I don't see a CAA record or policy anywhere on their domain.
I am utilizing the letsencrypt client on CentOS via "letsencrypt certonly".
In the logfile appears the following error message:
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for "talentcommunity.bnymellon.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy",
I would like to ask if it is possible to change the policy so that I am allowed to request certificates for these subdomains. I'm guessing this might be policy because of this bank organization.
Correct. Jibe.com & jibeapply.com are my domains, but we don't have a CAA policy that would deny Let's Encrypt. I've issued LE certs to several other client domains that are CNAMEd to the same endpoints. We're hosting career portals for these customers and have started migrating domains to LE certs to reduce client friction with renewing certs annually. Of the 300+ certs that we are hosting, only a handful have CAA policies that deny LE. We're only generating new certificates as each comes up for renewal. I'm still cleaning up the automation, but this is the first domain that was blocked by a policy that didn't appear to be defined via CAA record.
We're a vendor for the bank's HR group; I've never actually talked to the bank. We have middle men for that. I'll just add bnymellon to a new list of exclusion domains so that I'm not constantly trying to provision this domain that doesn't have CAA records.
Yep, @orangepizza is right - this message isn't related to CAA, it happens when we have a domain blocked. Most commonly that's because we've marked it as a high-risk domain. @seawhy, your approach of excluding that domain is the right one.
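To make the distinction in that answer concrete, here is an added example (not code from the thread, the letsencrypt client, or Let's Encrypt itself) that classifies an ACME problem document by its `type` and, separately, evaluates CAA the way RFC 8659 section 3 describes: climb from the requested name to its parents and use the closest label set that has CAA records. The zone contents, the domains `example.org`, `locked.example.net` and `otherca.example.com`, and the function names are constructed for illustration; the model does not follow CNAMEs, which a real resolver would do at each name it queries.

```python
"""Classify an ACME error and evaluate CAA (RFC 8659) over a constructed zone.

Added example for the thread above; not the letsencrypt client's own code.
"""
import json
from dataclasses import dataclass

# ACME error types from RFC 8555 section 6.7.
ACME_ERROR_CAA = "urn:ietf:params:acme:error:caa"
ACME_ERROR_REJECTED = "urn:ietf:params:acme:error:rejectedIdentifier"

# Constructed copy of the problem document quoted in the thread.
SAMPLE_ERROR = json.dumps({
    "type": ACME_ERROR_REJECTED,
    "detail": 'Error creating new order :: Cannot issue for '
              '"talentcommunity.bnymellon.com": The ACME server refuses to '
              'issue a certificate for this domain name, because it is '
              'forbidden by policy',
})


def classify_acme_error(problem_json):
    """Return 'caa' for a CAA refusal, 'policy_block' for a rejected
    identifier (the CA's own blocklist, unrelated to DNS), else 'other'."""
    problem_type = json.loads(problem_json).get("type", "")
    if problem_type == ACME_ERROR_CAA:
        return "caa"
    if problem_type == ACME_ERROR_REJECTED:
        return "policy_block"
    return "other"


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) is the "issuer critical" flag
    tag: str     # issue / issuewild / iodef / ...
    value: str   # CA domain, optionally followed by ";params"


# Constructed zone: name -> CAA RRset. Names absent here have no CAA records.
SAMPLE_ZONE = {
    "example.org": [CAARecord(0, "issue", "letsencrypt.org")],
    "locked.example.net": [CAARecord(0, "issue", ";")],          # denies every CA
    "otherca.example.com": [CAARecord(0, "issue", "ca.example"),
                            CAARecord(0, "issuewild", "letsencrypt.org")],
}


def relevant_caa_set(zone, name):
    """RFC 8659 s3: the relevant RRset is the one at the closest ancestor
    (including the name itself) that has CAA records; [] if none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return list(records)
    return []


def caa_permits(zone, name, ca_domain, wildcard=False):
    """True if `ca_domain` may issue for `name` under the relevant CAA RRset."""
    records = relevant_caa_set(zone, name)
    if not records:
        return True  # no CAA anywhere in the tree: any CA may issue
    known_tags = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known_tags for r in records):
        return False  # critical flag on a tag we do not understand: refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    allowed = [r.value.split(";", 1)[0].strip().lower()
               for r in records if r.tag.lower() == tag]
    if not allowed:
        return True  # only iodef or similar present: issuance unrestricted
    return ca_domain.lower() in allowed


def triage(problem_json, zone, name, ca_domain="letsencrypt.org"):
    """Decide what an issuance automation should do with a failed order."""
    kind = classify_acme_error(problem_json)
    if kind == "policy_block":
        return "exclude"          # CA blocklist; retrying will not help
    if kind == "caa" or not caa_permits(zone, name, ca_domain):
        return "fix_caa"          # DNS owner must authorize the CA
    return "retry"


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_ZONE, "talentcommunity.bnymellon.com"))
```

In the quoted case the `type` is `rejectedIdentifier`, so `triage` returns `exclude` even though the constructed zone has no CAA records for that name, which is exactly the situation the thread describes: the block comes from the CA's policy list, not from DNS.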
@jsha I know that domains that were overzealously blocked can appeal to have the blocklist altered, but is there a mechanism for the legitimate high-risk domain owners to work with Let's Encrypt? There was a thread about the Iranian Ubuntu site being accommodated before, but I haven't heard of any finance companies.