ACME server refuses to issue a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: avtera.cloudapp.net

I ran this command:
lego --tls --email="myemail@mydomain.org" --domains="avtera.cloudapp.net" --path="C:\Bitnami\redmine-4.1.1-1\letsencrypt" run

It produced this output:
2020/05/02 12:47:16 [INFO] [avtera.cloudapp.net] acme: Obtaining bundled SAN certificate
2020/05/02 12:47:16 Could not obtain certificates:
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for “avtera.cloudapp.net”:The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy, url:

My web server is (include version): Apache 2.4.43

The operating system my web server runs on is (include version): Windows server 2012 R2

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Lego 3.5.0

It seems that this domain is NOT allowed to have certs.

The domain is owned by Microsoft.
All (non-Microsoft issued) certs on that domain expired 4 years ago.
It seems that MS doesn’t want any other CA to issue certs for it…
You may need to speak with them about that or to have them issue you another domain name.
[one that is allowed to have certs issued to it]

Here is an example of one related name that was issued recently:
[by Microsoft CA]
https://crt.sh/?id=2636398386
https://www.ssllabs.com/ssltest/analyze.html?d=xtestportal.cloudapp.net

I would guess that it's banned for the same reason that a subdomain of amazonaws.com is banned - it's a user content domain controlled by the cloud provider and can get re-assigned at any time.


OK, it seems it is not possible to get a third party certificate for this domain.
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal

  • "You cannot obtain a TLS/SSL certificate from a certificate authority (CA) for the cloudapp.net domain."

This virtual machine was installed four years ago and it got a nice simple URL :-). I made a new VM recently in Azure and it got a much longer URL - “something.westeurope.cloudapp.azure.com”. For this domain name there is no problem getting a Let's Encrypt certificate.
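
Added example, not part of the original thread and not lego's own code: a renewal wrapper can parse the error line from the first post and stop retrying when the CA rejects the name by policy. The field layout is taken from the output quoted in that post; the names `parse_lego_error`, `PERMANENT` and `RETRYABLE` and the grouping of RFC 8555 error types into stop/retry are assumptions of this example.

```python
import re

URN = "urn:ietf:params:acme:error:"
# RFC 8555 section 6.7 error types, grouped by whether resending the same
# order can succeed. The grouping is this example's judgement, not lego's.
PERMANENT = {"rejectedIdentifier", "unsupportedIdentifier", "caa"}
RETRYABLE = {"badNonce", "rateLimited", "serverInternal"}

# Field layout as it appears in the lego 3.5.0 output quoted in the post.
LEGO_ERROR = re.compile(
    r"acme: error: (?P<status>\d{3}) :: (?P<method>[A-Z]+) :: (?P<url>\S+)"
    r" :: (?P<type>urn:\S+) :: (?P<detail>.*?)(?:, url:|$)")
REJECTED_NAME = re.compile(r"Cannot issue for [\"“](?P<name>[^\"”]+)[\"”]")

# The error from the post, wrapped at 80 columns the way a console prints it.
SAMPLE = """\
2020/05/02 12:47:16 Could not obtain certificates:
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/ne
w-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new o
rder :: Cannot issue for “avtera.cloudapp.net”:The ACME server refuses to issue
a certificate for this domain name, because it is forbidden by policy, url:
"""

def parse_lego_error(output):
    """Return the ACME problem fields from lego output, or None if absent."""
    # A wrapping console breaks tokens mid-word, so rejoin the lines first.
    joined = "".join(output.splitlines())
    m = LEGO_ERROR.search(joined)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    kind = fields["type"][len(URN):] if fields["type"].startswith(URN) else None
    fields["kind"] = kind
    name = REJECTED_NAME.search(fields["detail"])
    fields["identifier"] = name.group("name") if name else None
    if kind in PERMANENT:
        fields["action"] = "stop"         # the same order will be refused again
    elif kind in RETRYABLE:
        fields["action"] = "retry"        # transient; back off and resend
    else:
        fields["action"] = "investigate"  # unknown type: leave it to a human
    return fields

if __name__ == "__main__":
    print(parse_lego_error(SAMPLE))
```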
