How to Fix ACME SSL Certificate Errors?

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading...
Resolve Common ACME Errors

When you’re setting up or renewing SSL certificates with the ACME protocol, everything should be quick and automated. But let’s be honest… ACME errors can feel like hitting a wall at full speed.

And the worst part? Most of them look cryptic enough to make anyone think something is seriously broken.

This guide breaks down the most common ACME SSL errors in plain English and gives you step-by-step fixes you can apply immediately, whether you’re installing a new cert, automating renewals, or debugging failed domain validations.

What Is ACME?

ACME (Automatic Certificate Management Environment) is the protocol used by certificate authorities like Sectigo, Let’s Encrypt, ZeroSSL, and Buypass to automate issuing and renewing SSL certificates.

Reasons Behind ACME SSL Errors and Their Fixes

There are many reasons behind this error. Here we are going to discuss the top 12 reasons behind this error.

External Account Binding Missing or Invalid

If you see an error related to External Account Binding (EAB), your ACME client is basically saying. “Hey, I can’t prove you’re allowed to use this ACME server.” This happens when the ACME server requires EAB details, but your client didn’t send the right ones.

How to Fix It:

  • Check your HMAC key and Key ID: Copy/paste them carefully. Extra breaks or line breaks will break validation.
  • Be sure you have the right ACME directory URL: Confusion of staging and production.
  • Add the proper EAB flags. In the case of acme.sh, your flags will be of the form:
--eab-kid and --eab-hmac-key
  • Update your ACME client: Clients will tend to break here when they are older. EAB errors are normally corrected immediately as they are upgraded.

Account Does Not Exist

This error “urn:ietf:params:acme:error:accountDoesNotExist” means your ACME client is pointing to an account that the CA simply doesn’t know about.

Maybe you reinstalled the ACME client. Maybe you switched servers. Maybe you pointed a staging account at production. Either way, the CA has no idea who you are.

How to Fix It:

Re-register your ACME account using the correct EAB credentials.

Example (acme.sh):

acme.sh --register-account \
--server https://acme.your-ca.com/v2/DV \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--accountemail [email protected]

Confirm the ACME server URL: Make sure it matches the endpoint used in your certificate order.

Don’t reuse account files across servers: Unless you’re 100% sure they’re tied to the same CA account, avoid moving account.conf or private keys around.

Bad Nonce or Anti-Replay Error.

BadNonce error informs you that your request contained a stale or invalid nonce, a one-time token that ACME servers rely on to discourage replay attacks. This can sometimes be because of delays, clock drift, or proxies, making it slow.

How to Fix It:

  • Just retry: The clients of the ACME, such as acme.sh, will tend to automatically retry. Otherwise, restart the command.
  • Sync your server clock: Run the command:
timedatectl status
timedatectl set-ntp true
  • By-pass proxy servers or content distribution networks: Possible services such as Cloudflare can stall the requests to the extent of nullifying the nonce.

A Requested Identifier Has Not Been Delegated

This error usually appears as: “ urn:ietf:params:acme:error:rejectedIdentifier ”

It means that the ACME server can’t validate one of the domain names you provided. Reasons include:

  • The domain doesn’t exist in DNS
  • DNS isn’t pointing to your server
  • The domain isn’t authorised in your certificate order

How to Fix It:

  • Use the correct domain format:
    Correct: -d example.com   Wrong: -d http://example.com”
  • Check DNS resolution: “dig example.com +short”
  • Match the ACME order: Some CAs require all domains to be pre-approved.
  • Check for typos: “www.example.com ≠ example.com”

Unauthorised or Invalid Response

This one is extremely common. You’ll usually see:
“ urn:ietf:params:acme:error:unauthorized ”

The CA tried to verify the HTTP challenge file, but:

  • couldn’t reach your server,
  • got redirected,
  • hit HTTPS too early,
  • Or didn’t see the challenge at all.

How to Fix It:

  • Make sure port 80 is open (even if you force HTTPS).
  • Ensure challenge files are placed under: “/.well-known/acme-challenge/.”
  • Temporarily disable forced redirects.
  • Disable firewalls, proxies, or CDNs blocking access.
  • Check file permissions and ensure the challenge file is publicly viewable.

Token Not Found or File Not Reachable (404 or 403)

This happens when the CA tries to fetch: “ http://yourdomain.com/.well-known/acme-challenge/<token> ”

…and gets:

  • 404 (Not Found)
  • 403 (Forbidden)

How to Fix It:

  • Confirm the ACME client writes the file to the correct webroot.
  • Visit the challenge URL in your browser you should see the token.
  • Ensure correct permissions and file ownership.
  • Remove or adjust .htaccess, firewall rules, or security plugins blocking access.
  • Check for SELinux/AppArmor restrictions on some systems.

CAA Record Forbids Issuance

CAA records tell the world which CAs are allowed to issue certificates for your domain. If you see: “urn:ietf:params:acme:error:caa”

Your DNS says, “This CA is not allowed.”

How to Fix It:

  • Check your DNS: dig CAA yourdomain.com
  • Ensure your CA is listed, e.g.: 0 issue “sectigo.com” and 0 issue “digicert.com”
  • For wildcard certs, also add: 0 issuewild “sectigo.com”

Wait for DNS propagation and retry.

TXT Record Not Found (Wildcard Certificates)

Wildcard domains (like *.example.com) require DNS-01 validation. No exceptions. That means ACME expects a TXT record at: _acme-challenge.example.com

If it’s missing or not propagated yet, you’ll get an error.

How to Fix It:

  • Add a TXT record:
Name: _acme-challenge.example.com
Value: (token provided by ACME client)
  • Wait 1–10 minutes (some DNS providers take longer).
  • Verify propagation: “ dig TXT _acme-challenge.example.com ”
  • Retry the validation.

Also Read: ACME Challenges for Domain Validation: Which is Best?

Too Many Requests or Rate Limited

If you see: “ urn:ietf:params:acme:error:rateLimited ” or a 429 Too Many Requests, your CA is throttling you because your client sent too many requests too fast.

How to Fix It:

  • Wait until the rate limit resets (varies by CA).
  • Fix the root cause before retrying, especially DNS-01 retries.
  • Avoid spamming validation requests without checking TXT propagation first.
  • Check your CA’s documentation for your exact rate-limit window.

Could Not Connect to ACME Server

If your server can’t reach the ACME endpoint, you’ll see connection errors:

  • Timeout
  • Connection refused
  • Could not connect

How to Fix It:

  • Allow outbound HTTPS on port 443.
  • Fix the firewall or outbound rules.
  • Verify DNS resolver settings.
  • Test manually: curl https://acme.example.com
  • Restart your ACME client once connectivity is restored.
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast having 7+ years of experience and knowledge about Encryption, Digital Certificates and Online Security, She helps online users to stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.