Hi,
First time I'm getting a certificate like this. Not sure if I'm doing something wrong. I'm trying to get a certificate for an internal company server. The DNS name for this server is netbox.apexoe.fln.lab.dell.com. I'm getting a forbidden policy error. Any help would be appreciated.
Thx
I ran this command: sudo certbot -v certonly --nginx
It produced this output:
sudo certbot -v certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): netbox.apexoe.fln.lab.dell.com
Requesting a certificate for netbox.apexoe.fln.lab.dell.com
An unexpected error occurred:
Error creating new order :: Cannot issue for "netbox.apexoe.fln.lab.dell.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.26.0
Well, CAA may also be a problem, but the error message here isn't that CAA forbids it, but the CA's policy. I'm guessing that dell.com is on their list of highly-important-but-not-yet-using-LE names that requires manual intervention on Let's Encrypt's part in order to allow.
If you're actually authorized to issue certificates for dell.com (that is, their IT is adding Let's Encrypt to the CAs that they work with), you'll need to go through the process listed here to remove the block (in addition to updating or adding CAA records):
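As an added illustration (not part of the thread, and not Let's Encrypt's or Dell's code), the reply above distinguishes the CA's own policy block from a CAA restriction. CAA is the check a domain owner can actually control, so it is worth being able to evaluate it by hand: RFC 8659 takes the CAA record set from the first label level, climbing from the host name toward the root, that has any CAA records, and then a CA may issue only if an `issue` property (or `issuewild`, for wildcard names) names it. The script below parses the text form of `dig +noall +answer CAA <name>` and applies those rules. All records in it are constructed for a fictitious `example.com`/`example.org`/`example.net` zone; they say nothing about the real DNS for dell.com, and CNAME/DNAME indirection is not modelled.

```python
import re
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")

# One line of `dig +noall +answer CAA <name>` output, e.g.
#   example.com.  300 IN CAA 0 issue "letsencrypt.org"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)

# Constructed dig output (hypothetical zone data; nothing here was observed in the thread).
SAMPLE_DIG_OUTPUT = """\
lab.example.com.     300 IN CAA 0 issue "digicert.com"
example.com.         300 IN CAA 0 issue "digicert.com"
example.com.         300 IN CAA 0 iodef "mailto:pki@example.com"
example.org.         300 IN CAA 0 issue ";"
wild.example.net.    300 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
wild.example.net.    300 IN CAA 0 issuewild "digicert.com"
strict.example.net.  300 IN CAA 128 futuretag "something"
""".splitlines()


def parse_caa(lines):
    """Group dig-style CAA answer lines by owner name (lower-cased, trailing dot removed)."""
    zone = {}
    for line in lines:
        m = CAA_LINE.match(line.strip())
        if not m:
            continue
        owner = m["owner"].rstrip(".").lower()
        zone.setdefault(owner, []).append(CAA(int(m["flags"]), m["tag"], m["value"]))
    return zone


ZONE = parse_caa(SAMPLE_DIG_OUTPUT)


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: starting at the FQDN, climb toward the root; the first
    label level that has any CAA records is the relevant set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def caa_permits(name, ca_domain, zone):
    """Decide whether the CA identified by `ca_domain` may issue for `name`.
    Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa_set(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA records at any level: any CA may issue"
    # An unrecognised property carrying the critical flag (bit 128) forbids issuance.
    for rr in rrset:
        if rr.tag.lower() not in ("issue", "issuewild", "iodef") and rr.flags & 128:
            return False, f"unrecognised critical property '{rr.tag}' at {owner}"
    # Wildcard names use 'issuewild' when present, otherwise fall back to 'issue'.
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"
    props = [rr for rr in rrset if rr.tag.lower() == tag]
    if not props:
        return True, f"CAA at {owner} has no '{tag}' property: any CA may issue"
    for rr in props:
        # Value is "<issuer-domain>[; param=value ...]"; an empty issuer (";") means no CA.
        issuer = rr.value.split(";", 1)[0].strip().lower()
        if issuer == ca_domain.lower():
            return True, f"'{tag} {rr.value}' at {owner} authorises {ca_domain}"
    return False, f"'{tag}' properties at {owner} do not name {ca_domain}"


if __name__ == "__main__":
    for host in ("netbox.apexoe.fln.lab.example.com", "host.nowhere.test",
                 "www.example.org", "*.wild.example.net", "app.strict.example.net"):
        print(host, caa_permits(host, "letsencrypt.org", ZONE))
```

To run it against a real name, replace `SAMPLE_DIG_OUTPUT` with the answer lines of `dig +noall +answer CAA <name>` for the host and each of its parents. If `caa_permits` returns True for `letsencrypt.org` but the ACME server still reports "forbidden by policy", CAA is not the blocker and the CA-side policy block discussed above is.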
OK. Thanks for the responses so far, but I'm not sure if I'm closer to a solution. Again, this is for an internal lab server and I want to use HTTPS on the server. I could generate a self-signed certificate, but then users get the warning message when visiting the site. I'm not in a position to get Dell attorneys involved, etc. Is there anything else I can do to get this working? Thank you.
Another factor is that this domain name will need to be in the public DNS system for Let's Encrypt to issue a cert. I don't see any DNS A / AAAA entries for it (nor for apexoe or fln levels).
I just ran a test and this LE policy name restriction is checked before the DNS is verified.
You mention this is internal. This is more involved than just the LE policy for Dell. There are ways to get certs for use by internal servers, but public DNS is needed for LE to ensure control of the domain.
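As an added example (not part of the thread, and not certbot's or Let's Encrypt's own code): the standard way to prove control of a name for a host that is only reachable internally is the ACME DNS-01 challenge, which needs nothing on the host itself, only a TXT record in the public zone. The client computes a key authorization `token.thumbprint(account key)` (RFC 8555 section 8.1, thumbprint per RFC 7638), hashes it with SHA-256, and publishes the base64url result at `_acme-challenge.<name>`; the CA then looks that record up over public DNS. The script below derives that record. The account key coordinates and the token are constructed placeholders (real ones come from your ACME account key and from the server's challenge object), and the `netbox.apexoe.fln.lab.dell.com` name is used only to show the record name.

```python
import base64
import hashlib
import json

# Constructed ACME account public key in JWK form. The coordinates are made up (not a
# real key, not a valid curve point); only their canonical JSON form is hashed below.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "made-up-x-coordinate-not-a-real-key",
    "y": "made-up-y-coordinate-not-a-real-key",
    "alg": "ES256",  # optional member: excluded from the thumbprint by RFC 7638
}

# Constructed challenge token; a real one is chosen by the ACME server per authorization.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data):
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk):
    """RFC 7638 section 3: only the required public members, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk):
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier, token, account_jwk):
    """Return (record name, TXT value) the CA expects for a DNS-01 challenge
    (RFC 8555 section 8.4). For a wildcard identifier the record sits under the base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base.rstrip('.')}", b64url(digest)


if __name__ == "__main__":
    name, value = dns01_record("netbox.apexoe.fln.lab.dell.com", TOKEN, ACCOUNT_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
```

With certbot, `certbot certonly --manual --preferred-challenges dns -d <name>` prints this record for you to create by hand, and the `certbot-dns-*` plugins create it through your DNS provider's API. Either way the record must be resolvable from the public internet, which is the point made in the reply above, and none of this bypasses the CA-side policy block on the domain reported in the original error.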