
The following errors may be produced by the certificate services UI. This document provides a brief explanation of each error and possible solutions. This list is not exhaustive; if the error isn't on this list, please contact iam-support@uw.edu with the error text.

You do not have permission: Invalid wildcard

A wildcard can only appear at the beginning of a domain name. For example, *.pottery.uw.edu is valid but clay.*.uw.edu is not.

Solution

Reformat the request using a valid wildcard.


You do not have permission:  You are not an owner of <domain>

Your NetID isn't authorized to request certificates for this domain.  This can have several causes:

  • Your domain doesn't exist, or has a typo in it.  (While this message is technically correct for this situation, we admit it isn't the most helpful).  
  • The domain's DNS is controlled by UW, but your NetID isn't authorized to administer it.  This is almost always the case for subdomains of uw.edu and washington.edu.  
  • The domain's DNS isn't controlled by UW.  This is more likely for privately registered names like my-research-lab.com.  
Solution
  • Use the "Verify DNS ownership" tool linked at the top of the Certificate Services page to verify you are authorized to administer this domain.  If you aren't authorized and aren't sure how to proceed, send email to iam-support@uw.edu.  IAM specialists can look up the domain and recommend solutions.  
  • Check for typos in your CSR. Transposing various letters in "washington" is by far the most common cause of this error (other than not actually being authorized for the domain).  If it's not a typo, send email to iam-support@uw.edu.  IAM specialists can look up the domain and recommend solutions.  



You do not have permission:  InCommon says no permission 

This non-UW domain hasn't been validated with InCommon.

Solution

This domain needs to be approved before certificates can be issued for it.  See "Request a New Domain for InCommon CA Certificates".


Could not verify DNS ownership:  CN or altName not valid

The CN or at least one altName didn't parse as a valid DNS name.  

Solution

Check for typos in your CSR.  Contact iam-support@uw.edu (include a copy of your CSR) if the error persists.  


The CA reports exception:  IO error to CA

This usually means the InCommon/Comodo API is unavailable.  

Solution
  • Check the InCommon/Comodo status page at https://sectigo.status.io/ (note: "Comodo" rebranded to "Sectigo" in November 2018).
  • Outages are typically brief.  Try your request again in an hour, and contact iam-support@uw.edu if the error persists.  


invalid CSR problem parsing cert: java.lang.IllegalArgumentException: badly encoded request

This means there was a problem parsing the CSR.  The most common cause of this error is pasting in DNS names or other text instead of a base64-encoded public key plus metadata.  A CSR has the following format:

CSR example--non-functional
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request data]
-----END CERTIFICATE REQUEST-----
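
A local pre-submission check for the wildcard, DNS-name and CSR-format errors described above, as an added example (not the certificate service's own code). The function names and the exact rules are assumptions; the service's real validation may differ, and nothing here checks domain ownership.

```python
import base64
import binascii
import re

# PEM armor lines for a CSR, as in the format shown above.
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Constructed sample: valid armor and base64, but only a 5-byte DER stub,
# so it is not a usable request.
SAMPLE = "\n".join([BEGIN, base64.b64encode(b"\x30\x03\x02\x01\x00").decode(), END])


def check_dns_name(name):
    """Return None if the name looks valid, else a short reason (assumed rules)."""
    labels = name.rstrip(".").split(".")
    if len(name) > 253 or len(labels) < 2:
        return "not a fully qualified DNS name"
    if "*" in name:
        # A wildcard may only be the entire leftmost label.
        if labels[0] != "*" or any("*" in l for l in labels[1:]):
            return "wildcard must be the first label only"
        labels = labels[1:]
    for label in labels:
        if not LABEL.fullmatch(label):
            return "invalid label %r" % label
    return None


def check_csr_text(text):
    """Return None if text is plausibly a PEM CSR, else a short reason."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return "missing BEGIN/END CERTIFICATE REQUEST lines"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return "body is not valid base64"
    # A DER-encoded request is an ASN.1 SEQUENCE, so it starts with 0x30.
    if not der or der[0] != 0x30:
        return "decoded body is not a DER SEQUENCE"
    return None
```

Passing these checks only rules out the formatting mistakes listed on this page; the names inside a real CSR still have to be read with a CSR parser before checking them with `check_dns_name`.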




