Correct zName not found for TLS SNI challenge


#1

When I try to renew my certificate I get the following error:

Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name is blacklisted


#2

Are you happy to say what your domain name is ?

I know there were some modification of the blacklisted names, and a few got caught up by accident.


#3

Yeah, this is always a problem here: people do not like to tell the domain, even if it is not a blacklist problem.


#4

65shelbycobra.com is the domain on the certificate that expires next Sunday.


#5

@jsha can you tell something about this name ?
This is neither banking related nor software.


#6

This error looks kinda bogus. I’m checking the logs, and can’t find the actual blacklist failure for your domain.

Can you post the exact command you used and some of the log output?


#7

Command: ./letsencrypt-auto renew

log output:

2016-02-29 17:38:38,780:DEBUG:acme.client:Storing nonce: 's\x85\x19@\xd8\xf4\x9c\x8bn%\xce@kJ.\t\x8bf\xc7\xa7\xee\xf5\xe1r1\xb5; \xc2\x95\xcb)'
2016-02-29 17:38:38,780:DEBUG:acme.client:Received response <Response [400]> (headers: {'Content-Length': '107', 'Expires': 'Mon, 29 Feb 2016 17:38:44 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 29 Feb 2016 17:38:44 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'c4UZQNj0nItuJc5Aa0ouCYtmx6fu9eFyMbU7IMKVyyk'}): '{"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Name is blacklisted","status":400}'
2016-02-29 17:38:38,781:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1987, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 663, in run
    lineage, action = _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 458, in _auth_from_domains
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 252, in obtain_certificate
    return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 216, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 196, in request_challenges
    response = self.net.post(new_authzr_uri, new_authz)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 644, in post
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 560, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name is blacklisted


#8

Regarding the name: it is my personal "Owncloud" server on AWS.


#9

@Hackerace Hi, your log contains the stack trace, but more interesting would be the query that caused the error.
The log only contains the part after the error. What would help is the last request before
:"Error creating new authz :: Name is blacklisted","status":400}'
Maybe you had some other domains for testing that are now rejected.


#10

Wait, is it possible that owncloud is on the list?


#11

Just checked - no, it isn’t.


#12

You wait.
It DOESN'T log the domain names (especially when seeing a blacklist error)?

But owncloud can't be on the list because renew was used, aka renew a cert that already exists, and I can't believe that owncloud can have a cert in the first place.


#13

Okay, so I worked with @jsha to check the logs.

What actually happened was you tried to issue a certificate for ec2-54-200-36-86.us-west-2.compute.amazonaws.com. That’s an Amazon domain, so it’s on the high-risk list.


#14

But wait.
compute.amazonaws.com is on the PSL (I literally just checked), so there shouldn't be THAT much risk, since Amazon officially acknowledges this as a public domain.


#15

Maybe we should have a further discussion about this particular case (maybe including folks from AWS), but being on the PSL doesn't override the blacklist (even if it would have overridden the rate limit).


#16

I think we should have a discussion at least about WHAT is on the blacklist, even if not all names are mentioned.
I can remember you said in the past that it only contains about 200 domains that are relevant for banking.


#17

And the domain says amazonaws.com and not aws.amazon.com, and I am certain that IE and Firefox (dunno about others) at least highlight the root domain, making it more obvious that it is not directly Amazon.


#18

You really want someone to be able to grab a cert for every *.compute.amazonaws.com just by starting free-tier instances until they’ve cycled through all the available IP addresses? Remember it’s on the PSL so the rate limit wouldn’t stop them.


#19

So those names are IP based?
I thought every machine gets a URL based on the ID of the instance.


#20

They are IP based, and they get reused as instances are stopped and new ones started up.
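The policy argument in #13 to #20 (the PSL makes each ec2-* name its own rate-limit unit, the hostnames embed a reusable IP, so a CA refuses them via a separate high-risk list) as an added example, not code from the thread or from Let's Encrypt; the PSL subset and the high-risk suffix list are constructed stand-ins, not the real lists:

```python
import ipaddress
import re
# Constructed subset of the Public Suffix List (PSL) for this example only; the
# real list is far longer and covers the AWS regions with wildcard rules.
PUBLIC_SUFFIXES = {"com", "us-west-2.compute.amazonaws.com"}

# Constructed stand-in for a CA's high-risk suffix list (assumed contents, not
# the real Let's Encrypt list). Names under these are refused regardless of PSL.
HIGH_RISK_SUFFIXES = {"compute.amazonaws.com"}

# EC2 public hostnames embed the instance's public IPv4 (ec2-A-B-C-D.<region>...).
EC2_IP_NAME = re.compile(r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")

def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")

def public_suffix(hostname):
    """Longest PSL entry the hostname ends with (or equals), or None."""
    labels = _labels(hostname)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return None

def registered_domain(hostname):
    """Public suffix plus one label: the unit a per-domain rate limit counts."""
    suffix, labels = public_suffix(hostname), _labels(hostname)
    if suffix is None or len(labels) <= suffix.count(".") + 1:
        return None  # unknown TLD, or the name *is* a public suffix
    return ".".join(labels[-(suffix.count(".") + 2):])

def embedded_ipv4(hostname):
    """IPv4 address encoded in an EC2-style hostname, or None."""
    m = EC2_IP_NAME.match(hostname.lower())
    try:
        return ipaddress.IPv4Address(".".join(m.groups())) if m else None
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None

def is_high_risk(hostname):
    """True when the name is at or under a high-risk suffix, PSL or not."""
    h = ".".join(_labels(hostname))
    return any(h == s or h.endswith("." + s) for s in HIGH_RISK_SUFFIXES)

def assess(hostname):
    """Policy view of a requested name: rate-limit unit, IP-derived, blocked."""
    return {"registered_domain": registered_domain(hostname),
            "ip_derived": embedded_ipv4(hostname) is not None,
            "high_risk": is_high_risk(hostname)}
```

For the name from #13, `registered_domain` returns the full ec2-* hostname, which is why a per-registered-domain rate limit would not slow down someone cycling instances, and `is_high_risk` is what actually stops issuance.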