Certbot Manual Issue Error


#1

Hi,

I’m attempting to obtain SSL certificates manually via certbot for my local development environment on Windows 10. Since certbot doesn’t work on Windows (yet), I’m using certbot installed on WSL Ubuntu 18.04 to get the certificate. Here is the command I’m using:

sudo certbot certonly --standalone --preferred-challenges http -d <my_hostname>

However, I’m getting the following error message

An unexpected error occurred:
Error creating new order :: Policy forbids issuing for name
Please see the logfiles in /var/log/letsencrypt for more details.

Please note that this development environment is on my Oracle laptop and the hostname is static and unique.

Any help would be most appreciated.

Thanks & regards,
Debojit


#2

Hi,

What’s the domain name?

Is it a publicly resolvable TLD (not an internal domain)?
Is it a high Alexa rank site? Is it a financial domain?

Thank you


#3

Hi @debojit1986

You need a publicly visible domain name, not only an internally visible hostname.

Let’s Encrypt can’t create a certificate with an internal name or with an IP address.


#4

Hi,

As per my IT support, the hostname can be resolved over the internet, however, it doesn’t have a high Alexa rank (being the hostname of my own laptop). I’m trying to set up Let’s Encrypt certs for a local dev environment on my laptop.

Thanks & regards,
Debojit


#5

Ok.

Could you please provide us the domain name? (You don’t need to provide us the full hostname, just the domain name)

It might be blocked by Let’s Encrypt due to security precautions (since some domains might be sensitive, in a good way…)

Thank you


#6

Hi,

It’s DEBOSINH-IN.idc.oracle.com.

Thanks & regards,
Debojit


#7

Okay…

That’s the issue.

Oracle is definitely on the sensitive list.

You’ll need to contact a Let’s Encrypt staff member to unblock it.

The staff group is @lestaff

They’ll request some information from Oracle to unblock it.

If you can’t PM them, you could also send an email to security @ letsencrypt.org

Or send an email to one particular staff member at
forumid@letsencrypt.org

Please note that only people in lestaff have an email address ending in letsencrypt.org

Thank you


#8

There is no A record, so you can’t use http-01 validation.

D:\temp>nslookup DEBOSINH-IN.idc.oracle.com.
Non-existent domain.
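
The check from post #8, as an added example that is not part of the original thread: a pre-flight test to run before `certbot certonly --standalone`, confirming that the name has an A/AAAA record pointing at a publicly routable address. The function names and sample hostnames are assumptions made for illustration, and the check cannot detect a CA policy block like the one described in post #7.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the set of A/AAAA addresses the local resolver reports.

    Note: the local resolver may see split-horizon DNS or /etc/hosts entries
    that the CA's validation servers on the public internet will not see.
    """
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope id ("fe80::1%eth0") so ipaddress can parse it.
    return {info[4][0].split("%")[0] for info in infos}


def http01_preflight(hostname, resolver=resolve):
    """Return (ok, reason): can http-01 validation plausibly reach hostname?"""
    name = hostname.rstrip(".")
    try:
        ipaddress.ip_address(name)
        return False, "IP address, not a domain name"
    except ValueError:
        pass
    if "." not in name:
        return False, "not a fully qualified domain name"
    addrs = resolver(name)
    if not addrs:
        return False, "no A/AAAA record"
    public = sorted(a for a in addrs if ipaddress.ip_address(a).is_global)
    if not public:
        return False, "resolves only to non-public addresses"
    return True, "resolves to " + ", ".join(public)


if __name__ == "__main__":
    # Constructed sample data: a fake resolver so the demo runs offline.
    sample = {"dev.example.com": {"8.8.8.8"}, "laptop.example.com": {"10.0.0.5"}}
    for host in ("dev.example.com", "laptop.example.com", "missing.example.com"):
        print(host, http01_preflight(host, lambda n: sample.get(n, set())))
```

Calling `http01_preflight("<my_hostname>")` without the second argument uses the system resolver instead of the constructed sample data.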


#9

Ah, I see now. I’ll get in touch with the team right away. Many thanks for the help and advice.

Thanks & Regards,
Debojit


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.