Errors

Errors return both an HTTP status code and an error message. Errors caused by the client return a 4xx Client Error status code. Errors caused by the API service return a 5xx Server Error status code.

Example error response

{
  "errors": [
    {
      "code": "<error_code>",
      "message": "<error_message>"
    }
  ]
}

Response parameters

| Name | Type | Description |
|---|---|---|
| errors | array | List of errors from the request. |
| .. code | string | Error code identifying a specific error. |
| .. message | string | Description of the error. |
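One way a client could consume this response shape is sketched below; it is an added example, not DigiCert code. It assumes the `|variable` and `:<param.name>` suffixes appear literally in `code`, as the table below writes them. The retry and alert sets, the retry-on-5xx policy, and the `unparsed_body` placeholder are this example's own choices.

```python
import json

# Codes the table below describes with rate-limit or "try again" wording.
RETRYABLE = {"request_limit_exceeded", "dns_internal_error",
             "internal_data_check_failed"}
# This example's own choice of codes worth surfacing to a security team.
ALERT = {"access_denied", "note_contains_private_key"}


def split_code(code):
    """Split 'base|var|var' or 'base:param' into (base, [details])."""
    head, *variables = code.split("|")
    base, sep, param = head.partition(":")
    return base, ([param] if sep else []) + variables


def classify(status, body):
    """Parse an error response body; return one record per listed error."""
    try:
        errors = json.loads(body)["errors"]
    except (ValueError, KeyError, TypeError):
        errors = None
    if not isinstance(errors, list):
        # Body is not the documented shape (for example an HTML page from a
        # proxy). "unparsed_body" is a placeholder code, not an API code.
        errors = [{"code": "unparsed_body", "message": ""}]
    side = "server" if status >= 500 else "client"
    records = []
    for err in errors:
        if not isinstance(err, dict):
            continue
        base, details = split_code(str(err.get("code", "")))
        records.append({
            "side": side,
            "base": base,
            "details": details,
            "message": err.get("message", ""),
            # Assumed policy: retry 5xx and the codes listed in RETRYABLE.
            "retry": side == "server" or base in RETRYABLE,
            "alert": base in ALERT,
        })
    return records


# Constructed sample body; codes come from the table, values are made up.
SAMPLE = json.dumps({"errors": [
    {"code": "domains_not_prevalidated|example.com|Example Org",
     "message": "constructed message"},
    {"code": "invalid_value:validity_years", "message": "constructed message"},
    {"code": "access_denied|missing_permission", "message": "constructed message"},
]})
```

Matching on the base code rather than the full string keeps handlers stable when the variable part changes between requests.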

4xx Client Error codes

Status

Code

Description

429

request_limit_exceeded

Service unavailable, please limit request volume. See Rate limits.

404

not_found

Generic 404 message. Make sure the endpoint URL is properly constructed.

404

not_found|order

The specified order was not found. Make sure:

  • The SSL/TLS certificate order ID is correct.

  • The SSL/TLS certificate has been migrated to your CertCentral account.

404

not_found|product

The specified product was not found. Make sure you are using the correct product identifier. See Glossary - Product identifiers.

404

not_found|route

The endpoint does not exist. Make sure the endpoint URL you are using is correct.

403

access_denied|missing_permission

The API key you are using does not have permission to carry out the request. Send a GET request to the /user/me endpoint and find the access_roles.name value to identify the key's authorization level.

400

ambiguous_product

The product.type_hint value could not be used to determine a product. See Submit order – Request parameters table.

400

auth_key_exists_for_account

An AuthKey has already been created for your account.

400

bad_request_format

The request body is malformed. Make sure the request body uses valid JSON or XML.

400

caa_check_failed|variable

CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks.

400

caa_not_found|variable

CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks.

400

cannot_activate_domain_lock

Cannot activate domain locking for the domain. Enable domain locking for your account and try again.

400

cannot_archive_primary_certificate

The primary certificate on an order cannot be archived. In your Archive certificate request, make sure the certificate ID is not for the primary certificate on an order and try again.

400

cannot_deactivate_domain_lock

Cannot deactivate domain locking for the domain. Enable domain locking for your account and try again.

400

cert_transparency_turned_off_for_account

CT logging has been disabled for your CertCentral account. An administrator must enable this feature.

400

cert_validity_exceeds_order_validity

The validity period of the certificate cannot exceed the validity period of the order.

400

csr_invalid_cannot_parse

The CSR is not in the correct format, is missing required fields, or contains fields with invalid characters. See Create a CSR.

400

csr_invalid_key_size_client_cert

The CSR for the client certificate has too small a key. An RSA CSR for a client certificate must have a key size of 2048, 3072, or 4096.

400

csr_invalid_key_size_code_signing

CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger. Generate a new CSR and submit another request.

400

csr_not_allowed

The specified product does not use a CSR. See Glossary – CSR requirements.

400

csr_safenet_cc_invalid_csr_key_size

CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 CC hardware tokens require CSRs with an RSA 4096 or ECC P-256 key. Generate a new CSR with a compatible key size.

400

csr_safenet_fips_requires_ecc_key

CSR key size is not compatible with the hardware token in the request. SafeNet eToken 5110 FIPS hardware tokens require CSRs with an ECC key. Generate a new CSR with an ECC key type or request the certificate for a platform that is compatible with your CSR (see Glossary – EV Code Signing Certificates).

400

ct_logging_disabled

CT logging has been disabled for your CertCentral account. An administrator must enable this feature.

400

custom_expiration_not_allowed

Allowed validity periods are configured for the product type. Remove the restrictions to allow custom expiration dates.

400

disabled_domain

The submitted domain is deactivated. You must activate the domain before you can submit it. See Activate domain.

400

dns_entry_missing|variable

Expected value not found on the DNS TXT record for the domain. Make sure the request token for the DNS TXT record is valid.

400

dns_internal_error|variable

Unable to process request. Please try again.

400

dns_invalid_domain|variable

The domain is invalid. Make sure the domain string is correct.

400

dns_invalid_entry|variable

Invalid DNS TXT record. Make sure the DNS TXT record exists and has a valid request token.

For more information about generating a request token for immediate DV certificate issuance, see DV certificate immediate issuance - How to generate your request token.

400

dns_lookup_timeout_caa|variable

CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks.

400

dns_mismatch|variable

No DNS TXT record found for the domain. Make sure a valid DNS TXT record exists for the domain.

400

domain_locked|variable

The common name or one or more subject alternative names on the certificate order request are locked by another CertCentral account. 

Learn more about domain locking:

400

domain_not_allowed

Domain restrictions are configured for the specified container.

400

domains_not_prevalidated|variable|variable

Returns if:

  • The account is configured to only accept certificate order requests for prevalidated domains.

  • You request a certificate for domains not prevalidated for the organization on the order.

In this error code:

  • The first variable is a list of the domains that are not prevalidated.

  • The second variable is the organization on the order.

Make sure the order only includes prevalidated domains and resubmit the request, or contact your account administrator.

400

email_domain_not_validated

Email must have a validated domain.

400

email_not_valid_email_format

The submitted email address is not valid. Make sure the submitted email address follows standard email address conventions.

400

file_incorrect_content|variable

Expected content not found in the fileauth.txt file for the domain. Make sure the content of the fileauth.txt file is formatted correctly.

For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth.

400

file_invalid_format|variable

The fileauth.txt file for the domain is not formatted correctly. Check that you are using the correct file format and request token.

For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth.

400

file_not_found|variable

Could not find a fileauth.txt file for the domain. Make sure a valid fileauth.txt file is hosted in the right location, and check that the domain string is correct.

For more information about hosting the fileauth.txt file for immediate DV certificate issuance, see DV Certificate Immediate Issuance – File Auth.

400

file_outdated_content|variable

The timestamp in the request token is invalid. Make sure you have formatted the timestamp and request token correctly, and check that the timestamp has not expired.

For more information about creating timestamps and generating request tokens for immediate DV certificate issuance, see DV certificate immediate issuance.

400

file_random_value_not_found

Unable to find the random value at the expected file location for the domain. Make sure:

  • .txt file name is fileauth.txt.

  • fileauth.txt file was placed under .well-known/pki-validation/. Example URL: http://[yourdomain]/.well-known/pki-validation/fileauth.txt

  • Random value in the fileauth.txt file matches the DigiCert provided random value.

400

file_server_not_reachable|variable

Could not reach the server for the domain. Make sure the domain string is correct, and check that your server is configured correctly.

400

inactive_organization

The submitted organization is deactivated. Activate the organization or specify a different organization. See Activate organization.

400

internal_data_check_failed|variable

Unable to process request. Please try again.

400

internal_names_not_allowed

400

invalid_caa_entry|variable

CAA check failed. Make sure the CAA resource records for the domain are configured correctly. For more information, see DNS CAA resource record checks.

400

invalid_ca_cert_id

The specified Certificate Authority is not valid.

400

invalid_chars:<param.name>

The specified parameter contains invalid characters. Refer to the endpoint's Response parameters table for valid input characters.

400

invalid_cname_whitelist|variable

When using the CNAME Target (also known as CNAME Delegation) DCV method, the target domain on the CNAME record is not in the allowlist. To set the domain on the CNAME record as an allowed target for CNAME delegation, contact DigiCert Support.

400

invalid_cname_validation|variable

When using the CNAME Target (also known as CNAME Delegation) DCV method, the target domain on the CNAME record is not validated. Submit the domain on the CNAME record for validation and complete the DCV check before you try again. For help, contact DigiCert Support.

400

invalid_common_name_on_duplicate

The common name on duplicate requests must match what was on the original order. Refer to the original order for the correct common name.

400

invalid_wildcard_dcv_method

The DCV method in the request (http-token) cannot be used to validate wildcard domain names. Submit the request using another supported DCV method. For more information, see File-based domain control validation (http-token).

400

invalid_dns_cname|variable

Unable to find a valid DNS CNAME record for the domain. Make sure the CNAME record is constructed correctly and exists on the right domain before you try again. For help, contact DigiCert Support.

400

invalid_dns_method

The DCV method for the order is set to email.

400

invalid_dns_name_on_duplicate

The DNS name on duplicate requests must match what was on the original order. Refer to the original order for the correct DNS name.

400

invalid_dns_txt

Unable to find a valid DNS TXT record for the domain. Make sure:

  • DNS TXT record changes are live.

  • Random value in the TXT record matches the DigiCert provided random value.

400

invalid_payment_method

The specified payment method is not enabled. To use the specified payment request, you must enable it in your account.

400

invalid_value:<param.name>

The specified parameter contains an invalid value. Refer to the endpoint's Response parameters table for valid input values.

400

invalid_value:validity_years

The specified parameter contains an invalid value for the time span allowed.

This can occur when the number of years specified is not permitted because the span exceeds what the order allows (for example, more than three years for a code signing certificate), or what is set as the limit at the account level by an admin.

Additionally, this error may occur when the order validity is set with a custom_expiration_date and an admin for the account has already applied a limit to the allowed order validity period. When an admin applies this limit, the option to set a custom expiration date is disabled for the product using order_validity.days or order_validity.custom_expiration.date.

400

malformed_cname_target|variable

When using the CNAME Target (also known as CNAME Delegation) DCV method, DigiCert could not process the CNAME record because it contains a malformed target domain. Make sure the target domain on your CNAME record is constructed correctly and try again. For help, contact DigiCert Support.

400

missing_ca_cert_id

The certificate authority ID is required for this request. Specify the certificate authority to issue the certificate from and resend your request.

400

missing_dns_name_on_duplicate

The DNS name is missing from the request. DNS names cannot be removed on duplicate orders. Resend the request with the DNS name included.

400

missing_request_data

No body was sent with the request. Refer to the endpoint's documentation for request requirements.

400

missing_required_custom_field

The request body is missing a required custom field. To get a list of custom order field metadata for your account, see List custom fields.

400

no_private_ca_enabled

No private certificate authorities are enabled for the account.

400

not_allowed_to_change_ct_setting_per_order

The per certificate order feature has not been activated for your CertCentral account. An administrator must enable this feature.

400

note_contains_private_key

Never share private keys with any third party, including DigiCert. Remove the private key and try again.

400

order_not_eligible_for_duplicate

Duplicates are not allowed for the specified order.

400

order_not_eligible_for_renewal

Order not eligible for renewal.

Returned for SSL certificate order requests when the order to renew (renewal_of_order_id) is not within the renewal window. Wait until the order is within the renewal window and try again.

400

order_renewed_already

Order not eligible for renewal.

Returned for SSL certificate order requests when the order to renew (renewal_of_order_id) has already been renewed.

An order can only be renewed once. Submit a new certificate order request, or use the Order info API to get the order ID of the renewed order (was_renewed_by_order_id).

400

other_domain_on_wildcard

All SANs on a wildcard certificate must have the same common name. Either change the SANs to use the same common name or order a multi-domain certificate.

400

pending_account_merge_completion

DigiCert is processing a request to merge the account that sent the request with another CertCentral account. While the merge is in progress, the accounts being merged cannot:

  • Create new certificate orders

  • Create organizations

  • Add domains

To perform these operations, wait until the merge is complete. Submit a new request from the account that persists after the merge.

400

pending_reissue

A previous reissue request is still pending for the order. You must reject or approve and issue the pending request before a new reissue request can be placed.

400

product_name_limit_exceeded

You have exceeded the number of names allowed on this product.

400

product_not_allowed

This product is not allowed.

400

protected_domain

One or more domains listed on this certificate request are protected by the domain owner. Modify the domains and resubmit the request.

400

required_param:

The specified parameter is required. Refer to the endpoint's Response parameters table to identify required and optional parameters.

400

rfc5280_common_name_invalid

The submitted common name does not conform to industry standards.

400

rfc5280_common_name_too_long

Common name must be less than 64 characters in order to be compliant with industry standards.

400

rfc5280_org_unit_too_long

Organization units must be less than 64 characters in order to be compliant with industry standards.

400

rfc5280_org_name_too_long

Organization name total length (including Assumed Name for EV certificates) must be less than 64 characters in order to be compliant with industry standards.

400

rfc5280_address_field_too_long

Address fields must be less than 64 characters in order to be compliant with industry standards.

400

rfc5280_org_unit_invalid

The org unit field contains an invalid value according to industry standards.

400

rfc5280_org_invalid

One or more fields on the organization contains invalid values according to industry standards.

400

va_not_eligible_order

The request failed for one of the following reasons:

  • The certificate hasn’t been issued yet.

  • The certificate is pending, revoked, or expired.

  • The order is not available to your account.

400

va_not_eligible_product

The request failed because the product does not support vulnerability assessments.

For a list of products that support vulnerability assessments, see Vulnerability assessments – Supported products.

400

va_order_not_found

No data found for the submitted request. Make sure you are using the correct order ID, then try again.

400

va_order_already_enabled

Vulnerability assessments are already enabled for the order.

400

va_order_not_enabled

Vulnerability assessments are not enabled for the order. Make sure you are using the correct order ID and that vulnerability assessments are enabled, then try again.

400

va_domain_not_found

The domain in the request is not included on the specified order. Make sure you are using the correct domain and order ID, then try again.

400

va_email_recipient_not_found

No email recipient found on the order.

400

va_bad_request

The request is not formatted correctly. Make sure the filter parameters and URL query strings in your request are formatted correctly, then try again.

400

vmc_logo_unable_to_decode

Logo could not be decoded. Use one of these endpoints to make sure the logo meets formatting requirements for VMC, and then try again:

400

vmc_logo_size_exceeded|variable

Logo exceeds the maximum size allowed for VMC certificate orders. Resize the logo to be smaller than the size returned in the error message and try again.

400

need_vmc_logo

To add or modify trademark details, you must first upload a logo for the order. New VMC order requests can only include a trademark country code or registration number if they also include a logo. If you receive this error when submitting a new VMC order request, do one of the following:

400

cannot_modify_approved_logo

The logo is already validated and approved. You cannot change the trademark country code or registration number for an approved VMC logo.

400

order_not_pending

Requested operation can only be performed on orders with a pending status.

400

invalid_vmc_logo

Logo does not meet the formatting requirements for VMC certificates. Fix the formatting issues described in the error message and try again.

400

username_unavailable

The specified username is not available.