Domain block scope question

Hi Team,

Recently, I found that queue-syd.shop.samsung.com is blocked so the certificate cannot be issued.
According to the following debug information, the domain is blocked because it is forbidden by policy.

https://letsdebug.net/queue-syd.shop.samsung.com/216330
Error creating new order :: Cannot issue for “queue-syd.shop.samsung.com”: The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

I found “We block a number of particularly high-profile domains from getting certificates from Let’s Encrypt by default” at the following URL.

My question has two parts.

  1. Is the forbidden policy applied per top-level domain or per specific host?
  2. Is there any list where I can see blocked domains from my side? Otherwise, I always need to check the debug information to see whether a domain is blocked or not.

Thanks in advance.
Hwaseob


Hi @simnow7,

Disclaimer first: I’m not an employee, so my words are reference only.

I think the forbidden policy is blocking at least the entire domain, sometimes TLDs if required? (I don’t think people who use samsungtext.example.com will get blocked, if example.com is not one of the domains on that list.)

In short, no. I guess it’s probably not good to disclose specific domains/TLDs that are blocked, just like you wouldn’t want your ID/SSN numbers to get leaked in association with your whole personal information (although that’s definitely loosely related, overall it’s not a good idea).

P.S. If my memory serves right, there are ways to permit accounts to issue for these domains. I think you’ll need the actual domain owner (in this case, Samsung) to contact Let’s Encrypt and explicitly allow you to issue certificates. There might be more steps involved, so definitely tag someone in the @lestaff group if you want that option.

Thank you


Is this causing trouble for you as a Let’s Encrypt integrator?

You can detect this scenario by trying to create a new order and looking for a specific type of error: urn:ietf:params:acme:error:rejectedIdentifier. This is a permanent error, so upon seeing it, you could immediately notify the user or administrator of the problem.

That is to say, you could detect it in your normal process of obtaining certificates - a separate check doesn’t seem necessary.

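The detection the reply above describes, as an added Python example that is not part of the original thread: it parses the problem document an ACME server returns for a failed newOrder request and flags urn:ietf:params:acme:error:rejectedIdentifier as a permanent failure that should be reported rather than retried. The JSON framing and the handling of RFC 8555 "subproblems" are assumptions drawn from the ACME specification; the sample body is constructed from the detail text quoted in the question.

```python
import json

# ACME error URN prefix and the bare error names treated here as permanent for
# a given identifier (RFC 8555 section 6.7). The reply above identifies
# rejectedIdentifier as the type Let's Encrypt returns for a policy-blocked name.
ACME_ERROR_NS = "urn:ietf:params:acme:error:"
PERMANENT = {"rejectedIdentifier", "unsupportedIdentifier"}


def _bare_type(problem):
    """Return the ACME error name without its URN prefix, or None."""
    t = problem.get("type", "")
    return t[len(ACME_ERROR_NS):] if t.startswith(ACME_ERROR_NS) else None


def classify_new_order_error(body, requested_names):
    """Classify a newOrder failure from its problem document (RFC 7807 JSON).

    requested_names: the dns identifier values the client put in the order.
    Returns the error name, whether it is permanent (do not retry), and which
    requested names were rejected. Names are taken from RFC 8555 'subproblems'
    when the server supplies them; a top-level rejectedIdentifier without
    subproblems is attributed to every name in the order (client-side assumption).
    """
    problem = json.loads(body) if isinstance(body, (str, bytes)) else body
    name = _bare_type(problem)
    if name is None:
        return {"error": None, "permanent": False, "rejected": []}
    rejected = []
    for sub in problem.get("subproblems", []):
        ident = sub.get("identifier", {})
        if _bare_type(sub) in PERMANENT and ident.get("type") == "dns":
            rejected.append(ident["value"])
    if name in PERMANENT and not rejected:
        rejected = list(requested_names)
    permanent = name in PERMANENT or bool(rejected)
    return {"error": name, "permanent": permanent, "rejected": sorted(set(rejected))}


# Constructed sample modelled on the error quoted in the question; only the
# detail text comes from the post, the JSON framing is assumed.
SAMPLE_BODY = json.dumps({
    "type": "urn:ietf:params:acme:error:rejectedIdentifier",
    "detail": "Cannot issue for \"queue-syd.shop.samsung.com\": The ACME server "
              "refuses to issue a certificate for this domain name, because it "
              "is forbidden by policy",
    "status": 400,
})

if __name__ == "__main__":
    verdict = classify_new_order_error(SAMPLE_BODY, ["queue-syd.shop.samsung.com"])
    if verdict["permanent"]:
        print("notify the administrator, do not retry:", verdict["rejected"])
```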
