acme.messages.Error: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: Problem(s) occurred while validating identifiers within the new-order request, see the subproblems field for specifics.
Problem for 191.203.30.34.bc.googleusercontent.com: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: These domain names are listed as protected: googleusercontent.com
My web server is (include version):
image: nginx:latest
The operating system my web server runs on is (include version):
That's the Google Certificate Authority server, not Let's Encrypt. While someone here may offer help anyway, we focus on problems getting and using Let's Encrypt certs.
You might try a Google CA forum or maybe even the Certbot GitHub.
Just wanted you to know you might not see a lot of help offered here for that problem
I agree with Mike, please refer to the Google CA support channels for help with their ACME service.
Also, I know Let's Encrypt doesn't issue certs for certain, I believe Amazon/AWS, domains with a similar construction with the IP address in front of it. This is due to the often ephemeral nature of the ownership of these hostnames, which can be significantly shorter than the 90 day lifetime of a Let's Encrypt cert currently. So I could imagine Let's Encrypt also not issuing certs for these ip.ad.dr.ress.bc.googleusercontent.com hostnames.
Thank you for your response. I've been successfully using "certbot / letsencrypt" for the past year to get certificates for my Google GKE test cluster using the googleusercontent.com domain names without issues. This seems to be new behavior. Thanks.
What were the hostnames which succeeded in the past?
By the way, currently the CAA RR for googleusercontent.com does not allow certs to be issued by Let's Encrypt:
googleusercontent.com. 86400 IN CAA 0 issue "pki.goog"
If subdomains of that domain do not contain any CAA RR (there's none for the bc subdomain anyway), this CAA RR will be used. So no Let's Encrypt possible (currently).
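To make the CAA reasoning in the post above concrete, here is an added example (not code from the thread or from any CA) that evaluates a CAA policy the way RFC 8659 describes: walk from the requested name up through its parents, take the first CAA RRset found, and then check whether the requesting CA's issuer domain is listed. The zone snapshot is constructed from the single record quoted in the thread; the function names (`relevant_rrset`, `caa_permits`) and the extra test zones are my own, and the wildcard/critical-flag handling is a simplified reading of the RFC rather than any CA's actual implementation.

```python
"""Offline CAA evaluation in the style of RFC 8659 (simplified)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the record as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or a future tag
    value: str   # e.g. 'pki.goog' or 'letsencrypt.org; validationmethods=dns-01'


# Constructed zone snapshot: the only CAA record is the one quoted in the thread,
# at the apex.  Neither the bc label nor the host itself carries CAA records.
ZONE = {
    "googleusercontent.com": [CAARecord(0, "issue", "pki.goog")],
}


def relevant_rrset(name, zone):
    """Climb from `name` towards the root; the first CAA RRset found is relevant.

    Returns (owner_name, records); (None, []) when nothing in the hierarchy
    carries CAA, which per the RFC means issuance is not restricted by CAA.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, list(rrset)
    return None, []


def issuer_domain(value):
    """Strip parameters: 'pki.goog; accounturi=...' -> 'pki.goog'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain, zone, wildcard=False):
    """Decide whether `ca_domain` may issue for `name`; returns (allowed, reason)."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records anywhere in the hierarchy"

    ca = ca_domain.lower()
    known_tags = {"issue", "issuewild", "iodef"}
    # An unknown tag with the critical flag set must block issuance.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in known_tags:
            return False, f"critical unknown tag {rr.tag!r} at {owner}"

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard requests prefer issuewild and fall back to issue; plain names use issue only.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True, f"CAA at {owner} imposes no issue restriction for this request"

    allowed = {issuer_domain(rr.value) for rr in applicable}
    allowed.discard("")  # a bare ';' value means "no CA may issue"
    if ca in allowed:
        return True, f"CAA at {owner} lists {ca}"
    return False, f"CAA at {owner} permits only {sorted(allowed) or 'no CA'}"


if __name__ == "__main__":
    host = "191.203.30.34.bc.googleusercontent.com"
    for ca in ("letsencrypt.org", "pki.goog"):
        ok, why = caa_permits(host, ca, ZONE)
        print(f"{ca:16} -> {'allowed' if ok else 'refused'}: {why}")
```

Running it shows the thread's situation directly: for the reverse-IP hostname the walk stops at googleusercontent.com, whose single `issue "pki.goog"` record permits only Google's CA, so a Let's Encrypt request is refused by CAA before any ACME challenge is attempted. Real CAs also resolve CNAMEs and retry on DNS failures, which this constructed-zone version leaves out.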
I've been using 191.203.30.34.bc.googleusercontent.com, or a similar address in the past. The hostname changes whenever I allocate a new external IP address on Google Cloud, because the hostname contains the IP address in reverse, but it's always been "*.googleusercontent.com". Thanks.
It can be really confusing that certbot directs everyone here for support, even when using other CAs. But it looks like the Google CA intentionally is no longer issuing for those names. You'd probably have to contact them or dig through their documentation to try to figure out whether it's some temporary block, or if they want you to do something different instead.
Usually, though, these kinds of ephemeral names are not really intended for use for browsers to connect to directly, and you'd set up an actual hostname to point to it, which is what you'd be getting a certificate for.
Thank you Peter. These are GKE test clusters I'm creating, so I don't have a dedicated hostname. I simply allocate an external IP address with Google Cloud, then do a reverse lookup to get the hostname associated with that address. This has been working fine for me for the past year, and only started to fail now. Thanks.