Certificate for the local ccTLD authority

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.nic.za

I ran this command: /usr/local/bin/dehydrated --cron --challenge dns-01 --domain nic.za --domain www.nic.za

It produced this output:

INFO: Using main config file /etc/dehydrated/config

Processing nic.za with alternative names: www.nic.za

{
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Name does not end in a public suffix",
  "status": 400
}

My web server is (include version): Apache (irrelevant, using the command line)

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: I am the hosting provider

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Nope - command line.

Done lots of certificates (and renewals) - so pretty sure the process is now correct - as are the tools.

I assume I’m being denied because most people can’t go creating an SSL Certificate for “nic.za” - because delegations in ZA are usually at the third level (foo.co.za - etc) - but this is a job for the ZADNA - the folk that control/manage the ZA Domain Name Space - and I need a Certificate for “nic.za”. I presume some “permission” tables need to be updated at Let’s Encrypt???

Let’s Encrypt uses the Public Suffix List, which lists the following suffixes:

// za : http://www.zadna.org.za/content/page/domain-information

Reading through the policy implementation in Boulder, I don’t see any way that the domain could currently be issued for, without za being added to the PSL.

Maybe wait for staff to clarify further :slight_smile:


Thanks - I forwarded your message to the ZADNA.

Another example that I’ve thought of now and then is that we probably can’t issue a certificate for Vince Cate’s site at http://ai/ even though it would otherwise be quite legitimate.

So I’ve had the ZADNA update their web page to include “nic.za”.

(I’ve also suggested that the order should be alphabetical as well… :slight_smile:)

The Domain “nic.za” is using my Nameservers and is DNSSEC Signed (DS Record added to “ZA”) - so URLs such as “whois.nic.za” are now DNSSEC

So who do I need to chat to at “Let’s Encrypt” so I can complete the SSL requirements and get a Certificate?

Cool, now you have to bring this to the attention of the Public Suffix List maintainers.


In this case, because it is part of the ICANN section, you can propose it yourself as a third party:

Requests for changes to the ICANN section either need to come from the registry, or come with links to supporting official documentation.

Won’t OP’s certificate request still just fail the “domain must not be an ICANN TLD” check?

whois.nic.za would pass but not nic.za itself.

Maybe! @jsha, can a certificate be issued for nic.za once nic.za itself is on the PSL?

That leaves me stumped.

So I need to use git (I’m running Linux on a laptop - so have the tool already), pull the existing list, edit it and then push it back.

Can you help just a bit please - I don’t use ‘git’ - neither am I quite sure of the list to clone (is it "https://publicsuffix.org/list/public_suffix_list.dat" ?)

and even then - where do I upload it to?

How do I present evidence as well? e.g. the URL where the “lists” have been modified to include “nic.za”

Pretty please, with bells…

The repository is hosted on GitHub:

You can submit the revision using just your web browser if you would like: login or create an account with GitHub, browse to the public_suffix.dat file, and click the pencil icon in the bar above the file’s contents. You can edit the file in your browser this way and submit the changes to the project’s maintainers for review, a.k.a. create a pull request.

Or if you really want to use git on the command line, this explains how to get started:


Thank you for those instructions. Logged in (I had a login already), clicked the pencil, edited the file, added comments in the comment box and

I guess wait around? I’ve no idea if anyone will contact me. Assuming the commitment is accepted - how long before “Let’s Encrypt” notices - and I can continue on to create the SSL Certificate for the "nic.za" Domain (a single certificate including: nic.za, www.nic.za, whois.nic.za)?

Usually a couple of weeks, but you can sometimes speed up the process a bit by bringing it up on this forum because the Let’s Encrypt operations people read it. :slight_smile:

@mje You need to go to https://github.com/mjelkins/list and open a pull request against publicsuffix/list.

(There should be a big button.)

Projects don’t usually monitor for new commits in new forks, they wait for pull requests, or sometimes other ways to submit changes.

I’m not certain adding “nic.za” to the list is the right thing to do. It would make whois.nic.za and www.nic.za effectively different domains, for example. Like whois.com and www.com.
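The two policy checks discussed above (a name must end in a public suffix, and must not itself be a TLD/public suffix) and the side effect raised in the last reply can be worked through with a small model. The following is an added example written for this thread; it is not Boulder's code and it simplifies Boulder's real policy (for instance, it treats any name that exactly equals a public suffix as refused, where Boulder's checks are more specific). The PSL excerpt is constructed for the example and is not the real public_suffix_list.dat; the `*.ck` / `!www.ck` rules are included only to exercise the wildcard and exception rule paths.

```python
# Added example, not code from the thread or from Boulder: a simplified model
# of an issuance policy check driven by a Public Suffix List (PSL) excerpt.
from dataclasses import dataclass
from typing import List, Optional

# Constructed PSL excerpt for the example (not the real public_suffix_list.dat).
# Rules are one per line, "//" lines are comments, "*." is a wildcard rule and
# "!" marks an exception rule. A bare "za" rule is deliberately absent, as it
# was when the dehydrated run in the thread failed.
PSL_ORIGINAL = """
// za : http://www.zadna.org.za/content/page/domain-information
ac.za
co.za
org.za
// com : generic TLD
com
// constructed wildcard/exception rules to exercise those code paths
*.ck
!www.ck
"""

# The same excerpt after a pull request adding nic.za, as proposed in the thread.
PSL_WITH_NIC_ZA = PSL_ORIGINAL + "nic.za\n"


def parse_psl(text: str) -> List[str]:
    """Return the rule lines of a PSL text, skipping blanks and comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def public_suffix(domain: str, rules: List[str]) -> Optional[str]:
    """Longest matching PSL rule for domain, or None when no rule matches.

    Returning None for an unlisted TLD models the strict behaviour behind the
    "Name does not end in a public suffix" error; the generic PSL algorithm
    would instead fall back to treating the TLD itself as the suffix.
    """
    labels = domain.lower().rstrip(".").split(".")
    best: Optional[str] = None
    for rule in rules:
        exception = rule.startswith("!")
        rlabels = rule.lstrip("!").split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[-len(rlabels):]
        if not all(r == "*" or r == d for r, d in zip(rlabels, tail)):
            continue
        if exception:
            # An exception rule wins outright; the suffix is the rule minus
            # its leftmost label (e.g. "!www.ck" makes "ck" the suffix).
            return ".".join(rlabels[1:])
        if best is None or len(rlabels) > len(best.split(".")):
            best = ".".join(tail)
    return best


@dataclass
class Decision:
    name: str
    allowed: bool
    reason: str
    registered_domain: Optional[str] = None


def willing_to_issue(name: str, rules: List[str]) -> Decision:
    """Apply the two PSL-derived checks discussed in the thread (simplified)."""
    name = name.lower().rstrip(".")
    suffix = public_suffix(name, rules)
    if suffix is None:
        return Decision(name, False, "Name does not end in a public suffix")
    if suffix == name:
        # The name *is* a public suffix (a TLD or a listed delegation point),
        # so there is no registrant whose control could be validated.
        return Decision(name, False, "Name is itself a public suffix")
    n = len(suffix.split("."))
    registered = ".".join(name.split(".")[-(n + 1):])
    return Decision(name, True, "ok", registered)


if __name__ == "__main__":
    for label, text in (("original PSL", PSL_ORIGINAL), ("PSL + nic.za", PSL_WITH_NIC_ZA)):
        rules = parse_psl(text)
        print(f"--- {label} ---")
        for host in ("nic.za", "www.nic.za", "whois.nic.za", "example.co.za"):
            d = willing_to_issue(host, rules)
            print(f"{host:16} allowed={d.allowed!s:5} reason={d.reason!r} "
                  f"registered={d.registered_domain}")
```

Run as a script, the first pass refuses both nic.za and www.nic.za with the same "does not end in a public suffix" reason the dehydrated output shows. After nic.za is added to the list, www.nic.za and whois.nic.za are accepted, but nic.za itself is still refused because it is now a public suffix, and the two accepted names come out with different registered domains (www.nic.za and whois.nic.za), which is exactly the "whois.com and www.com" effect described above.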

