Can’t obtain certificate for *.tk domain


#1

Hi there,

I’m trying to obtain a certificate for the domain seventies.tk, but I am receiving the following message:

Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “sevenbits.tk www.sevenbits.tk””, “status”: 400 }

I was previously able to obtain a working certificate for these domains without issue. I need a new certificate as I am using a new server. Were *.tk domains blacklisted?

If it helps, I am using the website sslforfree.com, which I previously used to obtain a Let’s Encrypt certificate without issue.


#2

Looks like a stray quotation mark was accidentally entered into the domain field at sslforfree.com and that confused it.

“sevenbits.tk www.sevenbits.tk

Please try again and remember to double-check that the domains are entered correctly before proceeding to verification.


#3

@sevenbits use this URL to try again. (Will save you from entering domains)
https://www.sslforfree.com/create?domains=sevenbits.tk+www.sevenbits.tk


#4

So, it looks like the issue was a result of trying to use my own CSR. I generated my own 4096-bit private key and then derived a CSR from that key, which failed with the above error. But it works when I have the website generate the private key and CSR for me.


#5

Hi @sevenbits,

What command/process did you use to generate the CSR? I bet that you accidentally included a subject alternate name or a subject common name that had the two domains improperly concatenated.

If you share how you made the CSR it’s likely we can help fix it to work with sslforfree.com.




#7

I generated the CSR with the standard Linux openssl commands. I don’t recall the exact commands, but I generated a 4096-bit RSA key and then created a CSR from that key. The common names on the CSR were sevenbits.tk and www.sevenbits.tk.


#8

It sounds like it inadvertently contained one Common Name field with the invalid name “sevenbits.tk www.sevenbits.tk”.

You should put one of the names in the Common Name, and then both names, individually, in the Subject Alternative Names list. (Leaving the Common Name out may also work, I don’t remember.)

Unfortunately openssl makes this a hassle. You can use a command along the lines of this post:
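
As an added example (not from this thread, and not the command from the post referenced above), this is one way to build a CSR with a single Common Name and each domain as its own Subject Alternative Name entry, then read the names back before submitting. The helper names `make_csr` and `csr_names`, the `KEY_BITS` variable and the output file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example; make_csr and csr_names are hypothetical helper names.
# Usage after sourcing: make_csr ./out sevenbits.tk www.sevenbits.tk

# make_csr OUTDIR DOMAIN [DOMAIN...]
# Writes OUTDIR/key.pem and OUTDIR/csr.pem. The first domain becomes the
# Common Name; every domain gets its own DNS entry in subjectAltName.
make_csr() {
    [ $# -ge 2 ] || { echo "usage: make_csr OUTDIR DOMAIN..." >&2; return 2; }
    outdir=$1; shift
    cn=$1; san=""; i=0
    for name in "$@"; do
        # Refuse several names, spaces or quotes packed into one field
        # (assumption: plain hostnames only, no wildcards).
        case $name in
            ""|*[!A-Za-z0-9.-]*) echo "invalid name: '$name'" >&2; return 1 ;;
        esac
        i=$((i + 1))
        san="${san}DNS.$i = $name
"
    done
    mkdir -p "$outdir" || return 1
    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = @alt
[alt]
$san
EOF
    # Create the private key readable by the owner only.
    (umask 077 && openssl genrsa -out "$outdir/key.pem" "${KEY_BITS:-4096}" \
        2>/dev/null) || return 1
    openssl req -new -key "$outdir/key.pem" -config "$outdir/csr.cnf" \
        -out "$outdir/csr.pem"
}

# csr_names CSR: print each DNS name in the CSR's SAN extension, one per line.
csr_names() {
    openssl req -in "$1" -noout -text | tr ', ' '\n\n' | sed -n 's/^DNS://p'
}
```

Running `csr_names` on the result should list each domain on a separate line; a line containing a space or a quotation mark means the names were merged into one field.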

