Cannot Issue for ICANN TLD

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ms.gov.br
I ran this command:
certbot --nginx -d ms.gov.br

It produced this output:
{
"type": "urn:ietf:paams:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for "ms.gov.br": Domain name is an ICANN TLD",
"status": 400
}

My web server is (include version):
nginx 1.24

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

According to the Public Suffix List, the domain ms.gov.br is recognised as a top level domain (ICANN top level domain) for a state of Brazil, not a private domain. And Let's Encrypt doesn't issue certificates for ICANN top level domains.

7 Likes

And yet there exists:

Name:    ns.vs029.ms.gov.br
Address:  187.86.226.68
Aliases:  www.ms.gov.br

Name:    ms.gov.br
Address:  187.86.226.68

Go figure!

2 Likes

@rg305 The baseline requirements don't forbid such a thing. It's just LE doesn't allow it in Boulder. Not sure why though :slight_smile:

2 Likes

Maybe some other CA can provide them a cert for their base domain site.

2 Likes

Let's Encrypt doesn't issue for ICANN TLDs / Public Suffixes for two reasons:

  1. issuance for wildcard certificates under such names is expressly forbidden, and it's safer and easier to have the same policy for all names regardless of wildcard status; and
  2. issuance requests for such names are quite rare.

I'm sorry that you ran into this corner case and that your issuance request was denied. Some avenues open to you include:

  • request issuance for only www.ms.gov.br
  • get ms.gov.br removed from the public suffix list (do this only if people truly cannot register arbitrary subdomains under ms.gov.br)
  • use a different ACME CA who might have a different policy

We might also reconsider this policy, but any changes we make here would be slow and deliberate, so don't wait on us.

7 Likes

They do that already:
image

And their base domain does redirect to the secure "www".
It's just when anyone types "https://ms.gov.br", they don't have a cert for them.

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.