Domain blocked by let's encrypt

my OVH domain is blocked by Let’s Encrypt. Impossible to cancel the ssl generation. the site is totally safe and i don’t know why SSL can’t run on it.

My domain is:

Thank you for you help

Hi @narrative

please explain.

All answers of the template questions are required.

It’d be because it’s a public suffix: (

i desactivate the SSL demand on TLD domain and try it only on www but ovh ssl generation still running on the server. i asked them to cancel it but no answer.

hi everyone

ovh SSL demand seems to be blocked by let’s encrypt
My domain is:

i have the and on a ovh multiste.
i asked for a let’s encrypt SSL but the command was running for days. then today i want to stop the command and run it on the www domain only. maybe it works after that but ovh say that it is impossible to stop the command until let’s encrypt unblock the domain…

My web server is (include version): OVH cluster028

The operating system my web server runs on is (include version): apache php 7.2

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine

I’m using a control panel to manage my site : ovh control

thank you for your help

How exactly did they say this? Because this does not make any sense.

If you could ask OVH to produce the exact error message behind their claim that Let’s Encrypt has blocked them, that would be helpful.

1 Like

here is what they say first : "Le blocage que vous rencontrez dans la création du certificat SSL ne provient pas de l’hébergement utilisé, mais du domaine qui est bloqué auprès de Let’s Encrypt (l’organisme délivrant les certificats SSL). Dans votre cas, il est nécessaire de vous rapprocher de Let’s Encrypt pour savoir pourquoi ce domaine est bloqué et comment corriger cela auprès d’eux.

Sans action réalisée de leur côté, nous ne pourrons pas agir à notre niveau."

Now i came back to them and ask again to stop it. They say they will ask to the ovh administrators to see if it is possible…

“Je vérifie si cela est possible avec nos administrateurs. Je vous tiens informé.”

2 days asking that…

It makes sense to me. You misinterpreted this link – is not a public suffix, it’s a government suffix and blacklisted.

running locally…

sudo certbot certonly --standalone -d

the results:

An unexpected error occurred:
Error creating new order :: Cannot issue for "": Domain name is an ICANN TLD

This requires LetsEncrypt staff (possibly likely the security staff) to handle.

adding… the ACME error in the log file is:

Error: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "": Domain name is an ICANN TLD

It is a pubic suffix because it’s on the PSL (ignoring for a moment the ICANN/private distinction).

A blacklisted domain produces a different ACME error (forbidden by policy). That error can be excepted by Let’s Encrypt, but the PSL one (is an ICANN TLD) can’t be.

To clarify my earlier post: a certificate can be issued for, as it does not run afoul of being a public suffix. Which is what @narrative is trying to do:

All OVH needs to do is to remove the base domain from its ACME order (keeping only the www. subdomain), and they will get a certificate. I am not sure what other “blocking” could be taking place.

Reading the OVH support response, I think the support rep. just might not be grasping that only the base domain is blocked. That, or OVH’s load balancer doesn’t support removing the base domain.

First off, you are correct. I was wrong.

These errors are very confusing. is an ICANN TLD does not suggest it is a PSL error.

1 Like

I don’t disagree :smiley: .

@_az thank you so much you were very helpful.
thanks to you, i understood the pb and learnt something today.
now ovh stopped the let’s encrypt coand and i am looking for a stronger ssl certificate for this TLD.
Thanks again

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.