Hello, I am attempting to issue a certificate for the domain аналогпикабу.рф, but I receive the error: "urn:ietf:params:acme:error:rejectedIdentifier". Could you clarify if this domain is blacklisted or if there are other issues causing the error?
You're not giving us much to work with and I'm pretty sure you're not trying to develop an ACME client, so I don't know what made you post this thread in the Client dev section. I'm moving this to the Help section for now, as it could go multiple ways, see below.
Looking at the source code of the ACME server, the error you've shown can be one of two things:
errPolicyForbidden = berrors.RejectedIdentifierError("The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy")
, or
errInvalidRLDH = berrors.RejectedIdentifierError("Domain name contains an invalid label in a reserved format (R-LDH: '??--')")
The output of your ACME client should provide you this extra information. If it's the first, then the domain might be blocked due to it being a high risk domain (such as banks et c.) or because it's on some kind of sanction list. If it's the second, then you might need to provide the correct punycode IDN.
Edit:
Looking at the output of LetsDebug at Let's Debug, I don't see any rejectedIdentifier error, so it might be just an incorrect punycode issue. That said, there are some other problems you might need to address, depending on whether you're actually using the http-01 challenge as I've tried.
Edit2:
The dns-01 challenge (Let's Debug) does not give any error, so unless the policy checking does not come up after the challenge, it probably is a punycode issue.
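As an added illustration (not code from this thread or from the ACME server), a small Python check that converts a Unicode domain to its A-label (punycode) form and flags labels that hit the reserved "??--" (R-LDH) rule quoted in the error message above, so a client can catch this before submitting an order. The LDH regex is the generic hostname rule and is my assumption, not the server's exact code.

```python
import re

# Generic LDH hostname label: letters, digits, hyphens; no leading/trailing hyphen,
# at most 63 characters. This is an assumed approximation of the server's check.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def to_a_label(domain: str) -> str:
    """Return the ASCII (punycode, A-label) form of a possibly Unicode domain.

    Already-ASCII labels such as 'xn--p1ai' pass through unchanged, so the
    function accepts both the Unicode and the punycode spelling of a name.
    """
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def check_identifier(domain: str) -> list[str]:
    """Return a list of problems with the identifier; an empty list means it looks fine."""
    problems = []
    try:
        ascii_name = to_a_label(domain)
    except UnicodeError as exc:
        return [f"cannot convert to punycode: {exc}"]
    for label in ascii_name.split("."):
        if not LDH_LABEL.match(label):
            problems.append(f"label {label!r} is not valid LDH")
        # R-LDH rule: hyphens in the 3rd and 4th position are reserved; only the
        # 'xn' prefix (IDNA A-labels) is permitted there.
        if len(label) >= 4 and label[2:4] == "--" and not label.startswith("xn--"):
            problems.append(f"label {label!r} uses a reserved R-LDH form")
    return problems


if __name__ == "__main__":
    for name in ("аналогпикабу.рф", "www.аналогпикабу.рф", "ab--cd.example"):
        print(name, "->", to_a_label(name), check_identifier(name) or "ok")
```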
I tried to do it in fully manual mode: sudo certbot certonly --authenticator manual -v
I entered my email, created the domain, created the files and checked if they were available, but still got the error:
Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.
Cleaning up challenges
Some challenges have failed.
You're, again, not providing much information to work with. Certbot would have given you a way more helpful error message from the ACME client, but you've somehow managed to withhold the actual helpful error message.
Also, it's not recommended to use the manual authenticator, as it's not (easily) automatable. Depending on your setup, of which we have no knowledge yet, other methods are more suitable.
If you would have opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Sorry.
My domain is: "аналогпикабу.рф" - (аналогпикабу.рф)
I ran this command: sudo certbot --apache -d аналогпикабу.рф -d www.аналогпикабу.рф
It produced this output:
"Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for аналогпикабу.рф and www.аналогпикабу.рф
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.аналогпикабу.рф
Type: connection
Detail: 95.211.28.176: Fetching http://www.аналогпикабу.рф/.well-known/acme-challenge/wsUlk-5UBI3_jsYkYZW3WwgWfnqGxa-zd7xxlXYnfL8: Error getting validation data
Domain: аналогпикабу.рф
Type: connection
Detail: 95.211.28.176: Fetching http://аналогпикабу.рф/.well-known/acme-challenge/iZXDnuBpBYmCb8_gPzPxRlLTdpz__lqrd3MRbiC_X6M: Error getting validation data
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details."
My web server and OS are: Server version: Apache/2.4.62 (Debian 12)
Server built: 2024-10-04T15:21:08
The version of my client is: certbot 2.1.0
I used punycode for my domain
This is in line with the report from LetsDebug (Let's Debug):
@0ms: Making a request to http://xn--80aaaei4aofqmm6c.xn--p1ai/.well-known/acme-challenge/letsdebug-test (using initial IP 95.211.28.176)
@0ms: Dialing 95.211.28.176
@28ms: Experienced error: dial tcp 95.211.28.176:80: connect: no route to host
It seems there is no connection possible to the IP address 95.211.28.176: are you sure it's correct? I'm getting a "Destination Host Prohibited" when I try to ping it. Perhaps a firewall, if it's indeed the correct IP address?
iptables disables ping, just ports 80 and 443 are open.
That explains the ping response. But access to port 80 is also blocked:
server ~ # traceroute -T -p 80 95.211.28.176
traceroute to 95.211.28.176 (95.211.28.176), 30 hops max, 60 byte packets
1 192.168.x.x (192.168.x.x) 0.416 ms 0.460 ms *
2 x-x-x-x.my.isp.example.net (x.x.x.x) 10.378 ms 10.337 ms 10.296 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 95.211.28.176 (95.211.28.176) 15.323 ms !X 13.900 ms !X 14.081 ms !X
server ~ #
Notice the !X responses from your IP address, which according to the man traceroute info means: "communication administratively prohibited".
Same for port 443 by the way. Or any port for that matter.
And now?
In the course of many attempts to generate a key, at one point I started getting an error:
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Make sure that the domains listed point to this Apache server and that it is accessible from the Internet
Also:
An unexpected error occurred:
AttributeError: unable to set attribute
Also, but this is when trying to use acme:
Error when creating a new order. Le_OrderFinalize not found. { "type": "urn:ietf:params:acme:error:rejectedIdentifier", "status":400, "detail": "DNS Identifier Denied [аналогпикабу.рф]"}.
Make sure you have a connectable, working website before using the http-01 challenge. Alternatively you could use the dns-01 challenge, but it's more difficult to automate and, assuming you need the certificate for your website, it wouldn't help you much if your website is still unreachable due to the "communication administratively prohibited" problem.
Again, not the helpful error message from the ACME server.
Please update Certbot to at least 2.3.0 to get rid of that issue.
Not sure what you mean by "use acme"?
Thank you so much! You've given me a solution. The problem was indeed in the firewall.
Thanks again and have a good day!