Error creating new authz :: Policy forbids issuing for name

I am a member of the teaching staff in India. I need to get an SSL certificate for my website, which is used for educational purposes. I have installed a Bitnami server with the Moodle application on it for delivering my course to college-level engineering students. I got the following error in my log file:
2017-07-27 10:14:58,860:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 682, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 82, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 313, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 66, in get_authorizations
self.authzr[domain] = self.acme.request_domain_challenges(domain)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 212, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 191, in request_challenges
response = self.net.post(self.directory.new_authz, new_authz)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 674, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 687, in _post_once
return self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 574, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rejectedIdentifier :: Error creating new authz :: Policy forbids issuing for name
How should I proceed to get a valid certificate?

What is your domain? It may have been blacklisted as a high-risk domain.

Hi @Boscar,

Please always fill out the requested new issue information when creating a help topic.

In particular we need to know the domain name(s) you are trying to issue for to help with this error.

As @Nekit mentioned (Thanks!) it may be that the domain is part of the high-value domain policy. The other explanation is that the domain you are trying to issue for is invalid (e.g. foo..com or something).
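The two explanations above (a malformed name such as foo..com, or a name the CA's policy refuses) both surface as the same rejectedIdentifier problem document. The following is an added example, not certbot's code and not from anyone in this thread: it checks a name against hostname syntax before you spend a request on it, and splits certbot's "Error: ... :: ... :: ..." log line and the underlying ACME problem JSON into something you can act on. The syntax rules are my reading of RFC 1123 label rules, the hint table is my own, and the sample problem document is constructed to match the error in the first post.

```python
"""Pre-flight check of ACME identifiers and a small classifier for the
ACME problem document certbot reports. Added example; not certbot code."""
import json
import re

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_fqdn(name):
    """Return (ok, reason). Flags the 'foo..com' style names an ACME server
    rejects, so the mistake is caught locally instead of in the CA's reply."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return False, "empty name"
    if len(name) > 253:
        return False, "name longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "single label; a registrable name needs a TLD"
    for label in labels:
        if label == "":
            return False, "empty label (double, leading or trailing dot)"
        if not _LABEL.match(label):
            return False, "invalid label %r" % label
    if labels[-1].isdigit():
        return False, "looks like an IP address, not a DNS name"
    return True, "ok"


def parse_certbot_error_line(line):
    """Split certbot's 'Error: <urn> :: <detail> :: <detail>' line into
    (error_urn, [details])."""
    body = line.split("Error:", 1)[1] if line.startswith("Error:") else line
    parts = [p.strip() for p in body.split("::")]
    return parts[0], parts[1:]


# Hints keyed by the last segment of the urn:acme:error:* type. Assumed wording.
ACME_ERROR_HINTS = {
    "rejectedIdentifier": "name is malformed or blocked by CA policy; verify the "
                          "spelling, then ask the CA about its issuance policy",
    "unauthorized": "challenge failed; the CA could not verify control of the name",
    "connection": "the CA could not reach the host; check DNS and firewall rules",
    "rateLimited": "too many recent requests for this name; wait before retrying",
}


def classify_acme_error(problem_json):
    """Map an ACME problem document (JSON text) to (short_type, hint)."""
    obj = json.loads(problem_json)
    short = obj.get("type", "").rsplit(":", 1)[-1]
    return short, ACME_ERROR_HINTS.get(short, "unrecognized type; read 'detail'")


# Constructed sample of the problem document behind the thread's error.
SAMPLE_PROBLEM = json.dumps({
    "type": "urn:acme:error:rejectedIdentifier",
    "detail": "Error creating new authz :: Policy forbids issuing for name",
    "status": 400,
})
SAMPLE_LOG_LINE = ("Error: urn:acme:error:rejectedIdentifier :: "
                   "Error creating new authz :: Policy forbids issuing for name")


if __name__ == "__main__":
    for candidate in ("myxyzwebsite.in", "foo..com", "-bad.example", "10.0.0.1"):
        print(candidate, validate_fqdn(candidate))
    print(parse_certbot_error_line(SAMPLE_LOG_LINE))
    print(classify_acme_error(SAMPLE_PROBLEM))
```

Run validate_fqdn over every -d value before invoking certbot; a syntactically valid name that still comes back as rejectedIdentifier is the policy case, and only the CA can answer that.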

cpu:
Since I was quite hasty in posting my issue, I didn't know your approach. I am very sorry. In fact, I was trying to add a certificate for my AWS instance created for Moodle. Yesterday, suddenly something went wrong with my instance and I could never reboot, so I had to stop and restart it and my public IP has changed. Therefore today I will (hopefully) be freshly installing and configuring my instance. After that I shall get back to you. Thanks a lot.

No need to apologize :slight_smile: Just something to know for next time.

Best of luck!

I first used ./certbot-auto certonly --webroot -w /… /htdocs -d myxyzwebsite.in
I then got the keys and it was working well. But unfortunately my Amazon hosted zone was also kept on. A couple of days back, I first dealt with GoDaddy and paid for my domain registration. It was not working well as I could not get appropriate technical help. By today evening everything went well and intodns.com was showing a green signal. In the night I was billed by Amazon for my hosted zone; fearing that, I simply deleted the hosted zone from Amazon, but your certbot, I presume, has set up the key from the Amazon address or something, and I got stuck. Now I learn that GoDaddy is working without Amazon, but my SSL is not coming back because I think certbot keeps only the old data. I retried once but the SSL is not certified in my browser. Can I delete the whole directory created by certbot and redo it as a fresh one? Thanks in advance.
Now I understand it was the subdomain that caused the problem. Now I have it working! Thanks a lot.

Do you get a certificate mismatch error (e.g. your domain is example1.com but your browser is seeing a LE certificate for example2.com) or a certificate untrusted error (e.g. your server is still serving a default self-signed cert)? Or both?

If you're not sure, please share with us the exact error you're seeing. This is the NET::ERR string shown by Google Chrome in small gray text, or the Technical Details section shown by Firefox, or the errors directly under "There is a problem..." in Internet Explorer, or directly under "Safari can't verify the identity..." in Safari.

Sure, but it rarely fixes anything. It seems more likely that your server isn't configured to use your certificate properly.

You used "certonly" mode which requires you to manually configure the certificate after issuing. Did you intend to use regular "run" mode so that you don't have to set up the certificate? If so, all you have to do is rerun certbot like so:

 sudo certbot run -a webroot -i [apache|nginx] -w /path/to/webroot -d example.in

If you did intend to set up your certificate manually, did you in fact do so after running certbot certonly? What exactly did you do?

Everything went on perfectly well. I got the solution for the later problem of the name mismatch in the browser. That was because I didn't force my domain name to get rid of www. I changed it in the .htaccess file in my Apache configuration, and all went OK. There is no problem. Thanks again.

