AST Certificate Authority Error Codes (SubSystem 510)
Certificate Request (Error Codes 10-19)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 10 | 403 | InvalidCsrSignature | The provided CSR's signature wasn't valid |
510 | 11 | 400 | UnsupportedKeyType | The provided CSR's key algorithm isn't supported |
510 | 12 | 400 | BadKey | The provided CSR's key doesn't meet requirements |
510 | 13 | 400 | UnsupportedAlgorithm | An algorithm (signature or digest) was unsupported |
510 | 14 | 403 | BadProfile | The requested certificate profile isn't allowed on the endpoint |
510 | 15 | 500 | UnsupportedProfile | The requested certificate profile isn't supported by the Issuer CA |
Certificate Retrieval (Error Codes 20-29)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 20 | 409 | NotYetSigned | The certificate was not yet signed |
510 | 21 | 410 | AlreadyDelivered | The certificate was already delivered and was evicted |
510 | 22 | 410 | IssuanceFailed | The certificate couldn't be issued successfully |
SDK Config Creation (Error Codes 30-39)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 30 | 412 | SignerNotYetIssued | The signer certificate wasn't issued yet |
510 | 31 | 500 | SdkConfigSignError | There was an error signing the SDK config |
Signer Management (Error Codes 40-49)
Signer Creation and Use (Error Codes 40-44)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 40 | 409 | SignerAlreadyExists | A signer for the tenant already exists |
510 | 41 | 409 | SignerRevoked | The requested signer was revoked and may not be used anymore |
510 | 42 | 409 | SignerCreationConflict | A conflicting signer was created by a concurrent operation. The caller may check the state of the signer via one of the GET APIs and retry if necessary. |
Signer Deletion (Error Codes 45-49)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 45 | 409 | SignerAlreadyInUse | The signer was already used to issue a certificate and can't be deleted anymore |
Public Key Provider (Error Codes 50-59)
Public Key Registration (Error Codes 50-54)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 50 | 403 | PasswordAuthMissing | The access token's AMR did not imply that the user has a password |
510 | 51 | 409 | KeyAlreadyExists | A key with the same thumbprint is already registered |
Public Key Retrieval (Error Codes 55-59)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 55 | 410 | KeyExpired | The key with the given kid and tenant expired and can no longer be used |
Session Encryption (Error Codes 60-69)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 60 | 500 | EncryptionError | An unexpected error occurred when encrypting a response |
510 | 61 | 400 | DecryptionError | An error occurred when decrypting a request |
Bad Request Codes (Error Codes 400 and 400x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 400 | 400 | BadRequest | An unspecified Bad Request error. Look for details in the message. |
510 | 4001 | 400 | MissingField | A required field was missing in the request |
510 | 4002 | 400 | MalformedField | A field in the request had a wrong format |
510 | 4003 | 400 | BadPagination | Invalid pagination parameters |
510 | 4004 | 400 | BadFilter | Invalid filter string |
510 | 4005 | 400 | MalformedBody | The request body was malformed and couldn't be parsed |
Unauthorized Codes (Error Codes 401 and 401x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 401 | 401 | Unauthorized | There was a problem authorizing the request; see below for details |
510 | 4011 | 401 | TlsClientAuthMissing | The mTLS client certificate header was missing or didn't contain a certificate |
Details about 510-401 Unauthorized
This error code includes cases like
- The header was missing
- The token could not be decoded
- The token is from a different realm than the tenant in the request path
- The token was expired (`exp`), not yet valid (`nbf`) or issued in the future (`iat`)
- The token's issuer (`iss`) did not match the expected value discovered from the IdP
  - This is most likely a realm configuration problem in Keycloak, such as not configuring the "Frontend URL" setting in the realm, which is required in a typical setup
  - Failing to configure the Frontend URL will result in a mismatch between the issuer URL that was discovered by the service inside the cluster, and the issuer in the JWT issued for a client outside the cluster
  - After changing the realm configuration, it is necessary to restart the service in order for it to rediscover the realm configuration
- The token's audience (`aud`) didn't include all required values specified in the service config (default: none)
- The token's signature did not match the public key discovered from the IdP
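The claim checks behind the cases listed above, as an added example that is not the AST service's own code. It assumes the token has already been decoded and its signature verified by a JOSE library, that the decoded claims arrive as a dict, and that the realm can be read from the last segment of a Keycloak-style `.../realms/<realm>` issuer URL (an assumption, as is the `check_claims` function itself).

```python
"""Claim checks for the 510-401 Unauthorized cases (added example, not the
AST service's code). Decoding and signature verification are assumed to
happen elsewhere; claims arrive as a dict. Reading the realm from a
Keycloak-style .../realms/<realm> issuer URL is an assumption."""
import time
from typing import Iterable, Optional


def realm_from_issuer(iss: str) -> Optional[str]:
    """Return <realm> from an issuer URL ending in /realms/<realm>, else None."""
    parts = iss.rstrip("/").split("/")
    return parts[-1] if len(parts) >= 2 and parts[-2] == "realms" else None


def check_claims(claims: dict, tenant_realm: str, expected_issuer: str,
                 required_aud: Iterable[str] = (), now: Optional[int] = None,
                 leeway: int = 0) -> Optional[str]:
    """Return None if the claims pass, otherwise the failing case, checked in
    the order the list above gives them."""
    now = int(time.time()) if now is None else now
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return "token could not be decoded: iss claim missing"
    # The token's realm must be the tenant realm taken from the request path.
    if realm_from_issuer(iss) != tenant_realm:
        return "token is from a different realm than the tenant in the request path"
    # Time claims: exp in the past, nbf in the future, iat in the future.
    if "exp" in claims and now >= claims["exp"] + leeway:
        return "token expired (exp)"
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return "token not yet valid (nbf)"
    if "iat" in claims and claims["iat"] - leeway > now:
        return "token issued in the future (iat)"
    # Issuer must equal the value discovered from the IdP. A Keycloak realm
    # without "Frontend URL" typically fails here with an internal-host issuer.
    if iss != expected_issuer:
        return "issuer (iss) did not match the expected value"
    # aud may be a string or a list; every configured value must be present.
    # An empty required set (the default) skips the check entirely.
    required = set(required_aud)
    if required:
        aud = claims.get("aud", [])
        present = {aud} if isinstance(aud, str) else set(aud)
        missing = sorted(required - present)
        if missing:
            return "audience (aud) is missing required values: " + ", ".join(missing)
    return None
```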
Forbidden / Bad Token Codes (Error Codes 403 and 403x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 403 | 403 | Forbidden | The user has no permission to access the resource |
510 | 4031 | 403 | MissingUserId | The user ID is missing in the access token |
510 | 4032 | 403 | MissingUserName | The user name is missing in the access token |
510 | 4033 | 403 | MissingClientId | The AST client ID is missing in the access token |
510 | 4036 | 403 | SessionKeyNotFound | The session key with the given ID was not found |
510 | 4037 | 403 | SessionKeyDecryptionFailed | The session key could not be decrypted |
Not Found Codes (Error Codes 404 and 404x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 4041 | 404 | SignerNotFound | A signer with the given ID does not exist |
510 | 4042 | 404 | CertificateNotFound | A certificate with the given ID does not exist |
510 | 4043 | 404 | SignerNotFoundForTenant | The requested signer for the given tenant does not exist |
510 | 4044 | 404 | IssuerSerialNotFound | The combination of issuer and serial was not found |
510 | 4045 | 404 | KeyNotFound | The key with the given kid and tenant wasn't found |
OIDC Errors (Error Codes 100x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 1000 | 500 | GeneralError | An unexpected error occurred while authenticating the request. See the log for details. |
510 | 1001 | 500 | IssuerNotConfigured | The OIDC issuer is not configured. This is probably due to misconfiguration of api.security.openidConnect.baseUrl. See the log for details. |
510 | 1002 | 404 | RealmDoesNotExist | The realm corresponding to the tenant ID in the request does not exist in the IDP. See the log for details. |
510 | 1003 | 503 | IdpUnavailable | The IDP could not be reached for OIDC discovery. This may be a temporary error or due to misconfiguration. See the log for details. |
510 | 1004 | 502 | BadResponse | The IDP response could not be parsed. See the log for details. |
510 | 1005 | 502 | UnexpectedError | The IDP returned an unexpected error response during OIDC Discovery. See the log for details. |
510 | 1006 | 500 | IssuerMismatch | The issuer URL returned from OIDC Discovery doesn't match the expected one generated from the configuration. This is probably due to realm misconfiguration in the IDP. See the log for details. |
510 | 1007 | 500 | UnsupportedFlow | The OIDC configuration returned from the IDP specified an unsupported flow. This is probably due to realm misconfiguration in the IDP. See the log for details. |
General Error Codes (Error Codes 500, 503 and 500x)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 500 | 500 | InternalError | An unexpected error occurred |
510 | 5001 | 500 | DbError | An unexpected error occurred during a database operation |
510 | 5002 | 500 | KafkaError | An unexpected error occurred during a Kafka operation |
510 | 5003 | 500 | SignerError | An unexpected error occurred during a certificate issuance operation |
510 | 503 | 503 | ServiceUnavailable | The service's availability was disrupted; look for details in the message. |
Configuration Errors (Error Codes 500xx)
Subsystem | Error Code | HTTP Code | Name | Details |
---|---|---|---|---|
510 | 50010 | 500 | UnknownTopicRoutingKey | An outbox item with an unknown topic routing key was encountered |
510 | 50020 | 500 | TrustStoreDoesNotExist | The trust store file does not exist |
510 | 50021 | 500 | TrustStoreRequired | A trust store was required for the configured SSL mode, but none was given |