Cannot issue for "": Domain name is an ICANN TLD

Sadly, I'm unable to confirm your ownership:

And I'm not certain what update you speak about within the PSL.

But these things need to be sorted out with LE directly.
They do monitor this community but the majority of posts are from the community members/volunteers.
So you will have to wait for one of them to respond about the message:

I'll ping a few that should be able to help you (or find those that can):
@jsha @aarongable @_az

And while we wait on them...
There are some issues with your DNS provider (at least with some of their EU systems): | DNSViz
[even with the .YE TLD itself - perhaps you could better use a .yemen TLD instead - LOL]

It's difficult to get any information about the .ye TLD, but from Wikipedia:

Registrations are made at third level beneath several second-level names

This suggests it isn't even possible to own, as it isn't a third level name. It's lacking one of the listed second-level names. Unfortunately, no source was listed.

Strangely enough your domain name in fact does resolve to an IP address.. :stuck_out_tongue:

Hello there,
We are the system administrators for the ccTLD .ye domain name, and thus any subdomain under .ye.
We updated the Public Suffix List to merge ye to the list, as seen in my colleague's snapshot.


First-level domains under ye stopped being considered public suffixes only very recently: 3 days ago. It might take a couple of weeks for that change to make it to Let's Encrypt in production.

I've filed to update the list.


Hello @razehrah,

I suppose this comes from Question: Problem with issuing SSL certificate under .ye domain

Keep in mind that the PSL was updated 3 days ago and boulder (Let's Encrypt) has not been updated yet to use the updated PSL, so it could take a while, but @lestaff could give more info about this issue.

Edit: as usual, @_az is faster than me :wink:



So the (first I think) "2" in {2, "ye", 2, false}, from the previous version of the list meant that second level names were also counted as TLDs? 2 is the "Wildcard" type, i.e. *.ye. That would be in line with the (unsourced) Wikipedia statement indeed.



Do you know how long it will take?

I really appreciate your help.
Thank you so much,



We appreciate your update, please.

Thanks a lot



First, the pull request needs to be approved (not really a big deal I suspect). Next, it needs to be released into a Boulder release. As far as I can remember, this follows a weekly schedule with first updating the staging server and the week afterwards the production server. But this may be old information, the staff can correct me on this :slight_smile:

I'm afraid chances are great that this cannot be rushed.


I must agree. Only security and flaw type fixes should ever be rushed.

There should be no dire business need to have an LE cert in place today for a site that just went up a few days ago. If there is such a need, try other CAs - one might be able to help today.
I also don't see how a scheduled change should be considered as being critical and expedited to anyone concerned.

Was there no previous secured site?
Can't you just redirect to ?
[until you can get a cert for]

Hi @razehrah,

This change will likely be live next week, by the end of the week, in production. Thank you to @_az for filing the PR!

You can follow the changes/updates here:

Fundraising Specialist at Let's Encrypt


@jple Not every change goes through staging first before deployment in production?

I believe most changes do but will let the Dev team comment on that. I think the idea would be to bake it this week and move it to prod next week, depending on the availability of our team.


Although this community forum is active at all times, LE staff are full time employees who don't work weekends :slight_smile: We'll look at the relevant PR here as part of our normal development activities.

Every change goes through staging first, Jenessa was simply giving the time at which it would likely be available in production.


@jple Ah, next week indeed, I read "by the end of the week" but skipped over the "next week" part before that :wink: Sorry for the noise!


Hello everyone,
Is there any update, please?

Are you still seeing the same error message?:

And for anyone who doesn't get why this should not be allowed.
Think about wildcards and how they work for a second.
Now apply that to any TLD... like DOT COM:
Should anyone ever trust a CA issued cert with the SAN entry *.com ?
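
An added example, not part of the thread and not Boulder's code: a minimal Public Suffix List matcher in Go showing how replacing the wildcard rule `*.ye` with a plain `ye` rule changes the answer for a name directly under `.ye`, and why `*.com` is refused under either list. The rule sets are constructed (`com.ye` is an assumed second-level suffix), exception rules (`!`) are omitted, and `mayIssue` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed rule sets for illustration, not copied from the real list.
var (
	oldRules = []string{"com", "*.ye"}         // wildcard: every name directly under ye is a suffix
	newRules = []string{"com", "ye", "com.ye"} // com.ye is an assumed second-level suffix
)

// ruleMatches reports whether rule matches the rightmost labels of n ("*" matches any one label).
func ruleMatches(rule string, n []string) bool {
	r := strings.Split(rule, ".")
	if len(r) > len(n) {
		return false
	}
	for i := 1; i <= len(r); i++ {
		if rl := r[len(r)-i]; rl != "*" && rl != n[len(n)-i] {
			return false
		}
	}
	return true
}

// publicSuffix applies the longest matching rule; with no match the default rule "*" gives the last label.
func publicSuffix(name string, rules []string) string {
	labels := strings.Split(strings.ToLower(name), ".")
	best := 1
	for _, rule := range rules {
		if k := strings.Count(rule, ".") + 1; k > best && ruleMatches(rule, labels) {
			best = k
		}
	}
	return strings.Join(labels[len(labels)-best:], ".")
}

// mayIssue (hypothetical) refuses a SAN whose base name, minus a leading "*.", is itself a public suffix.
func mayIssue(san string, rules []string) bool {
	base := strings.ToLower(strings.TrimPrefix(san, "*."))
	return publicSuffix(base, rules) != base
}

func main() {
	for _, san := range []string{"example.ye", "*.example.ye", "example.com.ye", "*.com"} {
		fmt.Printf("%-16s old=%-5v new=%v\n", san, mayIssue(san, oldRules), mayIssue(san, newRules))
	}
}
```

Under the old rule set a certificate for `example.ye` would also cover a name the list treats as a registry-level suffix, which is the same reason `*.com` must never be issued.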


Production is now running e0510056, which includes the updated PSL. You should be able to request a certificate now.


@razehrah, seems you finally got it :wink:

CA  CERT TYPE   DOMAIN (CN)  KEY ALG      VALID FROM             VALID TO               EXPIRES IN  SANs
R3  Final cert    RSA 2048bit  2021-Feb-03 05:50 UTC  2021-May-04 05:50 UTC  89 days     *