Error creating new authz :: Name is blacklisted


#1

I got an error running the last client commit.
I have tried once yesterday and twice today with the updated client.

Command line output:

Updating letsencrypt and virtual environment dependencies......
Running with virtualenv: sudo /Users/user.name/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -d javali.globo.com
Password:
An unexpected error occurred.
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is blacklisted
Please see the logfiles in /var/log/letsencrypt for more details.

log:

2015-11-05 16:44:46,917:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "okYPzU34fqoOVjDnnBXsqK1Wr-owwXW9C90gjvQP1piEW-vjMP0FbM2cKN_sqJTsnZwHhxQieAI0tm1F9j1soe7BbgUorVdecO1Bw6TS77QRmxukcXk5REovAgbX13ArAVrgRwM1ZHlJLtYMvfEvLBxkUOj82SoBU6JGLpNWKS5XNoZZMltLJVu3bivWlS3KeZR7SeAKWMQE1NLHnm-85DkYYlfFCQi9B7rODxpGQjyg795opNeX0obSZxubPXlT90jT975wVyp-nVAzBcT1XsFRtMM8RpMtRRYmLPl2dTjKiF0mKO7IDE22OYIp9n4XSKWXLcFObAwhXELdU_vJCQ"}}, "protected": "eyJub25jZSI6ICJ4bTQ1bW9kMDRKOUpXelU0VjIyUUZUZTB0X1daT2dIN3dOR0VlWU8yOW1VIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJqYXZhbGkuZ2xvYm8uY29tIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "iKyheFL0nj-xD4ig7vKJzVcE1lMkN_CVTpKrIvMTIjyr3xl37tVgRA-W5Vh3_RKPQn6-vDn53MQQB6Zs_4GMULPBvNHpv3XQUBEfLyQlbQRb4b0RgTytRQHbG1-6PY_nuljbUuuBW1u9hJ3x6-EghcO1CL4Zv4eNQZ8ekIciqUj2TkMi7iomKSqXPaMWNDuQDxhsF9k_Ps8kQIvpFv6fNk6zY1Es1ny58tshprOfSNpf_GOXiNzrVmffsM-Tyj4w4SPoJXTK3wdJUC0qC1zOgMtWIw-HGRGljLEPFnP0cE9On-l_HXE7uaOf67yF7avNCDx86wzV6cSYNRLeJsqp9w"}'}
2015-11-05 16:44:46,920:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-05 16:44:47,284:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 403 97
2015-11-05 16:44:47,290:DEBUG:root:Received <Response [403]>. Headers: {'Content-Length': '97', 'Expires': 'Thu, 05 Nov 2015 16:44:47 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 05 Nov 2015 16:44:47 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'K4siXeEAdHb1Cu7x2Qss3k5M-nUJ9-IkOPFOS7yF30M'}. Content: '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is blacklisted"}'
2015-11-05 16:44:47,290:DEBUG:acme.client:Storing nonce: '+\x8b"]\xe1\x00tv\xf5\n\xee\xf1\xd9\x0b,\xdeNL\xfau\t\xf7\xe2$8\xf1NK\xbc\x85\xdfC'
2015-11-05 16:44:47,290:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Length': '97', 'Expires': 'Thu, 05 Nov 2015 16:44:47 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 05 Nov 2015 16:44:47 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'K4siXeEAdHb1Cu7x2Qss3k5M-nUJ9-IkOPFOS7yF30M'}): '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is blacklisted"}'
2015-11-05 16:44:47,292:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/Users/vicente.fiebig/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1138, in main
    return args.func(args, config, plugins)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 490, in obtaincert
    _auth_from_domains(le_client, config, domains, plugins)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 328, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains, plugins)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 229, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 212, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 170, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 215, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 195, in request_challenges
    response = self.net.post(new_authzr_uri, new_authz)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 624, in post
    return self._check_response(response, content_type=content_type)
  File "/Users/vicente.fiebig/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 542, in _check_response
    raise messages.Error.from_json(jobj)
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is blacklisted
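As an added example (not code from the original post or from the letsencrypt client), a small Python triage helper that decodes the JWS the client logged and the problem document the CA returned, so the refused identifier and the error type are paired explicitly. It runs on a constructed, trimmed copy of the two log lines above (JWK modulus and signature replaced by placeholders); the function names are this example's own.

```python
import base64
import json
import re

# Constructed sample: the two relevant lines from the log in post #1, with the
# JWK modulus and the JWS signature replaced by placeholders to keep it short.
REQUEST_LINE = (
    "2015-11-05 16:44:46,917:DEBUG:root:Sending POST request to "
    "https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: "
    "{'data': '{\"header\": {\"alg\": \"RS256\", \"jwk\": {\"e\": \"AQAB\", "
    "\"kty\": \"RSA\", \"n\": \"<modulus-omitted>\"}}, "
    "\"protected\": \"eyJub25jZSI6ICJ4bTQ1bW9kMDRKOUpXelU0VjIyUUZUZTB0X1daT2dIN3dOR0VlWU8yOW1VIn0\", "
    "\"payload\": \"eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJqYXZhbGkuZ2xvYm8uY29tIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ\", "
    "\"signature\": \"<signature-omitted>\"}'}"
)
RESPONSE_LINE = (
    "2015-11-05 16:44:47,290:DEBUG:root:Received <Response [403]>. Headers: "
    "{'Content-Type': 'application/problem+json', "
    "'Replay-Nonce': 'K4siXeEAdHb1Cu7x2Qss3k5M-nUJ9-IkOPFOS7yF30M'}. Content: "
    "'{\"type\":\"urn:acme:error:unauthorized\",\"detail\":\"Error creating new authz :: Name is blacklisted\"}'"
)

def b64url_decode(s):
    """Decode unpadded base64url as used by JWS (RFC 7515)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_new_authz_request(line):
    """Decode the JWS protected header and payload of a logged new-authz POST."""
    m = re.search(r"'data': '(\{.*\})'\}", line)
    jws = json.loads(m.group(1))
    protected = json.loads(b64url_decode(jws["protected"]))
    payload = json.loads(b64url_decode(jws["payload"]))
    return {"protected": protected, "payload": payload}

def parse_problem_response(line):
    """Extract the HTTP status and the problem+json body from a logged ACME response."""
    status = int(re.search(r"Received <Response \[(\d+)\]>", line).group(1))
    body = json.loads(re.search(r"Content: '(\{.*\})'", line).group(1))
    return {"status": status, "type": body["type"], "detail": body["detail"]}

def triage(request_line, response_line):
    """Pair the identifier the client asked for with the CA's refusal."""
    req = parse_new_authz_request(request_line)
    resp = parse_problem_response(response_line)
    name = req["payload"]["identifier"]["value"]
    blacklisted = resp["status"] == 403 and "blacklisted" in resp["detail"].lower()
    return {"name": name, "blacklisted": blacklisted, "error_type": resp["type"]}
```

`triage(REQUEST_LINE, RESPONSE_LINE)` returns the requested name, whether the CA reported it as blacklisted, and the ACME error type, which is what you need before deciding whether to retry or to request a different name.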

#2

This is #143 in the Alexa Top 1000 (congrats!), so it’s ineligible for the beta program as it stands right now.

Update: Our blacklist is no longer based on the Alexa Top 1000.


#3

But why is the top 1000 blocked, even if it’s just the beta?


#4

Ok, thanks. I will wait for the release : )


#5

I guess it’s because top sites have high visits, which would give LE servers too much pressure :wink:


#6

Why would the LE server get too much pressure? OCSP stapling and that’s it.


#7

Not everyone will staple, and others – such as myself – will bang our heads fruitlessly against our server configs trying to figure out why in &$*@ we can’t get stapling to work.


#8

Yeah, but I wonder if LE servers have been load tested to ensure they can handle GA/public release load?


#9

Load test? Do people still do that? I thought the in vogue thing these days was to just throw cloudware at bottlenecks.


#10

Well, come GA public live release when it’s opened up, it would essentially be load tested, heh.


#11

Yup, and you cannot do any more accurate load test than real live activity. Just ask the folks at healthcare.gov. They have first-hand expertise at this. If bottlenecks show up, just throw some cloudware at it.


#12

We have a blacklist in place as an added layer of protection against mis-issuance for high-risk domains (those which are more likely to be maliciously targeted for mis-issuance).

It doesn’t have to do with concerns about load on our systems, as people suggest in this thread. We prefer that sites use OCSP stapling, but even if they don’t our OCSP responses are handled by Akamai.


#13

cloudapp.net is the Azure domain, which is unfortunate as it hosts all my VMs. Do you intend to make this available later?


#14

Same issue as Omaristalis.


#15

We’ve been on Azure for several years, and have mapped custom domains to cloudapp.net using CNAME records as well as mapped to the IP address, since it is issued at the time your VM or compute slot is originally created, and does not change, unless you delete the slot.

For the purpose of issuing certs, you can’t verify control of cloudapp.net domains, because Microsoft owns (and therefore controls) the domain. So, order your own domain, instead, and map it to cloudapp.net. Then, you can verify control for cert issuance. That’s how we do it now.

We are expectantly watching progress of Let’s Encrypt, and look forward to starting testing of adding certs to our non-production environment. We also have a lot of B2B customers who could leverage Let’s Encrypt, and as this gets stable, we’ll definitely look to recommending integration.


#16

Makes perfect sense, thank you. Created a domain and yes, certificate creation using the tool was flawless.