Troubleshooting for ACME

Overview

This section helps you troubleshoot the common problems that you might encounter when using ACME functionality such as adding settings, checking communication, enrollment, and revocation.

Supported Web Browsers

Browser | Version | Notes
Firefox | Till latest (Version 84.0.4147.135) | NA
Chrome | Till latest (Version 80.0) | NA
IE | Limited support in 9, Full support from 10+ | No support for IE9 post-AppViewX Version 11.0
Safari | Till latest (Windows - Version 5.1.7, macOS - Version 13.1.2) | From AppViewX Version 11.1
Opera | Till latest (Version 70) | From AppViewX Version 11.1

Supported Devices

Device | OS | Resolution
Desktop | Windows | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop | Linux | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop | Mac | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
iPad | iOS | 1024 X 768

Supported ACME Clients

  • Certbot

  • cert-manager

Issues in Adding and Checking ACME Settings

Issues in ACME Setting Addition

  1. Log in to the AppViewX application with valid credentials.
  2. From the left pane, expand the menu and click CERT+.
    The Server Certificate page is displayed.
  3. From the left pane, expand Administration and select Auto Enrollment.
  4. Click ACME.
    The Auto Enrollment ACME page is displayed.
  5. Click Add.
  6. After settings are added, click Check to see the validity.

Error Messages

Error Message: Agent name already added. Please enter a different name..
Possible Cause: An ACME setting with the same name already exists on the ACME page.
Possible Solution: Check the ACME setting name; it should be unique.

Error Message:
  1. This field should not be null or empty
  2. Mandatory Field(s) - <Field name> is/are empty
Possible Cause: Some of the mandatory fields might be missing or might be invalid.
Possible Solution: Add all the valid information in the mandatory section.

Error Message: ACME setting is invalid - Agent ip is not reachable
Possible Cause: The ACME agent IP and port provided might not be accessible from the AppViewX node.
Possible Solution: Check the IP and port provided and make sure they are reachable from the AppViewX node.

Error Message: ACME setting is invalid - Policy is not associated to the provided group
Possible Cause: The policy selected might be associated with some other group that is not selected.
Possible Solution: Check whether the selected policy and group are associated with one another.

Issues in Auto Enrolling Certificate via ACME

Note: From the client machine, make the auto-enroll call using the AppViewX ACME server URL that is displayed on the ACME setting page.

Error Message: No agent settings found for the provided agent ip address (OR) Agent settings is not found
Possible Cause: The provided agent IP or agent name is not found in the ACME settings.
Possible Solution: Check the agent IP and agent name on the client machine.

Error Message: Unable to perform ACME account creation/updation operation
Possible Cause: The ACME account is already present or the account is not proper on the client machine.
Possible Solution:
  1. Check whether the account is proper on the client machine.
  2. Delete the ACME accounts on the client machine and retry.

Error Message: Unable to perform ACME challenge creation operation
Possible Cause: Challenge verification failed before enrolling the certificate.
Possible Solution:
  1. Check whether the option selected in the ACME setting is HTTP or DNS.
  2. Check the reachability of the URL for HTTP challenge verification.

Error Message: HTTP authentication failed due to invalid parameters provided.
Possible Cause: The HTTP authentication parameters provided must be invalid.
Possible Solution:
  1. Check the passwords in BASIC authentication.
  2. Check the nonce and other parameters in the DIGEST parameters.

Error Message: Unable to perform ACME order finalize operation
Possible Cause: This phase is used to obtain the CSR and submit it.
Possible Solution:
  1. Check the input CSR in the request.
  2. Check whether the CSR submission is successful in AppViewX.

Error Message: Unable to obtain the enrolled certificate
Possible Cause: The certificate might not be present for the provided transaction id.
Possible Solution: Check whether the certificate is enrolled in the AppViewX inventory.

Error Message: Unable to establish connection with ACME server.
Possible Cause: There might be an issue with reaching the AppViewX ACME agent IP from the client.
Possible Solution:
  1. Check whether the ACME agent IP is reachable from the client machine.
  2. Check whether the ACME agent IP is open and accessible.

Error Message: Group policy does not have the given hash function
Possible Cause: The requested hash function in the CSR parameters may not be available in the selected policy.
Possible Solution:
  1. Navigate to the policy page.
  2. Select the CA used in the ACME setting.
  3. In the hash function field, include the requested and missing hash functions.
  4. Save the CA details and update the policy.

Error Message: Unable to submit the CSR request to certificate authority
Possible Cause: Failure due to specific CA functionality.
Possible Solution: Check the logs and the failed work order for the reason for the submission failure.

Error Message: Unable to submit the CSR request to certificate authority (for MSCA)
Possible Cause: There might be an error in the work order log - “Denied due to policy module”.
Possible Solution: Check the bit length in the CSR parameters; if it is less than or equal to 1024, increase it in the CSR.

Error Message: CSR parameters already exists
Possible Cause: There might be another CSR already present in the inventory for which certificates have not been issued.
Possible Solution:
  1. Delete the previous CSR present in the inventory and try enrolling.
  2. Connect to the database and update the entry as below:

    db.cert_metadata.update({"_id" : "DO_CSR_PARAMS_UNIQUENESS_CHECK"},{$set:{"constant":"no"}})

Note: This would allow multiple CSRs with the same parameters in the certificate inventory.
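
The two CSR-related rejections above (the requested hash function missing from the policy, and a bit length of 1024 or less denied by MSCA) can be checked on the client machine before enrolling. The following is an added example, not AppViewX code: csr_precheck is a hypothetical helper that reads the text printed by openssl req -noout -text, and the sample CSR text is constructed. It assumes the list of allowed hash functions is copied by the operator from the policy page and that the bit-length check applies to RSA keys only.

```shell
#!/bin/sh
# Added example (not AppViewX code). csr_precheck is a hypothetical helper.
# stdin: output of `openssl req -in client.csr -noout -text`
# $1:    hash functions enabled in the policy, space separated (operator-supplied)

# Constructed samples: excerpts in the layout printed by openssl req -text.
SAMPLE_WEAK='Certificate Request:
    Data:
        Subject: CN = host.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_OK='Certificate Request:
    Data:
        Subject: CN = host.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

csr_precheck() {
    allowed=" $(printf '%s' "$1" | tr 'A-Z' 'a-z') "
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # sha256WithRSAEncryption and ecdsa-with-SHA256 both reduce to "sha256".
    hash=$(printf '%s' "$sig" | tr 'A-Z' 'a-z' | grep -oE 'sha[0-9]+|md5' | head -n 1)
    if [ -z "$bits" ] || [ -z "$hash" ]; then
        echo "UNPARSED: key size or signature hash not found"
        return 2
    fi
    rc=0
    # Assumption: the 1024-bit floor applies to RSA keys only (EC keys are shorter by design).
    if [ "$alg" = "rsaEncryption" ] && [ "$bits" -le 1024 ]; then
        echo "KEY_TOO_SHORT: RSA $bits bit, increase the bit length in the CSR"
        rc=1
    fi
    case "$allowed" in
        *" $hash "*) ;;
        *) echo "HASH_NOT_IN_POLICY: $hash"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $alg $bits bit, $hash"
    return "$rc"
}

# Demo on the constructed weak sample; prints both findings.
printf '%s\n' "$SAMPLE_WEAK" | csr_precheck "sha256 sha384" || true
```

On a real client, pipe the CSR that the ACME client will submit into the function and pass the hash functions listed for the CA in the policy; a return status of 1 means the enrollment would hit one of the two errors above.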