Certbot attempts to include an excluded host in the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I have an Apache VirtualHost for server-status and it includes a TLD that is defined in my local DNS server.

When I run certbot and it asks me which names I want to activate HTTPS for, I exclude that name.

Certbot attempts to include it in the certificate anyway and the generation fails.

My domain is:


I ran this command:

sudo certbot --apache

It produced this output:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: glcwh.com
2: glcwh.bcs
3: local.glcwh.com
4: www.glcwh.com
5: glcwh-status.bcs
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4     # NOTE THAT 5 IS EXCLUDED
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "glcwh.bcs": Domain name does not end with a valid public suffix (TLD)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):

Apache V2.4.29

The operating system my web server runs on is (include version):
Ubuntu Server V18.04.5 LTS

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don’t know):


I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot V1.7.0

Hi @dpatterson

please read your error message.


not a public suffix (like .com, .net, .org etc.), so you can’t create a certificate with that domain name.


Never mind. I failed to notice that there are two names with the bcs TLD.

Sorry for the noise.
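As an added example (not part of the original thread and not Certbot's own code), the following pre-flight check maps a menu answer such as the one in the first post back to host names and separates those a public CA would refuse because of their TLD. The `PUBLIC_TLDS` set and all function names are assumptions made for illustration; `-d` is Certbot's option for naming hosts explicitly.

```python
import re

# Constructed subset of public TLDs for this offline example; a real check
# would load the full IANA TLD list or the Public Suffix List instead.
PUBLIC_TLDS = {"com", "net", "org"}

# Menu as shown in the certbot output in the first post.
MENU = ["glcwh.com", "glcwh.bcs", "local.glcwh.com", "www.glcwh.com", "glcwh-status.bcs"]


def parse_selection(answer, menu):
    """Map an answer such as '1,2,3,4' to names; blank selects every name."""
    tokens = [t for t in re.split(r"[,\s]+", answer.strip()) if t]
    if not tokens:
        return list(menu)
    names = []
    for tok in tokens:
        if not tok.isdecimal() or not 1 <= int(tok) <= len(menu):
            raise ValueError(f"invalid menu number: {tok!r}")
        name = menu[int(tok) - 1]
        if name not in names:
            names.append(name)
    return names


def split_by_tld(names, public_tlds=PUBLIC_TLDS):
    """Return (issuable, rejected) according to the final DNS label."""
    issuable, rejected = [], []
    for name in names:
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        (issuable if "." in name.rstrip(".") and tld in public_tlds else rejected).append(name)
    return issuable, rejected


def certbot_args(names):
    """Build an argument list naming each host explicitly with -d."""
    args = ["certbot", "--apache"]
    for name in names:
        args += ["-d", name]
    return args


if __name__ == "__main__":
    chosen = parse_selection("1,2,3,4", MENU)
    ok, bad = split_by_tld(chosen)
    print("would be rejected by the CA:", bad)
    print("safe to request:", " ".join(certbot_args(ok)))
```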