Error creating new authz. Policy forbids issuing for name

Can not generate certificate for one domain and its subdomains. About 200-300 other domain certificates was generated successfully. Could you help to resolve this problem?

My domain is:,,,

I ran this command: --issue -d -w /var/lib/

It produced this output:
[Sat Jul 22 15:48:54 +05 2017] Registering account
[Sat Jul 22 15:48:56 +05 2017] Already registered
[Sat Jul 22 15:48:58 +05 2017] Update success.
[Sat Jul 22 15:48:58 +05 2017] Single domain=‘
[Sat Jul 22 15:48:58 +05 2017] Getting domain auth token for each domain
[Sat Jul 22 15:48:58 +05 2017] Getting webroot for domain=‘
[Sat Jul 22 15:48:58 +05 2017] _w=’/var/lib/’
[Sat Jul 22 15:48:58 +05 2017] Getting new-authz for domain=‘
[Sat Jul 22 15:48:59 +05 2017] The new-authz request is ok.
[Sat Jul 22 15:48:59 +05 2017] new-authz error: {“type”:“urn:acme:error:rejectedIdentifier”,“detail”:“Error creating new authz :: Policy forbids issuing for name”,“status”: 400}
[Sat Jul 22 15:48:59 +05 2017] Please check log file for more details: /var/log/

That error occurs when the domain being issued for is on the “high risk target” list, or some other “it’s not a good idea to issue certificates for these domains” list. If you search on here for “Policy forbids issuing for name” you’ll find a number of topics discussing the reasons (and the reasons for the reasons).

You can also talk to @cpu about whether this restriction can possibly be removed.


Hi @Scorcher,

I’ve started the process to allow issuance for domains. This usually takes ~7-14 days and I will update this thread when the change has been made.

Thanks for your patience!

1 Like has been removed from the high risk blacklist. You should be able to issue for this domain now.


Thank you! Now, i am successfully generate certificates for these domains.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.