Domain on Restricted List - LetsEncrypt Not Able to Issue Certificate


#1

Please fill out the fields below so we can help you better.

My domain is: participare.mastercard.ro

I ran this command: letsencrypt-auto -d participare.mastercard.ro

It produced this output: Obtaining a new certificate
An unexpected error occurred:
Policy forbids issuing for name

My operating system is (include version): CentOS 7.1

My web server is (include version): Apache 2.4

My hosting provider, if applicable, is: GTS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel


#2

mastercard.ro belongs to mastercard

as credit card companies are often targets of man in the middle and social engineering attacks there is a list of domains which certificate authorities such as letsencrypt are not allowed to issue certificates for

why are you trying to request a certificate under the mastercard romania top level domain?

if you work for mastercard then you need to go talk to your security team on how to obtain a certificate

Andrei


#3

Hi,

We will buy a certificate. It seems a much simpler solution :slight_smile:

Thank you,


#4

i don’t think you understand what i am trying to explain to you

no certificate authority will issue you a certificate under mastercard.ro (even if you “buy” it) as it’s a special domain

Andrei


#5

much like no certificate authority will issue any certificates under cia.gov or microsoft.com


#6

From Mastercard: As this website is hosted locally and not within the Mastercard infrastructure you can get your SSL certificate by yourself and install it on your server. We’ll see… :slight_smile:


#7

I don’t know exactly how Let’s Encrypt handles this situation. Usually people are inadvertently caught by the domain name filter (“Master Card, Bucharest’s oldest greeting card and gift shop…”); they don’t actually represent the billion dollar company in question…

This came up about a month ago with another company:

The company and Let’s Encrypt discussed it, but I don’t know what the final result was.

You may be able to work something out, but it will probably take a little time.

@cpu: Ping. @bootika is looking for a certificate for a Mastercard domain.

@ahaw021 If no CA ever issued certificates for prominent organizations, those organizations wouldn’t be using certificates right now. It just requires more red tape, and maybe some CAs won’t do it at all.


#8

hi @mnordhoff

https://www.mastercard.ro is the romanian mastercard page

if you browse to http://participare.mastercard.ro/ it looks like a promo page (once again using mastercard logo)

if you have a look at the terms and conditions they are also master card related

looks like a promo for using master card at a shopping mall so will fall within the guidelines of not issuing certificates

i don’t claim to be an expert but we used to work with government organisations which used to get wildcard certificates from one provider only to avoid this kind of issue.

Andrei


#9

I resolved the issue by buying a certificate… Thank you for input :slight_smile:


#10

in this case since it isn’t an accidental over-inclusion (e.g. a case where foo.com was a high value domain but foo.zoo was blocked as a permutation) but a true hit on a high value domain the process for removal would require more work to resolve than is typical for these issues (Someone from Mastercard’s legal department would have to get in touch with us).

Glad you were able to find a solution! This was probably the simplest route for this particular case.

Take care,


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.