FAQ & troubleshooting

If your question isn't here, check the page for the specific area - Agents, Domains & DNS-01, Certificate authorities, or Deploy targets.

A job failed with a DNS-01 zone lookup error - what do I check?

Confirm the DNS provider credentials on the domain (Manage > Domains) actually have access to that exact zone, and that the certificate's domain selection matches the hostnames in its common name and SANs. A mismatch between the selected domain and the certificate's actual hostnames is the most common cause.

My agent shows as disconnected - what now?

Check that the service is actually running on the host (systemctl status on Linux, Services on Windows) and that it can reach your aethercert API URL outbound over HTTPS. The agent only ever makes outbound connections, so no inbound firewall rule should be required.

Can I move a certificate from one agent to another?

Delete it and create a new certificate targeting the other agent - certificates aren't re-targeted in place. If several servers need the same certificate, use an agent group instead of moving it repeatedly.

Which key type should I use?

EC-256 is the default and works everywhere modern. Use RSA-2048 or RSA-4096 only when a target explicitly requires RSA (some legacy Windows/appliance integrations do) - RSA keys are larger and slower to generate for no security benefit over EC on current software.

Does deleting an agent group delete its certificates?

No - a group can't be deleted while any certificate still targets it. Reassign or delete those certificates first, then the group.

Why does the exportable private key option only appear for Windows targets?

Linux and NetScaler deploy targets write the raw private key file directly, so exportability is inherent. The option only matters where the key is imported into a Windows certificate store, whose default behavior is to disallow re-exporting it.