ACME client sending "dns:www.imovie.party" as domain name - error creating new cert

Hello,
I’m using DNS authentication to apply for a certificate for my domain name: www.imovie.party
But there was an error log
ValueError: Error signing certificate: 400 b'{\n "type": "urn:acme:error:malformed",\n "detail": "Error creating new cert :: policy forbids issuing for: \"dns:www.imovie.party\"",\n "status": 400\n}'
I would like to ask if I can modify the policy so that I can ask for the certificate for www.imovie.party
Thank you very much

@cpu can look into this issue for you.

Thank you, but how can I contact him to help me change it?

He should notice that he was mentioned here. However, there might be some delay because this is the end of a holiday weekend in Canada and the beginning of one in the U.S.

Thank you. Then I’ll wait
In addition, I have another domain name, axdy.site, which shows the same log.
Can you query the platform policy, so that I know the strategy and can avoid the situation again?

Hi @cbreesem,

There's actually nothing in our policies that is preventing issuing for this domain. The problem is that your ACME client is trying to issue a certificate for "dns:www.imovie.party" - note the dns: prefix on there! That's not a valid domain name. I'm guessing that your client has copied the domain from an X509v3 certificate's SAN field and included the "dns" SAN type.

If you provide more information about which ACME client you're using someone will likely be able to help you determine how to send only "www.imovie.party" and not "dns:www.imovie.party", which will resolve your problem. (I also updated the topic title to reflect the true cause of the error).

Hope that helps clear things up!

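The cause guessed at in the reply above (a SAN entry copied together with its type label) can be caught in the client before anything is sent to the CA. The following Python is an added example, not part of the original thread and not the poster's client; the function names are hypothetical, and the sample SAN string is constructed from the two domains in the thread plus a documentation IP address.

```python
import re

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    """True for a bare DNS hostname, optionally with a leading wildcard label."""
    if len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return all(_LABEL.match(label) for label in labels)

def dns_names_from_san(san_text: str) -> list[str]:
    """Extract bare hostnames from an openssl-style SAN string.

    Entries look like "DNS:www.example.com". "DNS:" is the SAN type label,
    not part of the name, so it is stripped. Non-DNS entries are skipped.
    """
    names = []
    for entry in san_text.split(","):
        kind, sep, value = entry.strip().partition(":")
        if not sep or kind.strip().lower() != "dns":
            continue
        name = value.strip().lower().rstrip(".")
        if not is_valid_hostname(name):
            raise ValueError(f"not a valid hostname: {value!r}")
        if name not in names:
            names.append(name)
    return names

def check_before_submit(domains):
    """Fail locally on anything that is not a bare hostname."""
    bad = [d for d in domains if not is_valid_hostname(d.lower())]
    if bad:
        raise ValueError(f"refusing to send non-hostname values: {bad}")
    return [d.lower() for d in domains]

# Constructed sample input, in the form openssl prints a SAN extension.
SAMPLE_SAN = "DNS:www.imovie.party, DNS:axdy.site, IP Address:192.0.2.10"

if __name__ == "__main__":
    print(dns_names_from_san(SAMPLE_SAN))
    try:
        check_before_submit(["dns:www.imovie.party"])
    except ValueError as exc:
        print("rejected locally:", exc)
```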

Thank you. I’ve been away on business these days, so I didn’t see your reply. I see what you mean. I’ll check my client again, because that’s what I wrote with Python.
