A test authorization for your domain to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued. Error creating new order :: Policy forbids issuing for name

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://unlimitedglam.com/

I ran this command:

It produced this output:

My web server is (include version): nginx/1.19.5

The operating system my web server runs on is (include version): Linux 4.14.146-225.ELK.el6.x86_64 x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

@lestaff

What say you?

1 Like

Hi, @seema,

Could you please answer the rest of the prompts in the template, or provide more detail?

"Policy forbids issuing for name" is not the exact text of any error that Let's Encrypt will give you directly. This might be some client program or service's own error message, though. We'll need to know what program or service that is, in order to start figuring out the cause of your problem.

1 Like

Hello James,

Thank you for getting back to my concern in a short span.

I am using SSL Zen wordpress plugin to generate SSL for the above mentioned site.
I tried using the HTTP-01 method to verify the domain ownership. I am able to download the verification file and place it in .well-known/acme-challenge. But when I try to verify it, I am getting the below error message:
" A test authorization for your domain to the Let’s Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued. Error creating new order :: Policy forbids issuing for name"

The folder path where I have hosted my site is: /home4/unlimju6/public_html

1 Like

I can provide a little bit of illumination on this.

I believe that WordPress plugin does an automated test via Let's Debug, which in turn submits an order to the Let's Encrypt staging server.

I'm pretty sure "Policy forbids issuing for name identifier" comes directly from Boulder (or at least it used to!).

What's confusing here though is that unlimitedglam.com doesn't produce this error. Are you sure that's the domain name the plugin is complaining about?

(Edit

Well, this is doubly confusing. I can find some errors in the Let's Debug database along the lines of:

Error creating new order :: Cannot issue for "www.apple.com": Policy forbids issuing for name

but not since ~2019 or so ...

)

2 Likes

Hello _az,

Yes, the domain name is: http://unlimitedglam.com/

1 Like

But are you 100% sure there is no "example.com" hiding in there somewhere maybe?

Are there any detailed logs that might show more?

1 Like

How do I check that? I am not an expert at this.

Also, I can see that letsdebug.net is throwing this error:
[Let's Debug]

Maybe this can help!

1 Like

Well, what I doubt is that the server WordPress shows the client is using is Apache, but while querying on letsdebug.net, it says the server is nginx, which is strange. Can this be the reason?

1 Like

Having both (Apache and nginx) would indicate an issue.
While trying to confirm your issue, I ran into yet a bigger issue:

curl -Iki http://unlimitedglam.com/
curl: (6) Could not resolve host: unlimitedglam.com

Something isn't right with the DNS systems responsible for your domain:

unlimitedglam.com       nameserver = ns1.bluehost.com #sometimes does not show on list
unlimitedglam.com       nameserver = ns2.bluehost.com #sometimes does not show on list
unlimitedglam.com       nameserver = ns1.whois.com    #sometimes does not show on list
unlimitedglam.com       nameserver = ns2.whois.com    #sometimes does not show on list
unlimitedglam.com       nameserver = ns3.whois.com
unlimitedglam.com       nameserver = ns4.whois.com

Name:    ns1.bluehost.com
Address: 162.159.24.80

Name:    ns2.bluehost.com
Address: 162.159.25.175

Name:      ns1.whois.com
Addresses: 162.251.82.122
           162.251.82.123
           162.251.82.250
           162.251.82.251

Name:      ns2.whois.com
Addresses: 162.251.82.120
           162.251.82.121
           162.251.82.248
           162.251.82.249

Name:      ns3.whois.com
Addresses: 162.251.82.118
           162.251.82.119
           162.251.82.246
           162.251.82.247

Name:      ns4.whois.com
Addresses: 162.251.82.124
           162.251.82.125
           162.251.82.252
           162.251.82.253

Having 18 IPs delayed the DNS verification, but here it is:

DNS server IP  SOA serial IP returned
162.159.24.80  2021012800 162.241.224.113
162.159.25.175 2021012800 162.241.224.113
162.251.82.118 2021012701 none
162.251.82.119 2021012701 none
162.251.82.120 2021012701 none
162.251.82.121 2021012701 none
162.251.82.122 2021012701 none
162.251.82.123 2021012701 none
162.251.82.124 2021012701 none
162.251.82.125 2021012701 none
162.251.82.246 2021012701 none
162.251.82.247 2021012701 none
162.251.82.248 2021012701 none
162.251.82.249 2021012701 none
162.251.82.250 2021012701 none
162.251.82.251 2021012701 none
162.251.82.252 2021012701 none
162.251.82.253 2021012701 none

Only two of those authoritative servers return an IP for your domain name.
So naturally, if you ask the Internet, some global DNS providers will return an IP some of the time [with fresh 4 hour TTLs] and nothing most of the time [16/18 return nothing]:

nslookup -q=a unlimitedglam.com 1.1.1.1
Name:    unlimitedglam.com
Address: 162.241.224.113

nslookup -q=a unlimitedglam.com 9.9.9.9
Name:    unlimitedglam.com
Address: 162.241.224.113

And nothing most of the time:

nslookup -q=a unlimitedglam.com 4.2.2.2
Name:    unlimitedglam.com

nslookup -q=a unlimitedglam.com 8.8.8.8
Name:    unlimitedglam.com

nslookup -q=a unlimitedglam.com 208.67.222.222
Name:    unlimitedglam.com

So I would begin with fixing this DNS problem.

Update:
The only servers that show an IP are the ones from bluehost and they don't even show on the list most of the time [LE would likely see them though].
The ones from whois.com [your registrar?] never return an IP and would cause LE to fail your request when checked.

1 Like
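The check above (query every authoritative server directly, compare the SOA serial and the A answer each one gives) is worth automating, because a validator like Let's Encrypt may hit any of the listed servers. The script below is an added example, not code from the thread or from Let's Encrypt; it uses only the Python standard library, sends non-recursive queries straight to each nameserver IP, and then audits the per-server results for the two failure modes visible in the thread: servers that return no address, and serial drift between servers. The `THREAD_RESULTS` table reproduces the figures posted above; the wire-format reply returned by `build_sample_response()` is constructed for offline testing, not captured from the real servers.

```python
"""Audit a zone's authoritative nameservers for inconsistent answers (stdlib only)."""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_SOA = 1, 6


def encode_name(name):
    """Wire-format a dotted hostname as DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(data):
    """Return ([(rtype, value, ttl), ...], aa_flag) from the answer section.
    A records yield the dotted IPv4; SOA records yield the zone serial."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4     # skip qtype + qclass
    records = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            records.append(("A", socket.inet_ntoa(data[off:off + 4]), ttl))
        elif rtype == QTYPE_SOA:
            p = skip_name(data, skip_name(data, off))   # skip MNAME and RNAME
            records.append(("SOA", struct.unpack_from("!I", data, p)[0], ttl))
        off += rdlen
    return records, bool(flags & 0x0400)   # AA bit: answer is authoritative


def query(server_ip, name, qtype, timeout=2.0):
    """Send one UDP query with RD=0 directly to an authoritative server."""
    header = struct.pack("!HHHHHH", random.randint(0, 0xFFFF), 0, 1, 0, 0, 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return data


def probe(server_ip, name):
    """(serial, a_record) as seen from one server; None where it answered nothing."""
    seen = {"SOA": None, "A": None}
    for qtype in (QTYPE_SOA, QTYPE_A):
        try:
            records, _ = parse_answers(query(server_ip, name, qtype))
        except (OSError, IndexError, struct.error):   # timeout, refused, malformed
            continue
        for rtype, value, _ in records:
            if seen[rtype] is None:
                seen[rtype] = value
    return seen["SOA"], seen["A"]


def audit(results):
    """results: {server_ip: (serial, a_record)}. Flags silent servers and serial drift."""
    serials = sorted({s for s, _ in results.values() if s is not None})
    answering = sorted(ip for ip, (_, a) in results.items() if a)
    silent = sorted(ip for ip, (_, a) in results.items() if not a)
    return {"serials": serials, "answering": answering, "silent": silent,
            "consistent": len(serials) <= 1 and not silent}


# Per-server results as posted in the thread (bluehost answers, whois.com returns nothing).
THREAD_RESULTS = {"162.159.24.80": (2021012800, "162.241.224.113"),
                  "162.159.25.175": (2021012800, "162.241.224.113")}
THREAD_RESULTS.update({"162.251.82.%d" % n: (2021012701, None) for n in
                       (118, 119, 120, 121, 122, 123, 124, 125,
                        246, 247, 248, 249, 250, 251, 252, 253)})


def build_sample_response():
    """Constructed authoritative reply with one A and one SOA record (offline test input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)    # QR=1, AA=1
    question = encode_name("unlimitedglam.com") + struct.pack("!HH", QTYPE_A, 1)
    ptr = b"\xc0\x0c"                                              # points at the qname
    a_rr = ptr + struct.pack("!HHIH", QTYPE_A, 1, 14400, 4) + socket.inet_aton("162.241.224.113")
    soa_rdata = (encode_name("ns1.bluehost.com") + b"\x0ahostmaster" + ptr
                 + struct.pack("!IIIII", 2021012800, 86400, 7200, 3600000, 300))
    soa_rr = ptr + struct.pack("!HHIH", QTYPE_SOA, 1, 14400, len(soa_rdata)) + soa_rdata
    return header + question + a_rr + soa_rr


if __name__ == "__main__":
    # Default: audit the recorded table. "--live" re-probes the same server IPs now.
    results = ({ip: probe(ip, "unlimitedglam.com") for ip in THREAD_RESULTS}
               if "--live" in sys.argv else THREAD_RESULTS)
    for ip, (serial, addr) in sorted(results.items()):
        print(f"{ip:16} serial={serial} A={addr}")
    print(audit(results))
```

Run without arguments it reports on the table from the thread: two serials in play (2021012701 on the whois.com servers, 2021012800 on the bluehost servers) and 16 of 18 servers silent, so `consistent` is False. Querying with RD=0 matters: an authoritative server that also recurses would otherwise mask the gap by fetching the answer elsewhere, which is exactly what makes the public resolvers in the thread disagree with each other.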
