Cannot issue for "": Domain name is an ICANN TLD

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
Issue new Lets Encrypt certificate

It produced this output:

Could not issue an SSL/TLS certificate for
Could not issue a Let's Encrypt SSL/TLS certificate for .
Perhaps this domain is at risk group and is blacklisted on the Let's Encrypt side.
See the related Knowledge Base article for details.
Invalid response from
Type: urn:ietf:params:acme:error:rejectedIdentifier
Status: 400
Detail: Error creating new order :: Cannot issue for "": Domain name is an ICANN TLD

The operating system my web server runs on is (include version): cloudlinux

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian

1 Like

Is that your actual complete domain name: "" ?

If I own "", that doesn't mean I can get a cert for just "com".

1 Like

Yes it is my actual domain.

in fact, I just recently update the public suffix list

1 Like

Sadly, I'm unable to confirm your ownership:

And I'm not certain what update you speak about within the PSL.

But these things need to be sorted out with LE directly.
They do monitor this community but the majority of posts are from the community members/volunteers.
So you will have to wait for one of them to respond about the message:

I'll ping a few that should be able to help you (or find those that can):
@jsha @aarongable @_az

1 Like

And while we wait on them...
There are some issues with your DNS provider (at least with some of their EU systems): | DNSViz
[even with the .YE TLD itself - perhaps you could better use a .yemen TLD instead - LOL]

1 Like

It's difficult to get any information about the .ye TLD, but from Wikipedia:

Registrations are made at third level beneath several second-level names

This suggests it isn't even possible to own, as it isn't a third level name. It's lacking one of the listed second-level names. Unfortunately, no source was listed.

Strangely enough your domain name in fact does resolve to an IP address.. :stuck_out_tongue:

1 Like

Hello there,
We are the system administrators for the ccTLD .ye domain name; and thus, any subdomain under .ye
We updated the Public Suffix List to merge ye to the list as seen in my colleague snap-shot.


First-level domains under ye stopped being considered public suffixes only very recently: 3 days ago. It might take a couple of weeks for that change to make it to Let's Encrypt in production.

I've filed to update the list.


Hello @razehrah,

I suppose this comes from Question: Problem with issuing SSL certificate under .ye domain

Keep in mind that PSL has been updated 3 days ago and boulder (Let's Encrypt) has not been updated yet to use the updated PSL so it could take a while but @lestaff could give more info about this issue.

Edit: as usual, @_az is faster than me :wink:



So the (first I think) "2" in {2, "ye", 2, false}, from the previous version of the list meant that second level names were also counted as TLDs? 2 is the "Wildcard" type, i.e. *.ye. That would be in line with the (unsourced) Wikipedia statement indeed.



Do you know how long it will take?

I really appreciate your help.
Thank you so much,



We appreciate your update, please.

Thanks a lot



First, the pull request needs to be approved (not really a big deal I suspect). Next, it needs to be released into a Boulder release. As far as I can remember, this follows a weekly schedule with first updating the staging server and the week afterwards the production server. But this may be old information, the staff can correct me on this :slight_smile:

I'm afraid chances are great that this cannot be rushed.


I must agree. Only security and flaw type fixes should ever be rushed.

There should be no dire business need to have an LE cert in place today for a site that just went up a few days ago. If there is such a need, try other CAs - one might be able to help today.
I also don't see how a scheduled change should be considered as being critical and expedited to anyone concerned.

Was there no previous secured site?
Can't you just redirect to ?
[until you can get a cert for]

1 Like

Hi @razehrah,

This change will likely be live next week, by the end of the week, in production. Thank you to @_az for filing the PR!

You can follow the changes/updates here:

Fundraising Specialist at Let's Encrypt


@jple Not every change goes through staging first before deployment in production?

1 Like

I believe most changes do but will let the Dev team comment on that. I think the idea would be to bake it this week and move it to prod next week, depending on the availability of our team.


Although this community forum is active at all times, LE staff are full time employees who don't work weekends :slight_smile: We'll look at the relevant PR here as part of our normal development activities.

Every change goes through staging first, Jenessa was simply giving the time at which it would likely be available in production.


@jple Ah, next week indeed, I read "by the end of the week" but skipped over the "next week" part before that :wink: Sorry for the noise!


Hello everyone,
Is there any update, please?

1 Like