The following errors may be produced by the certificate services UI. This document provides a brief explanation of each error and possible solutions. This list is not exhaustive; if the error isn't on this list, please contact firstname.lastname@example.org with the error text.
You do not have permission: Invalid wildcard
A wildcard can only be at the beginning of a domain name. For example, *.pottery.uw.edu is valid but clay.*.uw.edu is not.
Reformat using a valid wildcard.
You do not have permission: You are not an owner of <domain>
Your netid isn't authorized to request certificates for this domain. This can have several causes:
- Your domain doesn't exist, or has a typo in it. (While this message is technically correct for this situation, we admit it isn't the most helpful.)
- The domain's DNS is controlled by UW, but your NetID isn't authorized to administer it. This is almost always the case for subdomains of uw.edu and washington.edu.
- The domain's DNS isn't controlled by UW. This is more likely for privately registered names like my-research-lab.com.
- Use the "Verify DNS ownership" tool linked at the top of the Certificate Services page to verify you are authorized to administer this domain. If you aren't authorized and aren't sure how to proceed, send email to email@example.com. IAM specialists can look up the domain and recommend solutions.
- Check for typos in your CSR. Transposing various letters in "washington" is by far the most common cause of this error (other than not actually being authorized for the domain). If it's not a typo, send email to firstname.lastname@example.org. IAM specialists can look up the domain and recommend solutions.
You do not have permission: InCommon says no permission
This non-UW domain hasn't been validated with InCommon.
This domain needs to be approved before certificates can be issued for it. See Request a New Domain for InCommon CA Certificates.
Could not verify DNS ownership: CN or altName not valid
The CN or at least one altName didn't parse as a valid DNS name.
Check for typos in your CSR. Contact email@example.com (include a copy of your CSR) if the error persists.
The CA reports exception: IO error to CA
This usually means the InCommon/Comodo API is unavailable.
- Check the InCommon/Comodo status page at https://sectigo.status.io/ (note that "Comodo" rebranded to "Sectigo" in November 2018).
- Outages are typically brief. Try your request again in an hour, and contact firstname.lastname@example.org if the error persists.
invalid CSR problem parsing cert: java.lang.IllegalArgumentException: badly encoded request
This means there was a problem parsing the CSR. The most common cause of this error is pasting in DNS names or other text instead of a base64-encoded public key plus metadata. A CSR has the following format:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
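
A pre-submission check for three of the errors above (invalid wildcard, CN or altName not valid, badly encoded request), as an added example that is not the certificate service's own validation code. The function names are hypothetical, the DNS-name rules are assumed to be standard hostname syntax (RFC 1123 labels, at least two labels), and the CSR check covers only PEM framing and base64 encoding, not the request's contents or your authorization for the domain.

```python
import base64
import binascii
import re

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def check_name(name):
    """Return None if a CN/altName looks acceptable, else a reason string."""
    labels = name.rstrip(".").split(".")
    if "*" in name:
        # The wildcard must be the whole leftmost label and appear only once.
        if labels[0] != "*" or name.count("*") != 1:
            return "invalid wildcard"
        labels = labels[1:]
    # Assumption: a certificate name needs at least two labels (host + TLD).
    if len(name) > 253 or len(labels) < 2:
        return "not a valid DNS name"
    if not all(LABEL.fullmatch(label) for label in labels):
        return "not a valid DNS name"
    return None


def check_csr_text(text):
    """Check PEM framing and base64 body only; the signature is not verified."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return "missing or malformed BEGIN/END CERTIFICATE REQUEST lines"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return "body is not valid base64"
    # A DER-encoded PKCS#10 request starts with an ASN.1 SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        return "decoded body is not a DER SEQUENCE"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real request.
    for n in ("*.pottery.uw.edu", "clay.*.uw.edu", "pottery_lab.uw.edu"):
        print(n, "->", check_name(n) or "ok")
    print(check_csr_text("www.pottery.uw.edu"))  # DNS name pasted instead of a CSR
```

A name that passes these checks can still be rejected for ownership reasons; a transposed letter in "washington" is syntactically valid and is only caught by the ownership lookup.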