Certbot Not Able to Issue Certificate - Site marked as unsafe Google Safe Browsing

What anti-social methods is Let's Encrypt using?

That is pure harassment and wrong accusations.

Let’s Encrypt trusts Google, and Google wrongly accuses the domain of being “unsafe” without any evidence for it.

Let’s Encrypt shall review its policies and not trust Google for that matter.

Also, the previous domain owner did not have anything “malicious” on the website. I was checking it and there was nothing.

It is an unfounded and wrongful accusation.

Not suitable for an ethical project such as Let’s Encrypt.

The FAQ I linked to covers the methods Google uses to determine if a site is malicious, and also what you can do if you disagree with their assessment.

You should contact Google through the Webmaster Tools dashboard to discuss your website & any erroneous results. We won't be able to help you in this forum.


If you authenticate ownership of the domain through Google’s Webmaster Tools, you’ll get detailed information on why your site has been marked as “unsafe” including specific evidence with URLs.

The site in question was never malicious. It was reported by Google as malicious. Those are 2 different statements, express yourself precisely.

I remember why it was reported as malicious: it was possible to use the browser to simply report it, without any evidence. One person who was receiving emails from the site was jealous of one of the services, and claimed to block it, so he did it. They organized, clicked a few times, reported it as such, and since then that was the case; I remembered this today.

Google did not have any evidence for blocking the website.

By the way, why is the user forced to open a Google account to receive the service from Letsencrypt? It should not be so.

And Letsencrypt shall not have the policy of accusation without evidence.

Blind belief to Google? LOL.

I have over here 68 reports of spam, harassment, scam and phishing that were sent to Google, about multiple and repeated Google Mail users, and Google does not act on them. And now I see this important organization blindly believes Google.

If this Letsencrypt organization is transparent, may I see the contract that Letsencrypt and Google have signed?

What is the exact business relation between Letsencrypt and Google?


Thank you for helping. Yet it is not true.

First, Letsencrypt basically forced me to open up a Google account. I find it disgusting and also unpleasantly surprising that Letsencrypt relies on Google.

I remembered that this happened even 2 years ago or longer, when I had control over the website. In the meantime, somebody else had control, and Google never unblocked the website automatically. That means Google accepts false reports by users, blocks the website, and does not take any measures to re-verify it until the webmaster opens a Google account.

The world is not Google, and we have good business also without Google account and their nasty and controlling services.

It is wrongful accusation by Google. Alright.

But why is Letsencrypt participating in such?

Neither Letsencrypt nor Google obviously uses the principle of evidence to accuse a party.

Are we back in the middle ages?

As far as I am aware, you can report a problem, but it will be verified before you are placed on the safebrowsing list.

Most users won't need to because there aren't any issues with their site. It's certainly not a requirement to use Let's Encrypt.

There probably isn't a formal contract. Google has a public SafeBrowsing API that can be used.

Let's Encrypt doesn't want to issue certificates for hacked and marked phishing domains. At the least, they have a bit of a need to ensure some level of checking. There aren't a lot of ways to do this. You could use Google's SafeBrowsing data or a similar service, like the one that is offered by Yandex. SafeBrowsing is generally considered high quality and quick, so it's a good fit. The only other method is to have real humans review each request, which eliminates the focus of Let's Encrypt on offering automated and free certificates. Alternately, you could just not offer any kind of quality control, which would likely get you removed from browser trust stores quickly, killing the service.

If it's wrongful, then it's an easy fix. See the details of why Google has you on the SafeBrowsing list and protest that.

How do you know without looking at the details for why you're on the list?

Either way, it looks to me like the domain isn't on the list anymore, using the public Site Status tool. Maybe you can try to make the request again?

Also, if you're that unhappy with Let's Encrypt, there are several paid providers you could turn to for a certificate.

1 Like
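The post above notes that Let's Encrypt checks Google's public Safe Browsing data before issuing, and that a listing is resolved by looking up why the domain is flagged and disputing it. As an added example (not code from this thread, from Let's Encrypt or from certbot), the Python below shows how an operator can run that same kind of lookup on their own domain ahead of a certificate request, using the Safe Browsing Lookup API v4 `threatMatches:find` endpoint. The request and response shapes follow Google's published API; the `SAFE_BROWSING_API_KEY` environment variable, the `precert-check` client id and the two sample responses are constructed for the example.

```python
"""Check a hostname against Google Safe Browsing before requesting a certificate.

Added example, not code from the thread or from Let's Encrypt/certbot. It builds
a Lookup API v4 `threatMatches:find` request for a domain and interprets the
reply the way an operator would before running certbot, so a listing is found
up front rather than as a refused order.

Assumptions: the public Safe Browsing Lookup API v4 endpoint and JSON shape
(documented by Google); an API key in the SAFE_BROWSING_API_KEY environment
variable for the optional live lookup. The sample responses at the bottom are
constructed for illustration, not captured from Google.
"""
import json
import os
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# Threat categories the Lookup API can match against.
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def build_lookup_request(domain, client_id="precert-check", client_version="0.1"):
    """Build the JSON body for a threatMatches:find call. The list is URL-based,
    so both the http and https roots of the domain are submitted."""
    urls = [f"http://{domain}/", f"https://{domain}/"]
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def summarize_matches(response):
    """Reduce a threatMatches:find response to a sorted list of
    (url, threatType) pairs. An empty JSON object means nothing is listed."""
    matches = response.get("matches", [])
    return sorted({(m["threat"]["url"], m["threatType"]) for m in matches})


def is_listed(response):
    """True when Safe Browsing reports at least one match for the submitted URLs."""
    return bool(summarize_matches(response))


def live_lookup(domain, api_key=None):
    """Optional live query; needs network access and an API key."""
    key = api_key or os.environ.get("SAFE_BROWSING_API_KEY")
    if not key:
        raise RuntimeError("set SAFE_BROWSING_API_KEY to run a live lookup")
    body = json.dumps(build_lookup_request(domain)).encode()
    req = urllib.request.Request(
        f"{LOOKUP_URL}?key={key}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


# Constructed sample replies (not real Safe Browsing output).
CLEAN_RESPONSE = {}
FLAGGED_RESPONSE = {
    "matches": [
        {
            "threatType": "SOCIAL_ENGINEERING",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "http://flagged.example/"},
            "cacheDuration": "300s",
        }
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_lookup_request("www.example.com"), indent=2))
    print("clean sample listed:", is_listed(CLEAN_RESPONSE))
    print("flagged sample:", summarize_matches(FLAGGED_RESPONSE))
```

The useful outcome is the pair `(url, threatType)`: an empty result means the domain is not currently listed and a certificate request should not be blocked on this ground, while a non-empty result names the category to look for in Google's Search Console review before re-running certbot.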

I have reviewed the Let’s Encrypt policies and did not see this connection and reliance on unreliable Google Safebrowsing Policies.

I have seen that Let’s Encrypt is keeping the list of blacklisted or malicious domains, however, there is no transparency to that list.

It says here:

4.2.2 Approval or rejection of certificate applications

ISRG maintains a list of high-risk domains and blocks issuance of certificates for those domains. Requests for removal from the high-risk domains list will be considered, but will likely require further documentation confirming control of the domain from the Applicant, or other proof as deemed necessary by ISRG management.

And such a list shall be transparent, visible, published.

An organization such as Let’s Encrypt shall be transparent, in consistency with its other policies and principles.

There are numerous public references that websites can be wrongly marked as malicious:

Accusing a website of being malicious may be a legal liability.

Thus, when Google is wrongly accusing websites and is not reliable, I do not see by which Let’s Encrypt policy Let’s Encrypt shall be liable for the same wrongdoings that Google is conducting. I am asking: let me know where that policy is.

According to what I have read here:

under section 1.4.2 Prohibited certificate uses

“Also, note that Certificates do not guarantee anything regarding reputation, honesty, or the current state of endpoint security. A Certificate only represents that the information contained in it was verified as reasonably correct when the Certificate was issued.”

In that sense, if Let’s Encrypt is not guaranteeing the reputation of endpoint security, it shall also not make attempts to guarantee reputation security by accessing and consulting otherwise unreliable services such as Google Safebrowsing.

By the way, Google Site Status said they cannot isolate the code that was malicious, and I am repeating that my website was not malicious; it was marked as such by users.

We wish to have ethical services and not corrupt services. If Google is corrupt, Let’s Encrypt need not follow the path.

Or is obliged to do so, due to donations?

The situation Let’s Encrypt is facing is the following:

  • The Baseline Requirements, root store policies (browser/OS vendors) and user expectations based on how other CAs have been operating require that they do at least a minimal amount of work to block certificate issuance for malicious sites. Not doing so could lead to root programs distrusting Let’s Encrypt. Even with the Safe Browsing check in place, Let’s Encrypt is facing a lot of criticism for issuing certificates to phishing sites.
  • Maintaining such a service internally is not realistic and (even ignoring the cost issue) would either cause far more false positives than the current solution or not be effective at all, increasing the risk of being distrusted.
  • Manual verification is out of the question for a free CA.

That leaves us with third-party options like Google’s Safe Browsing. While alternatives do exist, none of them are immune to false positives, so there’s little reason to switch to one of those. Based on the number of posts here that turn out to be related to this, the number of issues caused by this check is very low, and in all cases I’ve seen so far, the domain owners were able to resolve the issue within a few days.

Let’s Encrypt has made their position on this topic clear and would probably be happy to remove the check once the rules change, but as they’re not the ones making the rules, that’s not up to them.


It looks like you're not willing to take time to investigate and verify everything is okay, so I really don't think I'm going to waste much more of my time on this topic. Just a few notes though for clarification:

That's not linked to the SafeBrowsing and any other "malicious" checks, as far as I am aware. That particular policy is to block certificates for domains like "bankofamerica.gr", "wellsfargo.in" or similar obvious high-risk domains for financial and large brands where real damage could be done. I think it's been mentioned before on the forums that LE is considering making the list public, but there are some risks with doing so and it's not high priority.

I've had that happen before, but it usually gives one or two pages where the detected problem exists. Perhaps you could spend a little time looking at the source code and seeing if there is a legitimate problem in them. If not, there's a "review" link to request the removal of the site from the system if it is indeed clean.

1 Like


Do not claim that our website was malicious. I am not against the policy to block malicious websites. I am against the wrong accusations and relying on services which are clearly not reliable, such as Google Safebrowsing or WOT.

That somebody criticizes issuing certificates to phishing sites is not related to the security of communication; it is an SSL certificate and not a certificate of trust, right? So it should not make attempts to provide trust.

It is not the SSL certificate committing the crime but the criminal.

The law and judgment of which website is malicious or not shall be left to the law and the courts.

In my opinion it is absolutely not necessary to check “what those people are communicating” by using an SSL certificate. It shall be available to criminals equally, as it is not for Let’s Encrypt to judge who is who.

What I am mentioning is more of a legal issue, so it shall be delegated to the attorneys of Let’s Encrypt. My viewpoint comes from the legal aspect.

The analogy is:
Should then the PGP key be issued only to people who are not criminals?


I remembered that once, when our website got blocked in the past, it was by the discovery of a malicious user, who was jealous, and who promised me to block the website. Then they got together and somehow reported it through the browser, and it got blocked on Facebook, using WOT and Google Safebrowsing. There was no download at all on the website, and there was absolutely no virus or similar. Further, we use only free software and try to minimize JavaScript or not use it at all. And 99.99% of pages are static HTML.

Google did not give any information on why our website was malicious; it was something like a “The code could not be isolated” message in the Google console. So there was no proof or evidence that the website was malicious.

Google was wrongly accusing us, which is a legal issue.

Let’s Encrypt has wrongly accused us, based on Google, which is a legal issue.

Instead of being a real ass and going to court, I am bringing the issue over here. When a website is accused of being malicious, loss of sales may occur, “profit” loss, or damages and other issues that are usually brought to courts. Google Safebrowsing is already considered by some online testimonials to deserve a class action lawsuit.

Let’s Encrypt shall not rely on any third party service.

If the website is rejected for the issuance of the SSL certificate, then clear information and evidence shall be RECORDED and kept for the future until the matter is solved.

I got the message that the website was reported by a third party as being malicious; that third party was not identified by cert-bot, and inside the logs there was no information on why the website is malicious.

Once again, your assumption that Google is “right” and I am not right is wrong, incorrect. There was never, and absolutely no, evidence within the Google console that there was anything malicious. I do not have screenshots to prove it.

It seems to me that Google, just like WOT and other “watchdog” websites, serves only to advertise themselves and their own services.

Let’s Encrypt shall not rely on an unreliable third party, on third-party services not identified to the user. It shall be transparent in the process of obtaining or rejecting a certificate. cert-bot did not inform me what happened; I found it out on this forum.

Other similar incidents:

What if this happens? Is then all SSL issuance at risk?



I did not claim that your site is malicious. I couldn't say. I made multiple references to false positives being a possibility in any such system, including Safe Browsing.

The question is not whether you, Let's Encrypt or I think that the availability of transport-level encryption should depend on the perceived trustworthiness of a site. I strongly dislike the idea of forcing CAs to be content watchdogs, and going by their blog post and other communication, Let's Encrypt does too.

Unfortunately, none of that matters. It's important to understand how the Web PKI works in this context. The CA/B Forum and the root programs get to make the rules, and as long as they have rules for phishing and malware sites, there's little Let's Encrypt can do as a CA, other than lobby for a policy change. I don't think the root programs are breaking any laws by making those rules, but then again I'm not a lawyer.

This analogy does not fit because issuing a PGP key does not establish trust by itself, whereas a certificate issued by Let's Encrypt is automatically trusted by all mainstream browsers. A more fitting analogy would be a self-signed certificate.



Sure, thank you for the comment.

Let’s keep in mind too that Let’s Encrypt is pretty new, and that none of the commercial SSL issuance services which verified only the domain stopped issuing the SSL service because the website was marked by a “third party” (unidentified) as being malicious. Not that I know of.

Other CAs might not necessarily use Google’s Safe Browsing (though I would imagine some do), but it’s unlikely that there are CAs out there that don’t at least use a similar internal or third-party service, unless their issuance process includes manual vetting. Many commercial CAs offer other security products and could operate something like that internally. As we probably all know from the monthly “$AV_VENDOR bricked hundreds of PCs” news reports, they’re just as prone to false-positives.

1 Like

Just looked up www.poslovne-usluge.com in Google Safe Browsing’s Site status page (see https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=www.poslovne-usluge.com), and it shows “No unsafe content found”, and “This info was last updated on April 29, 2017”. Looks like they’ve changed their status for your site today, and you should be good to go.

1 Like

I'm going to assume that you're not a native English speaker, because in English, you'd be way out of line in saying this (and many other similar statements you've made in this thread). You don't get to dictate policy to Let's Encrypt. You can advocate for what you think policy should be (though you really haven't done this either, other than to repeatedly state that they "shall" do what you think they should do), but they're a private CA and can run their affairs as they see fit--neither you, nor I, nor any of their other users really have a vote. There are plenty of other CAs out there if you don't like their policies.


Yes, thank you; that is because I had to make a Google account and clear it. In that process, Google did not give any information on why it was marked as malicious, so their wrongful accusation was not founded.


It really does not matter what my native language is.

The point is:

  • wrongful accusation by Let’s Encrypt, based on an unreliable and inaccurate Google service.

Now, when somebody wrongfully accuses another person, they may become legally liable. That is why civilized countries, like English-speaking countries, do not put people in prison if there is no evidence. Ask your attorney to explain to you what I mean. It is better to have a person free, even if they have committed the crime, than to wrongfully accuse the person. Society must have certain ethical and moral rules on how to judge people.

Google is not following such rules, so it is clear from my references that Google is marking websites as malicious without evidence. This was also clear to me when I entered the Google console, where Google displayed that the malicious code “could not be isolated”. So their process of tagging websites is not transparent and not in accordance with civilized societies.

It should be clear that I, as a user of this forum, “cannot dictate policies of Let’s Encrypt”; certainly so, as otherwise I would already be modifying the policies and simply publishing them. That is dictating.

Google does not have this kind of dialog with its users. They simply wrongfully accuse parties and go with it; they are a large company, so who dares to sue Google?

What I am writing, and not dictating, is that Let’s Encrypt shall be transparent and not follow the wrongful accusation practice conducted by Google.

When a website is wrongfully accused of being malicious, it loses orders, clients, money, business…

Being tagged malicious may easily be considered by the public as having illegal or criminal activity.

Such wrongful accusations are not of the level and kind fitting for Let’s Encrypt.

While it is easy to consider such websites, tagged by a third party’s non-transparent process, as just yet another number of “no importance”, real people are behind them, and families can be destroyed due to such accusations.

Let’s Encrypt needs an attorney who is to stress what Innocent Until Proven Guilty means.

Or is Let’s Encrypt to follow the path so that something as the following may happen?

There is a good EFF article on what online libel and defamation are:

Conveniently, I'm an attorney (in the U.S., whose law governs your dealings with LE), so I know a thing or two about legal liability. And no, there's no legal liability if I, a private individual or company, privately accuse you of something, whether or not I'm right, and whether or not I have any decent reason to believe that it's the truth. I can tell you, privately, that I think you're a murderer, without any reason to believe that's true, and there's no legal liability created there. And to the extent that Let's Encrypt is accusing you of anything, they're doing so privately.

Secondly, Let's Encrypt isn't accusing you of anything. They aren't saying, "your domain serves malicious content"; they're saying (correctly) that Google has flagged your domain as serving malicious content. Truth is an absolute defense against a claim of defamation. So even if Let's Encrypt were making that statement publicly, it would not expose them to liability.

Third, even if LE were publicly claiming that your site were malicious, that probably wouldn't expose them to liability, as it probably wouldn't be negligent of them to believe that Google was correct. This is a weaker point, though, and would need to go to a jury (the above two points wouldn't get that far).

Fourth, the principle of "innocent until proven guilty" means that the government cannot punish you for a crime until they have proved your guilt, and the burden is on them to prove it. It doesn't mean that a private entity can't refuse to serve you for any, or no, reason (with a few exceptions that have nothing to do with guilt or innocence of anything). You don't have a right to a trial and proof of your guilt before a business decides you're too risky to do business with.

Fifth, your issue here is with Google. If there's any effect on your orders, clients, money, business, etc., it results from Google listing your site as malicious, not from LE refusing to issue a cert because of that listing. People and companies sue Google all the time, sometimes even successfully. You may or may not have a case against them (ask your attorney if you want to pursue that), but that's where your issue is.

I bolded the important part. When you say "shall", you are dictating. You are stating what must be, as though you have authority to require it. That's (part of) why I gave you the benefit of the doubt and assumed you weren't a native English speaker, as that could explain your misuse of the word. If you're trying to state your beliefs on what policy should be, "should" would be a more appropriate word to use.

Indeed there is. If you'd read it before posting, you wouldn't have repeated the ridiculous assertion that Let's Encrypt exposes themselves to any liability by refusing to issue a cert to sites who are listed by Google.

The fundamental issue is that users have been (wrongly) conditioned to associate the padlock with a trustworthy site. They shouldn't do so; it doesn't mean that, and never has. But nonetheless, they do. CAs can take a variety of approaches to try to deal with this; this is the method LE has chosen. They have a blog post on the subject here which explains their stance. I'm not sure I completely agree--I tend to think a CA should issue a cert to anyone who can demonstrate domain ownership--but their CA, their rules.