Certbot returning forbidden by policy error

Hi,
First time I'm getting a certificate like this. Not sure if I'm doing something wrong. I'm trying to get a certificate for an internal company server. The DNS name for this server is netbox.apexoe.fln.lab.dell.com. I'm getting a forbidden policy error. Any help would be appreciated.
Thx

My domain is: netbox.apexoe.fln.lab.dell.com

I ran this command:
sudo certbot -v certonly --nginx

It produced this output:

sudo certbot -v certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): netbox.apexoe.fln.lab.dell.com
Requesting a certificate for netbox.apexoe.fln.lab.dell.com
An unexpected error occurred:
Error creating new order :: Cannot issue for "netbox.apexoe.fln.lab.dell.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.26.0

Edit: I'm an idiot.

Your FQDN has no published CAA policy, and the dell.com one gets applied, which forbids Let's Encrypt from issuing.

You should add your own CAA policy.

% dig caa dell.com

; <<>> DiG 9.16.27 <<>> caa dell.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40123
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dell.com.                      IN      CAA

;; ANSWER SECTION:
dell.com.               600     IN      CAA     0 issue "entrust.net"
dell.com.               600     IN      CAA     0 issue "digicert.com"
dell.com.               600     IN      CAA     0 iodef "mailto:pkiadmin@dell.com"

;; Query time: 253 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 20 01:02:43 CEST 2022
;; MSG SIZE  rcvd: 141

%

Well, CAA may also be a problem, but the error message here isn't that CAA forbids it, but the CA's policy. I'm guessing that dell.com is on their list of highly-important-but-not-yet-using-LE names that require manual intervention on Let's Encrypt's part in order to allow.

If you're actually authorized to issue certificates for dell.com (that is, their IT is adding Let's Encrypt to the CAs that they work with), you'll need to go through the process listed here to remove the block (in addition to updating or adding CAA records):


(I mean, CAA is versatile. Any subdomain can just replace the policy for itself. RFC 6844 - DNS Certification Authority Authorization (CAA) Resource Record)

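The CAA lookup the two CAA replies above describe, as an added example (not code from Certbot, Let's Encrypt, or anyone in this thread): it climbs the name tree the way RFC 8659 (which obsoletes RFC 6844) specifies, against a constructed in-memory zone whose dell.com RRset copies the dig output quoted earlier, and shows that netbox.apexoe.fln.lab.dell.com inherits dell.com's policy until it publishes a CAA RRset of its own. Let's Encrypt's CAA identifier, letsencrypt.org, is the only real value used; everything else is sample data. As noted above, the error in the original post is a CA policy block rather than a CAA refusal, so this only illustrates the CAA part of the discussion.

```python
"""CAA lookup as RFC 8659 describes it, run against an embedded, constructed
zone so it works offline.  Added example; not Certbot or Let's Encrypt code."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]          # (flags, tag, value)
Zone = Dict[str, List[CaaRecord]]         # owner name -> CAA RRset

# Constructed zone data.  The dell.com RRset copies the dig output in the thread;
# the deeper names intentionally have no CAA RRset of their own.
ZONE: Zone = {
    "dell.com.": [
        (0, "issue", "entrust.net"),
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:pkiadmin@dell.com"),
    ],
}

CRITICAL = 0x80                           # "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def canonical(name: str) -> str:
    """Lower-case, fully qualified form with a trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parent_of(name: str) -> str:
    """Strip the leftmost label; the root is spelled '.'."""
    labels = name.rstrip(".").split(".")
    return "." if len(labels) <= 1 else ".".join(labels[1:]) + "."


def relevant_rrset(fqdn: str, zone: Zone) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (owner, RRset) of the closest CAA RRset at or above fqdn.

    RFC 8659 section 3: start at the FQDN and climb towards the root; the first
    CAA RRset found governs issuance.  (The real algorithm also follows
    CNAME/DNAME aliases, which a static dict cannot show.)
    """
    current = canonical(fqdn)
    while current != ".":
        rrset = zone.get(current, [])
        if rrset:
            return current, rrset
        current = parent_of(current)
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether the CA with CAA identifier `ca` may issue for fqdn."""
    _owner, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True                       # no CAA anywhere up the tree: unrestricted
    # A critical record with a tag we do not understand forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if wildcard and not allowed:          # no issuewild: the issue records apply
        allowed = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    if not allowed:
        return True                       # RRset exists but names no issuer restriction
    return ca.lower() in allowed          # 'issue ";"' yields "" and matches no CA


def demo() -> Tuple[Tuple[Optional[str], bool], Tuple[Optional[str], bool]]:
    """Before/after view for the lab host: who governs it, and may LE issue?"""
    lab = "netbox.apexoe.fln.lab.dell.com"
    before = (relevant_rrset(lab, ZONE)[0], ca_may_issue(lab, "letsencrypt.org", ZONE))
    # Publishing a CAA RRset on the host itself replaces the inherited policy.
    patched: Zone = dict(ZONE)
    patched[canonical(lab)] = [(0, "issue", "letsencrypt.org")]
    after = (relevant_rrset(lab, patched)[0], ca_may_issue(lab, "letsencrypt.org", patched))
    return before, after


if __name__ == "__main__":
    (owner_b, ok_b), (owner_a, ok_a) = demo()
    print(f"inherited from {owner_b}: letsencrypt.org may issue = {ok_b}")
    print(f"after own RRset at {owner_a}: letsencrypt.org may issue = {ok_a}")
```

The `demo()` run reports that the lab host is governed by `dell.com.` and Let's Encrypt is not among its issuers, then that a single `issue "letsencrypt.org"` record on the host's own name takes over as the relevant RRset. Note that the walk stops at the first RRset found, so a record on `lab.dell.com.` would equally shield everything beneath it, and that the `iodef` record carries no issuance restriction by itself.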

Ok. Thanks for the responses so far but not sure if I'm closer to a solution. Again, this is for an internal lab server and I want to use HTTPS on the server. I could generate a self-signed certificate but then users get the warning message when visiting the site. I'm not in a position to get Dell attorneys involved, etc... Is there anything else I can do to get this working? Thank you.


Hi @asilver,

It might be sufficient to have a request from Dell's IT people rather than attorneys, although that may also be more trouble than you want.

Could you use a non-Dell domain name pointing to the same IP address, and then access the server using that domain name?


Another factor is that this domain name will need to be in the public DNS system for Let's Encrypt to issue a cert. I don't see any DNS A / AAAA entries for it (nor for apexoe or fln levels).

I just ran a test and this LE policy name restriction is checked before the DNS is verified.

You mention this is internal. This is more involved than just the LE policy for Dell. There are ways to get certs for use by internal servers but public DNS is needed for LE to ensure control of the domain.


Ok, thank you everyone. I'll look internally within Dell.

