Common ACME errors and troubleshooting

While issuing, installing, or renewing SSL certificates through SeFlowSSL CaaS (Sectigo ACME), you may encounter errors returned either by the ACME client or by the certificate authority.

This guide covers the most common issues and their recommended solutions.

1. A requested identifier has not been delegated: domain.tld

This error usually indicates that you are attempting to issue a certificate for a domain that is not included in the ACME order associated with the credentials being used.

Check the following:

  1. Use only the domain name and not the full URL.

Correct:

-d domain.tld

Incorrect:

-d http://domain.tld
-d https://domain.tld

  2. Verify that the requested domain is actually included in the ACME order associated with the credentials being used.

Do not include domains, subdomains, or hostnames that are not explicitly authorized in the order.

For example:

  • domain.tld
  • www.domain.tld

are typically valid if included in the order.

However:

  • mail.domain.tld
  • vpn.domain.tld
  • server.domain.tld

will generate an error if they are not explicitly included in the certificate request.
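
A pre-flight check for the two points above, as an added example (not SeFlow or Sectigo tooling): it flags `-d` values written as URLs and names that are not an exact match for a domain in the order. `ORDER_DOMAINS` is a constructed sample list and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: replace with the exact identifiers in your ACME order.
ORDER_DOMAINS="domain.tld www.domain.tld"

# Reduce a URL or mixed-case name to a bare lowercase hostname:
# strip scheme, path/query/fragment, port and trailing dot.
normalize_identifier() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -e 's|^[a-z][a-z0-9+.-]*://||' -e 's|[/?#].*$||' \
              -e 's|:[0-9]*$||' -e 's|\.$||'
}

# Returns 0 if usable as-is, 1 if it must be rewritten, 2 if not in the order.
check_identifier() {
    bare=$(normalize_identifier "$1")
    if [ "$bare" != "$1" ]; then
        echo "FIX: '$1' is not a bare lowercase hostname; use -d $bare"
        return 1
    fi
    # Exact match only: domain.tld in the order does not cover mail.domain.tld.
    for d in $ORDER_DOMAINS; do
        [ "$d" = "$bare" ] && { echo "OK: $bare"; return 0; }
    done
    echo "NOT IN ORDER: $bare"
    return 2
}

# Check every name you plan to pass with -d; non-zero if any would be rejected.
preflight() {
    rc=0
    for name in "$@"; do
        check_identifier "$name" || rc=1
    done
    return $rc
}

# Demo with the names used in this guide.
preflight domain.tld https://domain.tld mail.domain.tld \
    || echo "preflight failed: fix the list before running the ACME client"
```
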

If the error persists after completing the checks above, contact SeFlow support and include the command used and the affected domain.

2. Certbot issues when using multiple EAB credentials

By default, Certbot uses a single ACME account for each certificate authority.

If multiple ACME orders are configured on the same server using different EAB credentials, Certbot may attempt to reuse previously registered credentials, resulting in authentication or authorization errors.

Common symptoms include:

  • Previously working ACME orders stop issuing certificates.
  • Authorization errors for valid domains.
  • The wrong ACME account is being used.
  • Certificates are issued using the wrong order.

The recommended solution is to use a single EAB account per server.

If additional certificates are required on the same server, it is generally better to add new domains to the existing ACME order instead of creating multiple separate orders with different EAB credentials.

When using Certbot, maintaining a single ACME registration per server significantly reduces the risk of account and EAB credential conflicts.

When to contact support

You should open a support request if:

  • ACME validation continues to fail without an obvious cause.
  • The domain is correctly configured but certificate issuance is rejected.
  • EAB credentials appear correct but the ACME client reports authentication errors.
  • The certificate is not renewing automatically.
  • You encounter an error not covered by this guide.

When contacting support, always include:

  • The affected domain.
  • The ACME client being used.
  • The exact command executed.
  • The complete error message.
  • Relevant ACME client logs.