3.2 ACME Failures
Issuance failures typically occur in two stages: Preflight Checks (DNS configuration issues) or CA Validation (the CA rejects the request).
Preflight Checks
Before requesting validation from the CA, CertKit verifies that the required DNS records are published and resolvable. Each SAN is assigned one of the following statuses:
| Status | Meaning |
|---|---|
Ok |
Record is correct and resolvable. |
CnameMissing / DnsPersistTxtRecordMissing |
The required record was not found. |
CnameMisconfigured / DnsPersistTxtRecordMisconfigured |
The record exists but contains an incorrect value. |
ConflictingTxtRecords |
Multiple TXT records found. Letβs Encrypt will reject this configuration. |
Any status other than Ok must be resolved before issuance can proceed.
CA Validation Failures
If preflight checks pass but the CA rejects issuance, the ACME error details are displayed in the setup panel.
- Automated Retries: Retries are throttled to once every 24 hours.
- Manual Retries: The Retry Now button is limited to 3 failures per 48 hours to avoid hitting CA rate limits.
- Issuance Paused: After repeated failures, CertKit will pause issuance. Once the underlying issue is fixed, use Restart Issuance to resume.