |
400 | csr_safenet_cc_invalid_csr_key_size | CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 CC hardware tokens require CSRs with an RSA 4096 or ECC P-256 key. Generate a new CSR with a compatible key size. |
400 | csr_safenet_fips_requires_ecc_key | CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 FIPS hardware tokens require CSRs with an ECC key. Generate a new CSR with an ECC key type or request the certificate for a platform that is compatible with your CSR (see Glossary – EV Code Signing Certificates). |
400 | ct_logging_disabled | CT logging has been disabled for your CertCentral account. An administrator must enable this feature. |
400 | custom_expiration_not_allowed | Allowed validity periods are configured for the product type. Remove the restrictions to allow custom expiration dates. |
400 | disabled_domain | The submitted domain is deactivated. You must activate the domain before you can submit it. See Activate domain. |
400 | dns_entry_missing|variable | Expected value not found on the DNS TXT record for the domain. Make sure the request token for the DNS TXT record is valid. |
400 | dns_internal_error|variable | Unable to process request. Please try again. |
400 | dns_invalid_domain|variable | The domain is invalid. Make sure the domain string is correct. |
400 | dns_invalid_entry|variable | Invalid DNS TXT record. Make sure the DNS TXT record exists and has a valid request token. For more information about generating a request token for immediate DV certificate issuance, see DV certificate immediate issuance - How to generate your request token. |
400 | dns_lookup_timeout_caa|variable | CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks. |
400 | dns_mismatch|variable | No DNS TXT record found for the domain. Make sure a valid DNS TXT record exists for the domain. |
400 | domain_locked|variable | The common name or one or more subject alternative names on the certificate order request are locked by another CertCentral account. Learn more about domain locking: |
400 | domain_not_allowed | Domain restrictions are configured for the specified container. |
400 | domains_not_prevalidated|variable|variable | Returns if:
In this error code:
Make sure the order only includes prevalidated domains and resubmit the request, or contact your account administrator. |
400 | email_domain_not_validated | Email must have a validated domain. |
400 | email_not_valid_email_format | The submitted email address is not valid. Make sure the submitted email address follows standard email address conventions. |
400 | file_incorrect_content|variable | Expected content not found in the fileauth.txt file for the domain. Make sure the content of the fileauth.txt file is formatted correctly. For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth. |
400 | file_invalid_format|variable | The fileauth.txt file for the domain is not formatted correctly. Check that you are using the correct file format and request token. For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth. |
400 | file_not_found|variable | Could not find a fileauth.txt file for the domain. Make sure a valid filauth.txt file is hosted in the right location, and check that the domain string is correct. For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth. |
400 | file_outdated_content|variable | The timestamp in the request token is invalid. Make sure you have formatted the timestamp and request token correctly, and check that the timestamp has not expired. For more information about creating timestamps and generating request tokens for immediate DV certificate issuance, see DV certificate immediate issuance. |
400 | file_random_value_not_found | Unable to find the random value at the expected file location for the domain. Make sure:
|
400 | file_server_not_reachable|variable | Could not reach the server for the domain. Make sure the domain string is correct, and check that your server is configured correctly. |
400 | inactive_organization | The submitted organization is deactivated. Activate the organization or specify a different organization. See Activate organization. |
400 | internal_data_check_failed|variable | Unable to process request. Please try again. |
400 | internal_names_not_allowed | |
400 | invalid_caa_entry|variable | CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks. |
400 | invalid_ca_cert_id | The specified Certificate Authority is not valid. |
400 | invalid_chars:<param.name> | The specified parameter contains invalid characters. Refer to the endpoint's Response parameters table for valid input characters. |
400 | invalid_cname_whitelist|variable | When using the CNAME Target (also known as CNAME Delegation) DCV method, the target domain on the CNAME record is not in the allowlist. To set the domain on the CNAME record as an allowed target for CNAME delegation, contact DigiCert Support. |
400 | invalid_cname_validation|variable | When using the CNAME Target (also known as CNAME Delegation) DCV method, the target domain on the CNAME record is not validated. Submit the domain on the CNAME record for validation and complete the DCV check before you try again. For help, contact DigiCert Support. |
400 | invalid_common_name_on_duplicate | The common name on duplicate requests must match what was on the original order. Refer to the original order for the correct common name. |
400 | invalid_wildcard_dcv_method | The DCV method in the request ( |
400 | invalid_dns_cname|variable | Unable to find a valid DNS CNAME record for the domain. Make sure the CNAME record is constructed correctly and exists on the right domain before you try again. For help, contact DigiCert Support. |
400 | invalid_dns_method | The DCV method for the order is set to email. |
400 | invalid_dns_name_on_duplicate | The DNS name on duplicate requests must match what was on the original order. Refer to the original order for the correct DNS name. |
400 | invalid_dns_txt | Unable to find a valid DNS TXT record for the domain. Make sure:
|
400 | invalid_payment_method | The specified payment method is not enabled. To use the specified payment request, you must enable it in your account. |
400 | invalid_value:<param.name> | The specified parameter contains an invalid value. Refer to the endpoint's Response parameters table for valid input values. |
400 | invalid_value:validity_years | The specified parameter contains an invalid value for the time span allowed. This can occur when the number of years specified is not permitted because the span exceeds what the order allows (for example, more than three years for a code signing certificate), or what is set as the limit at the account level by an admin. Additionally, this error may occur when the order validity is set with a |
400 | malformed_cname_target|variable | When using the CNAME Target (also known as CNAME Delegation) DCV method, DigiCert could not process the CNAME record because it contains a malformed target domain. Make sure the target domain on your CNAME record is constructed correctly and try again. For help, contact DigiCert Support. |
400 | missing_ca_cert_id | The certificate authority ID is required for this request. Specify the certificate authority to issue the certificate from and resend your request. |
400 | missing_dns_name_on_duplicate | The DNS name is missing from the request. DNS names cannot be removed on duplicate orders. Resend the request with the DNS name included. |
400 | missing_request_data | No body was sent with the request. Refer to the endpoint's documentation for request requirements. |
400 | missing_required_custom_field | The request body is missing a required custom field. To get a list of custom order field metadata for your account, see List custom fields. |
400 | no_private_ca_enabled | No private certificate authorities are enabled for the account. |
400 | not_allowed_to_change_ct_setting_per_order | The per certificate order feature has not been activated for your CertCentral account. An administrator must enable this feature. |
400 | note_contains_private_key | Never share private keys with any third party, including DigiCert. Remove the private key and try again. |
400 | order_not_eligible_for_duplicate | Duplicates are not allowed for the specified order. |
400 | order_not_eligible_for_renewal | Order not eligible for renewal. Returned for SSL certificate order requests when the order to renew ( |
400 | order_renewed_already | Order not eligible for renewal. Returned for SSL certificate order requests when the order to renew ( An order can only be renewed once. Submit a new certificate order request, or use the Order info API to get the order ID of the renewed order ( |
400 | other_domain_on_wildcard | All SANs on a wildcard certificate must have the same common name. Either change the SANs to use the same common name or order a multi-domain certificate. |
400 | pending_account_merge_completion | DigiCert is processing a request to merge the account that sent the request with another CertCentral account. While the merge is in progress, the accounts being merged cannot:
To perform these operations, wait until the merge is complete. Submit a new request from the account that persists after the merge. |
400 | pending_reissue | A previous reissue request is still pending for the order. You must reject or approve and issue the pending request before a new reissue request can be placed. |
400 | product_name_limit_exceeded | You have exceeded the number of names allowed on this product. |
400 | product_not_allowed | This product is not allowed. |
400 | protected_domain | One or more domains listed on this certificate request are protected by the domain owner. Modify the domains and resubmit the request. |
400 | required_param: | The specified parameter is required. Refer to the endpoint's Response parameters table to identify required and optional parameters. |
400 | rfc5280_common_name_invalid | The submitted common name does not conform to industry standards. |
400 | rfc5280_common_name_too_long | Common name must be less than 64 characters in order to be compliant with industry standards. |
400 | rfc5280_org_unit_too_long | Organization units must be less than 64 characters in order to be compliant with industry standards. |
400 | rfc5280_org_name_too_long | Organization name total length (including Assumed Name for EV certificates) must be less than 64 characters in order to be compliant with industry standards. |
400 | rfc5280_address_field_too_long | Address fields must be less than 64 characters in order to be compliant with industry standards. |
400 | rfc5280_org_unit_invalid | The org unit field contains an invalid value according to industry standards. |
400 | rfc5280_org_invalid | One or more fields on the organization contains invalid values according to industry standards. |
400 | va_not_eligible_order | The request failed for one of the following reasons:
|
400 | va_not_eligible_product | The request failed because the product does not support vulnerability assessments. For a list of products that support vulnerability assessments, see Vulnerability assessments – Supported products. |
400 | va_order_not_found | No data found for the submitted request. Make sure you are using the correct order ID, then try again. |
400 | va_order_already_enabled | Vulnerability assessments are already enabled for the order. |
400 | va_order_not_enabled | Vulnerability assessments are not enabled for the order. Make sure you are using the correct order ID and that vulnerability assessments are enabled, then try again. |
400 | va_domain_not_found | The domain in the request is not included on the specified order. Make sure you are using the correct domain and order ID, then try again. |
400 | va_email_recipient_not_found | No email recipient found on the order. |
400 | va_bad_request | The request is not formatted correctly. Make sure the filter parameters and URL query strings in your request are formatted correctly, then try again. |
400 | vmc_logo_unable_to_decode | Logo could not be decoded. Use one of these endpoints to make sure the logo meets formatting requirements for VMC, and then try again: |
400 | vmc_logo_size_exceeded|variable | Logo exceeds the maximum size allowed for VMC certificate orders. Resize the logo to be smaller than the size returned in the error message and try again. |
400 | need_vmc_logo | To add or modify trademark details, you must first upload a logo for the order. New VMC order requests can only include a trademark country code or registration number if they also include a logo. If you receive this error when submitting a new VMC order request, do one of the following:
|
400 | cannot_modify_approved_logo | The logo is already validated and approved. You cannot change the trademark country code or registration number for an approved VMC logo. |
400 | order_not_pending | Requested operation can only be performed on orders with a pending status. |
400 | invalid_vmc_logo | Logo does not meet the formatting requirements for VMC certificates. Fix the formatting issues described in the error message and try again. |
400 | username_unavailable | The specified username is not available. |