Digicert ACME-URL and Authorisation

Hello Community
I am trying to get a wildcard Certificate from Digicert. I have enabled the account for automation and created an ACME-URL. As I understand from the Digicert docs, all Certs that are requested using the ACME-URL and KEY / KEYID are pre-authorized, since I have authorized my organisation already within the Digicert Panel.

When I “TEST” the Automation all is good. When I “Get Certificate” it tells me to manually create the acme DNS Record (since I selected manual). Sometimes I have to get it 3 times until it fetches the certificate. Notably without being able to verify.

First time successful “Request certificate”

2025-01-24 16:38:38.613 +01:00 [INF] ---- Beginning Request [*.mydomain.com] ----
2025-01-24 16:38:38.613 +01:00 [INF] Renewal Reason: Certificate has not yet been successfully requested, so a renewal attempt is required.
2025-01-24 16:38:38.613 +01:00 [INF] Certify/6.1.2.0 (Windows; Microsoft Windows NT 10.0.20348.0)
2025-01-24 16:38:38.613 +01:00 [INF] Beginning certificate request process: *.mydomain.com using ACME provider Anvil
2025-01-24 16:38:38.613 +01:00 [INF] The selected Certificate Authority is: Digicert
2025-01-24 16:38:38.613 +01:00 [INF] Requested identifiers to include on certificate: *.mydomain.com
2025-01-24 16:38:38.662 +01:00 [INF] [Progress] All Tests Completed OK
2025-01-24 16:38:42.083 +01:00 [INF] Created ACME Order: https://one.digicert.com/mpki/api/v1/acme/v2/order/redacted
2025-01-24 16:39:07.444 +01:00 [INF] Got http-01 challenge https://one.digicert.com/mpki/api/v1/acme/v2/challenge/redacted
2025-01-24 16:39:07.747 +01:00 [INF] Got dns-01 challenge https://one.digicert.com/mpki/api/v1/acme/v2/challenge/redacted
2025-01-24 16:39:08.570 +01:00 [INF] Authorization already valid for *.mydomain.com
2025-01-24 16:39:08.570 +01:00 [INF] Resuming certificate request using CA: Digicert
2025-01-24 16:39:08.570 +01:00 [INF] [Progress] Requesting certificate via Certificate Authority
2025-01-24 16:39:21.126 +01:00 [INF] [Progress] Completed certificate request.
2025-01-24 16:39:22.234 +01:00 [INF] [Progress] New certificate received and stored OK.

After I click “Request certificate” again

2025-01-24 16:41:31.414 +01:00 [INF] ---- Beginning Request [*.mydomain.com] ----
2025-01-24 16:41:31.414 +01:00 [INF] Certify/6.1.2.0 (Windows; Microsoft Windows NT 10.0.20348.0)
2025-01-24 16:41:31.414 +01:00 [INF] Beginning certificate request process: *.mydomain.com using ACME provider Anvil
2025-01-24 16:41:31.414 +01:00 [INF] The selected Certificate Authority is: Digicert
2025-01-24 16:41:31.414 +01:00 [INF] Requested identifiers to include on certificate: *.mydomain.com
2025-01-24 16:41:32.891 +01:00 [WRN] Fail to load resource from ‘https://one.digicert.com/mpki/api/v1/acme/v2/new-order’.
urn:ietf:params:acme:error:replaceOrderMalformed: Identifiers in this order do not match any names in the certificate being replaced
2025-01-24 16:41:32.891 +01:00 [WRN] Failed to begin certificate order. Skipped ARI Replace as a precaution: urn:ietf:params:acme:error:replaceOrderMalformed :: Identifiers i

Can I completely disable the Authorisation Process for a specific Certificate?
Kind regards Mike

Hi, the CA is using ARI and the app is trying to replace the previous cert but the CA doesn’t like the new/updated domains/identifiers on the cert.

If you try a few times it will eventually skip ARI after the first few failures. You can also clear previous cached status using Certificate > Advanced > Actions > Reset Failure Status, Save, then click Request Certificate again.

Hello weboffusion

Thank you for your fast answer.

When I automate the fetching of the certificate, will I run into this issue, or is it because I requested it twice in a row?

Otherwise the cached status clearing needs to be somehow automated too.

Kind regards
Mike

Hi Mike,

If your certificate is now configured to validate domain control automatically (e.g. using a DNS API or using pre-validated domains with your CA) then the renewal will be entirely automatic. You should however keep the software up to date by checking for a new version at least every 6 months, as CAs do change their services quite regularly.

If the certificate repeatedly encounters an error during the attempted renewal our API will (by default) send an email to the address listed against your ACME CA account under Settings > Certificate Authorities warning you that the renewal attempt is failing.

Licensed customers can also use our dashboard feature to monitor renewals across many servers, via https://dash.certifytheweb.com
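
For anyone who wants to watch for this failure in their own logs, here is an added example (not part of the thread and not Certify The Web's code): a small Python check that splits a log into request blocks and flags requests where the new order was rejected with `replaceOrderMalformed` and no certificate was stored. The message strings it matches are taken from the log excerpts posted above; other versions of the app may word them differently.

```python
import re

# Sample lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
2025-01-24 16:38:38.613 +01:00 [INF] ---- Beginning Request [*.mydomain.com] ----
2025-01-24 16:39:08.570 +01:00 [INF] Authorization already valid for *.mydomain.com
2025-01-24 16:39:22.234 +01:00 [INF] [Progress] New certificate received and stored OK.
2025-01-24 16:41:31.414 +01:00 [INF] ---- Beginning Request [*.mydomain.com] ----
2025-01-24 16:41:32.891 +01:00 [WRN] Fail to load resource from ‘https://one.digicert.com/mpki/api/v1/acme/v2/new-order’.
urn:ietf:params:acme:error:replaceOrderMalformed: Identifiers in this order do not match any names in the certificate being replaced
2025-01-24 16:41:32.891 +01:00 [WRN] Failed to begin certificate order. Skipped ARI Replace as a precaution: urn:ietf:params:acme:error:replaceOrderMalformed :: Identifiers i
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) [+-]\d\d:\d\d \[(\w{3})\] (.*)$")
BEGIN = re.compile(r"^---- Beginning Request \[(.+)\] ----$")
ACME_ERR = re.compile(r"urn:ietf:params:acme:error:(\w+)")

def summarize_requests(log_text):
    """Split a log into request blocks and record outcome and ACME errors for each."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        # Lines without a timestamp continue the previous message (e.g. the error body).
        msg = m.group(3) if m else raw.strip()
        start = BEGIN.match(msg) if m else None
        if start:
            current = {"started": m.group(1), "name": start.group(1),
                       "stored": False, "acme_errors": [], "ari_skipped": False}
            requests.append(current)
            continue
        if current is None:
            continue  # ignore anything before the first request header
        for err in ACME_ERR.findall(msg):
            if err not in current["acme_errors"]:
                current["acme_errors"].append(err)
        if "New certificate received and stored OK" in msg:
            current["stored"] = True
        if "Skipped ARI Replace" in msg:
            current["ari_skipped"] = True
    return requests

def ari_replace_failures(log_text):
    """Requests that hit replaceOrderMalformed and never stored a certificate."""
    return [r for r in summarize_requests(log_text)
            if "replaceOrderMalformed" in r["acme_errors"] and not r["stored"]]

if __name__ == "__main__":
    for r in ari_replace_failures(SAMPLE_LOG):
        print(f'{r["started"]} {r["name"]}: ARI replace rejected, errors={r["acme_errors"]}')
```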