Cannot get certificate for domain


#1

policy forbids issuing for: 'sts.adamwilliams.host'.

Any ideas why I’m getting this error and what I can do about it?

Edit: so apparently this is because *.some-name.host is assumed to belong to a hosting company customer, which seems to be a bit of a dumb assumption to make given it’s (it = the gTLD) just an arbitrary string. I own the parent domain, any way I can prove this?


#2

Hmm, that’s interesting. The error suggests the domain is blacklisted as a high-risk domain (think: paypal.<TLD>, etc.) for which Let’s Encrypt does not issue certificates. However, I can’t think of any reason why this would apply to your domain.

@jsha Any thoughts on what’s happening here?


#3

This is not the case. Can you share the information that led you to this conclusion, so I can correct the source?

I believe the actual error here is that you are trying to issue for 'sts.adamwilliams.host' (quotes included) rather than sts.adamwilliams.host (no quotes). Can you tweak your command line to fix the quoting?


#4

To go into a little bit more detail: The message you got applies only at certificate issuance time, not when you attempt to authorize your domain. That means that the client you are using correctly quotes the domain for authorization, but when generating the CSR to request a certificate, it incorrectly adds single-quote characters. What client are you using?


#5

This is not the case. Can you share the information that led you to this conclusion, so I can correct the source?

I was misinformed by another user on IRC. I linked them to this thread.

you are trying to issue for ‘sts.adamwilliams.host’

Just checked the CSR and you’re absolutely right.

Many thanks, you hit the nail on the head with the quotes. To further expand, it was an issue with a script designed for generating certs/CSRs/DH params etc needed for an IRCd. I think I’d have been better off doing all the OpenSSL stuff at the command line manually because this is not the first issue with said script. I thought it’d save some time, though.

The actual ACME client was ZeroSSL’s web application (I only wanted one short-lived testing cert) which did things properly as far as I can see.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.