Denied by policy, but no policy

Hello,

I am trying to request a certificate for one of the domains (bnymellon.com) owned by the organization I am working for.

The subdomains I use in the request are: “talentcommunity.bnymellon.com” and “jobs.bnymellon.com”.

I don't see a CAA record or policy anywhere on their domain.

I am utilizing the letsencrypt client on Centos via “letsencrypt certonly”.

In the logfile appears the following Error message:
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for "talentcommunity.bnymellon.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy",

I would like to ask if it is possible to change the policy so that I am allowed to request certificates for these subdomains? I'm guessing this might be policy because of this Bany organization.

Thank you very much!

Hi @seawhy, and welcome to the LE community!

It seems that your domain is responsible for that policy:

dig +short CAA talentcommunity.bnymellon.com.
talentcommunity.bnymellon.com.cc.jibe.com.

dig +short CAA jobs.bnymellon.com.
jobs.bnymellon.com.jibeapply.com.

dig +short CAA www.bnymellon.com.
bny-mellon-prod-1338547636.us-east-1.elb.amazonaws.com.

For comparison:

dig +short CAA google.com.
0 issue "pki.goog"

dig +short CAA facebook.com.
0 issue "digicert.com"

OR
I may be totally wrong, and that is just a side-effect of using CNAMEs - LOL
Let's ask an expert: @jsha

1 Like

IIRC that error is LE's internal policy for high-profile domains, not a CAA record. CAA not allowing it would create a "CAA record for %s prevents issuance" error; a staff member from LE needs to override the lock for the domain to enable automated issuance. @lestaff

3 Likes
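As an added example (not code from anyone in this thread), here is a small offline model of the check orangepizza describes: it resolves CAA the way RFC 8659 specifies (follow the CNAME chain at each name, then climb toward the root), decides whether a given CA identifier may issue, and separates an ACME `caa` problem from the `rejectedIdentifier` one in the original log. The DNS table is constructed from the dig output quoted above; the `example.test` entries are made up to show a CAA record on a parent zone.

```python
import json
# Constructed DNS table modelled on the dig output quoted in this thread; no live lookups.
# Each CAA record is (flags, tag, value). example.test and lb.cdn.test are constructed names.
ZONE = {
    "talentcommunity.bnymellon.com.": {"CNAME": "talentcommunity.bnymellon.com.cc.jibe.com."},
    "jobs.bnymellon.com.": {"CNAME": "jobs.bnymellon.com.jibeapply.com."},
    "google.com.": {"CAA": [(0, "issue", "pki.goog")]},
    "facebook.com.": {"CAA": [(0, "issue", "digicert.com")]},
    "example.test.": {"CAA": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")]},
    "www.example.test.": {"CNAME": "lb.cdn.test."},  # CNAME whose target carries no CAA at all
}

def caa_lookup(name, zone, hops=8):
    """CAA(X) as a resolver answers it: follow the CNAME chain at X and return the CAA set found (or [])."""
    while hops > 0:
        node = zone.get(name, {})
        if "CAA" in node:
            return node["CAA"]
        if "CNAME" not in node:
            return []
        name, hops = node["CNAME"], hops - 1
    return []

def relevant_caa_set(name, zone):
    """RFC 8659 section 3: climb from the FQDN toward the root and take the first non-empty CAA set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_lookup(".".join(labels[i:]) + ".", zone)
        if rrset:
            return rrset
    return []

def ca_may_issue(name, ca, zone, wildcard=False):
    """Return (allowed, reason) for a CA identifier such as 'letsencrypt.org'."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records in the tree: CAA does not restrict issuance"
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False, "critical CAA property not understood"
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    if ca in allowed:
        return True, f"{tag} permits {ca}"
    return False, f"{tag} permits only {sorted(allowed - {''}) or 'nobody'}"

def classify_acme_problem(problem_json):
    """Tell a CAA refusal apart from a CA-side policy block by the ACME problem type (RFC 8555 6.7)."""
    kind = json.loads(problem_json)["type"].rsplit(":", 1)[-1]
    return {"caa": "CAA record forbids issuance; fix DNS",
            "rejectedIdentifier": "CA policy block; CAA is irrelevant, contact the CA"}.get(kind, "other")
```

Running `ca_may_issue("talentcommunity.bnymellon.com.", "letsencrypt.org", ZONE)` returns allowed with no CAA in the tree, which is why the `rejectedIdentifier` error cannot be a CAA problem.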

Correct. Jibe.com & jibeapply.com are my domains, but we don't have a CAA policy that would deny Let's Encrypt. I've issued LE certs to several other client domains that are CNAMEd to the same endpoints. We're hosting career portals for these customers and have started migrating domains to LE certs to reduce client friction with renewing certs annually. Of the 300+ certs that we are hosting, only a handful have CAA policies that deny LE. We're only generating new certificates as each comes up for renewal. I'm still cleaning up the automation, but this is the first domain that was blocked by a policy that didn't appear to be defined via a CAA record.

Hey orange, is there an API to test that a domain is on this policy list?

letsdebug.com checks it by asking the staging server for the domain, but I don't think they export a domain list from it.
But before you keep digging, I think you should talk with the main IT security team of your bank and get permission for it.
CT logs say all certificates for bnymellon.com subdomains are DigiCert EV, except some Cloudflare certificates in 2018. Even a test domain like jk-dmz-mig-testing3.qa.bnymellon.com uses it. I'm pretty sure it's their internal policy.
https://crt.sh/?id=3663207525
https://crt.sh/?Identity=bnymellon.com&exclude=expired&match=LIKE

2 Likes

We're a vendor for the bank's HR group; I've never actually talked to the bank. We have middlemen for that. I'll just add bnymellon to a new list of exclusion domains so that I'm not constantly trying to provision this domain that doesn't have CAA records.

thanks

3 Likes

@seawhy, we still have not heard anything officially from LE.
Let's give them some more time before you close the topic.
@jsha @jillian

1 Like

Yep, @orangepizza is right - this message isn't related to CAA, it happens when we have a domain blocked. Most commonly that's because we've marked it as a high-risk domain. @seawhy, your approach of excluding that domain is the right one.

PS: Welcome to the forum!

4 Likes

@jsha I know that domains that were overzealously blocked can appeal to have the blocklist altered, but is there a mechanism for legitimate high-risk domain owners to work with Let's Encrypt? There was a thread about the Iranian Ubuntu site being accommodated before, but I haven't heard of any finance companies.

2 Likes

Yep, but the request has to come from the owner of the main domain, not a vendor.

4 Likes