Error creating new authz :: "domain" was considered an unsafe domain by a third-party API


#1

Hello,

I have several domains on a VPS. I have already renewed all my certificates except for one domain: renewing fails and tells me that my domain is “unsafe”. I don’t know why, how, or by whom my domain has been flagged as “unsafe”. Everything went fine for my other domains. I don’t know what to do for this particular domain. Please help!

My domain is: geekfeed.me

I ran this command: ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -d geekfeed.me -d ftp.geekfeed.me -d mail.geekfeed.me -d webmail.geekfeed.me -d www.geekfeed.me

It produced this output:
An unexpected error occurred:
The client lacks sufficient authorization :: Error creating new authz :: “geekfeed.me” was considered an unsafe domain by a third-party API
Please see the logfiles in /var/log/letsencrypt for more details.

My operating system is (include version): Debian 7.11

My web server is (include version): Apache 2.2.22

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Here is what is in the log:

2016-08-05 12:03:27,770:DEBUG:certbot.main:Root logging level set at 30
2016-08-05 12:03:27,772:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-08-05 12:03:27,773:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2016-08-05 12:03:27,828:DEBUG:certbot.main:certbot version: 0.8.1
2016-08-05 12:03:27,829:DEBUG:certbot.main:Arguments: ['--server', 'https://acme-v01.api.letsencrypt.org/directory', '-d', 'geekfeed.me', '-d', 'ftp.geekfeed.me', '-d', 'mail.geekfeed.me', '-d', 'webmail.geekfeed.me', '-d', 'www.geekfeed.me']
2016-08-05 12:03:27,830:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-08-05 12:03:27,873:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2016-08-05 12:03:28,579:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#apache): Apache plugin support requires libaugeas0 and augeas-lenses version 1.2.0 or higher, please make sure you have you have those installed.
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 105, in prepare
    self._initialized.prepare()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 175, in prepare
    "Apache plugin support requires libaugeas0 and augeas-lenses "
NotSupportedError: Apache plugin support requires libaugeas0 and augeas-lenses version 1.2.0 or higher, please make sure you have you have those installed.
2016-08-05 12:03:28,584:DEBUG:certbot.plugins.selection:Multiple candidate plugins: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x27377d0>
Prep: True

* standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x2738410>
Prep: True
2016-08-05 12:03:30,692:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x2738410> and installer None
2016-08-05 12:03:30,920:DEBUG:certbot.main:Picked account: <Account(xxxxxxxxxxxxxxxxxxxx)>
2016-08-05 12:03:30,923:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-08-05 12:03:30,936:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-08-05 12:03:31,308:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
2016-08-05 12:03:31,312:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Boulder-Request-Id': 'xxxxxxxxxxxxxxxxxxxxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Fri, 05 Aug 2016 12:03:31 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxxxxxxxxxxxxxxxxxxxxxx'}. Content: '{\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-08-05 12:03:31,312:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Boulder-Request-Id': 'xxxxxxxxxxxxxxxxxxxxxxxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Fri, 05 Aug 2016 12:03:31 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxxxxxxxxxxxxxxxxxxxxxxx'}): '{\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-08-05 12:03:31,382:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2016-08-13 11:55:00 UTC.
2016-08-05 12:03:31,382:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2016-08-05 12:03:31,383:DEBUG:root:Requesting fresh nonce
2016-08-05 12:03:31,383:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-08-05 12:03:31,633:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-08-05 12:03:31,636:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Expires': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'xxxxxxxxxxxxxxxxxxxxxx'}. Content: ''
2016-08-05 12:03:31,637:DEBUG:acme.client:Storing nonce: 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
2016-08-05 12:03:31,637:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, challenges=None, expires=None, status=None
2016-08-05 12:03:31,637:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "geekfeed.me"}, "resource": "new-authz"}
2016-08-05 12:03:31,639:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jwk=None, alg=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None
2016-08-05 12:03:31,648:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonce=None
2016-08-05 12:03:31,649:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}}, "protected": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "payload": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "signature": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}'}

2016-08-05 12:03:31,875:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 403 172
2016-08-05 12:03:31,884:DEBUG:root:Received <Response [403]>. Headers: {'Content-Length': '172', 'Boulder-Request-Id': 'xxxxxxxxxxxxxxxxxxxxx', 'Expires': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Server': 'nginx', 'Connection': 'close', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache', 'Boulder-Requester': '8336', 'Date': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'xxxxxxxxxxxxxxxxxxxxxxx'}. Content: '{\n  "type": "urn:acme:error:unauthorized",\n  "detail": "Error creating new authz :: \\"geekfeed.me\\" was considered an unsafe domain by a third-party API",\n  "status": 403\n}'
2016-08-05 12:03:31,887:DEBUG:acme.client:Storing nonce: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
2016-08-05 12:03:31,887:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Length': '172', 'Boulder-Request-Id': 'xxxxxxxxxxxxxxxxxxxxxx', 'Expires': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Server': 'nginx', 'Connection': 'close', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache', 'Boulder-Requester': '8336', 'Date': 'Fri, 05 Aug 2016 12:03:31 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'xxxxxxxxxxxxxxxxxxxxxxxx'}): '{\n  "type": "urn:acme:error:unauthorized",\n  "detail": "Error creating new authz :: \\"geekfeed.me\\" was considered an unsafe domain by a third-party API",\n  "status": 403\n}'
2016-08-05 12:03:31,890:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 91, in _auth_from_domains
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 237, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 64, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 217, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 197, in request_challenges
    new_authz)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 656, in post
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 572, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: "geekfeed.me" was considered an unsafe domain by a third-party API

#3

Although they (and I) would prefer that CAs could just do the role of issuing certificates with the right names to the right people, Let’s Encrypt is currently obliged by the rules of the Trust Stores (without which their certificates would not be trusted in your OS or web browser) to provide some sort of protection against issuing to sites which deliver malware and suchlike.

They use the Google Safe Browsing API to do this. You will most likely find that your site is considered to be unsafe by the Google Safe Browsing system, and if you validate your control of the site you should find Google are able to explain why and maybe help you to fix it.

I hope that helps.
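
An added example, not part of the original thread and not certbot's own code: a small triage script that pulls ACME problem documents out of a certbot debug log like the one in post #2 and reports which domains were refused by the Safe Browsing check. The sample log lines, the domain `unsafe.example` and the function names are constructed for illustration.

```python
import ast
import json
import re

# certbot logs the response body as a Python repr() at the end of the line.
BODY_RE = re.compile(r"""(?:Content: |\): )('(?:[^'\\]|\\.)*')\s*$""")
UNSAFE_RE = re.compile(r'"(?P<domain>[^"]+)" was considered an unsafe domain')

# Constructed sample in the shape of the log above (headers trimmed).
SAMPLE_LOG = r"""
2016-08-05 12:03:31,636:DEBUG:root:Received <Response [405]>. Headers: {'Allow': 'POST'}. Content: ''
2016-08-05 12:03:31,884:DEBUG:root:Received <Response [403]>. Headers: {'Content-Type': 'application/problem+json'}. Content: '{\n  "type": "urn:acme:error:unauthorized",\n  "detail": "Error creating new authz :: \\"unsafe.example\\" was considered an unsafe domain by a third-party API",\n  "status": 403\n}'
2016-08-05 12:03:31,887:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Type': 'application/problem+json'}): '{\n  "type": "urn:acme:error:unauthorized",\n  "detail": "Error creating new authz :: \\"unsafe.example\\" was considered an unsafe domain by a third-party API",\n  "status": 403\n}'
2016-08-05 12:04:02,101:DEBUG:root:Received <Response [429]>. Headers: {}. Content: '{\n  "type": "urn:acme:error:rateLimited",\n  "detail": "constructed detail text",\n  "status": 429\n}'
"""

def acme_problems(log_text):
    """Yield each distinct ACME problem document found in a certbot debug log."""
    seen = set()
    for line in log_text.splitlines():
        m = BODY_RE.search(line)
        if not m:
            continue
        try:
            body = ast.literal_eval(m.group(1))  # undo repr(): \n and \\" escapes
            doc = json.loads(body)
        except (ValueError, SyntaxError):
            continue  # empty body or not JSON
        if not isinstance(doc, dict):
            continue
        if not str(doc.get("type", "")).startswith("urn:acme:error:"):
            continue  # e.g. the directory listing, not an error
        key = (doc.get("type"), doc.get("detail"))
        if key not in seen:  # root and acme.client both log the same response
            seen.add(key)
            yield doc

def safe_browsing_blocks(log_text):
    """Return domains refused at new-authz by the third-party safety check."""
    domains = []
    for doc in acme_problems(log_text):
        m = UNSAFE_RE.search(doc.get("detail", ""))
        if m and doc.get("status") == 403:
            domains.append(m.group("domain"))
    return domains

if __name__ == "__main__":
    print(safe_browsing_blocks(SAMPLE_LOG))
```

A domain reported here needs to be checked and cleaned up on the Safe Browsing side before retrying; re-running the client unchanged will get the same 403.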


#4

https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=geekfeed.me

geekfeed.me contains deceptive content.

Attackers on this site might try to trick you to download software or steal your information (for example passwords, messages, or credit card information).


#5

Wow you are right! Turns out that some ads were really nasty! Now trying to solve the problem…


#6

Yes, thanks, I am trying to solve this problem now. As a piece of advice, don’t use anything other than AdSense, because you’re always disappointed one day or another.

