Domain Blacklisted

Hey,

I just tried to renew the SSL certificate for the Iranian Ubuntu Community and it says that it is blacklisted. Can anyone let me know how I can solve the problem and why it is happening at all?

./letsencrypt-auto renew
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade renew
Processing /etc/letsencrypt/renewal/wiki.ubuntu.ir.conf
2016-02-16 19:01:46,607:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/wiki.ubuntu.ir.conf produced an unexpected error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name is blacklisted. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wiki.ubuntu.ir/fullchain.pem (failure)

I think the problem could be that ubuntu is considered a critical domain that is blocked.
Sadly, this critical domain name list is not public.

We tweaked our system of generating a list of high-risk domains in December. The new list expands name.com to name.TLD whenever the owner of name commonly registers it in each TLD. It looks like that was over-inclusive in this case. We’ll plan to fix it in the next couple weeks and get back to you when it’s ready. Apologies for the inconvenience.


Great, thanks for your reply.

BTW, having a whitelist of domain names could be a good idea as well, for the cases in which an exception is required.

Any update on this? Our certificates will expire in 6 days.


Hi,

Sorry for the delay in getting back to you, and thanks for the reminder. I’ve bumped the priority of this issue with our Ops team. I’ll do my best to get the fix rolled out in the next six days.

Thanks,
Jacob

Unfortunately our certificates are expired.

This is now fixed and you should be able to re-issue.

I really appreciate your help :slightly_smiling:

But it seems that it’s still not working on some of our subdomains. That’s the error I’m getting:

2016-03-05 22:42:23,839:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/wiki.ubuntu.ir.conf produced an unexpected error: urn:acme:error:malformed :: The request message was malformed :: Error creating new cert :: Policy forbids issuing for name paste.ubuntu.ir. Skipping.
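Both errors in this thread (the "Name is blacklisted" authz failure in the first post and the "Policy forbids issuing for name" cert failure above) are only visible as WARNING lines that `letsencrypt-auto renew` emits and then moves past, so an operator finds out at expiry. This added example (not code from the thread or from Let's Encrypt) parses such lines, separates policy blocks from other renewal failures, and records which issuance stage refused the name; the log text is a constructed sample modelled on the quoted messages, and the third line is invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the two errors quoted in this thread plus one
# non-policy failure so the classifier has something to tell apart.
SAMPLE_LOG = """\
2016-02-16 19:01:46,607:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/wiki.ubuntu.ir.conf produced an unexpected error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name is blacklisted. Skipping.
2016-03-05 22:42:23,839:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/wiki.ubuntu.ir.conf produced an unexpected error: urn:acme:error:malformed :: The request message was malformed :: Error creating new cert :: Policy forbids issuing for name paste.ubuntu.ir. Skipping.
2016-03-05 22:43:01,002:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/example.invalid.conf produced an unexpected error: urn:acme:error:connection :: Could not connect to example.invalid. Skipping.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d [\d:,]+):WARNING:letsencrypt\.cli:Attempting to renew cert "
    r"from (?P<conf>\S+) produced an unexpected error: (?P<err>urn:acme:error:\w+) :: "
    r"(?P<detail>.*?) Skipping\.$"
)
NAME_RE = re.compile(r"Policy forbids issuing for name ([\w.-]+?)\.?$")
POLICY_MARKERS = ("Name is blacklisted", "Policy forbids issuing for name")

@dataclass
class RenewalFailure:
    error_type: str      # ACME error URN from the server
    stage: str           # "authz" (RA-side block), "cert" (CA-side block) or "other"
    name: str            # name the server refused, else the renewal lineage
    policy_block: bool   # True when a high-risk/blacklisted name caused the failure

def parse_renewal_failures(log_text: str) -> List[RenewalFailure]:
    """Turn letsencrypt.cli renewal warnings into structured records."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("detail").split(" :: ")
        stage = "other"
        for part in parts:  # "Error creating new authz" / "Error creating new cert"
            if part.startswith("Error creating new "):
                stage = part[len("Error creating new "):]
        last = parts[-1]
        name_match = NAME_RE.search(last)
        # Fall back to the lineage name taken from the renewal config file name.
        lineage = m.group("conf").rsplit("/", 1)[-1].rsplit(".conf", 1)[0]
        failures.append(RenewalFailure(
            error_type=m.group("err"), stage=stage,
            name=name_match.group(1) if name_match else lineage,
            policy_block=any(marker in last for marker in POLICY_MARKERS)))
    return failures

def policy_blocked_names(log_text: str) -> Dict[str, str]:
    # Each policy-blocked name mapped to the stage ("authz" or "cert") that refused it.
    return {f.name: f.stage for f in parse_renewal_failures(log_text) if f.policy_block}
```

Feeding `policy_blocked_names()` the renewal log on a schedule gives an alert while there are still days left to ask the CA about the listing, instead of discovering it after expiry as happened here.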

That error comes from the CA component, as opposed to the RA component that was previously blocking your progress. Each component has its own copy of the blacklist. I’m guessing the CA’s copy was not properly updated. Following up with our ops team now. Thanks for your patience. :slight_smile:

Okay, I think we have that sorted. Try once more?

It worked perfectly. Thanks again for your efforts :slightly_smiling:


You’re welcome! Glad to help.

Hello @jsha,

Is this still in effect? I am trying to create a certificate for the Chilean WordPress community (wordpress.cl), and I get the same error message except that it ends with “Policy forbids issuing for name”.

Thank you for your help.

Yep, looks like you are getting hit (incorrectly) by the blacklist. I’ll do a little research and work on getting that fixed. It may take on the order of a month, given all the other activities on our plate.

Thanks,
Jacob

Thank you! I’ll try again in a month.

Hi @jsha,

I think I am getting the same problem. I am getting the Error creating new authz :: Policy forbids issuing for name when running certbot. I tried with a couple of different names (demo.wplanif.com and web2.wpred.com) and I get the same message for both.

This is strange because we do have other sites that successfully use LE certificates with the same wpred.com TLD.

Is this related to the blacklist as well?

Looking at the logs, it appears the errors you’re getting are actually for a .members.linode.com domain. Linode.com is on the blacklist. I’d recommend double-checking your certbot invocation and logs.

Thank you @jsha for getting back to me.

I’m not sure why the requests are listed as coming from a .members.linode.com as we definitely use our own domain name (we are hosted on Linode though).

In any case, I played around with the config a bit and eventually got things working by calling certbot with the certonly option and modified the .conf files myself (and all is working now).

So once again, thank you very much, you got me on the right track!

Maybe *.members.linode.com is the Linode-set default address for the server, no idea.