Error creating new cert :: policy forbids issuing for: "comptoir general de robinetterie"



We have tried many times to generate a cert with the ZeroSSL service for our domain. Now when we try to generate any cert, we get the error:

Error creating new cert :: policy forbids issuing for: “comptoir general de robinetterie”

After a tour of the forum, we suspect that we have tried too many times …

Can somebody help us?



Hi @CGR_company,

You should check the ZeroSSL manual and confirm you’re entering the domain name correctly. This error is saying the CA won’t issue for the domain "comptoir general de robinetterie", which makes sense since that’s not a domain name at all! I suspect you’re providing the domain input in the wrong place and the client is sending that string instead.

The error you’ve shared (maybe there are others you haven’t shared?) doesn’t indicate that. It’s strictly based on the domain name being invalid.

You should definitely be using the staging environment while you get this working so you won’t run into the rate limits.

Hope this helps!


One possibility is using ZeroSSL with your own CSR file, which has been filled in incorrectly (maybe swapping the X.509 CN and OU fields or something).


As @schoen correctly mentioned above, it is very likely that the CSR was generated elsewhere and it was not created correctly.

When a CSR is generated by ZeroSSL, such fields as Organization, Organizational Unit and the like (which might have the text you have quoted) are not used. Additionally, if you attempted to enter “comptoir general de robinetterie” as a domain name, you would see an appropriate error popup, indicating that neither of those words is a valid domain name.

The OU and similar fields can be added to a CSR via the on-site CSR Generator, but that text would trigger the same error message there if entered into the wrong input, and if entered into the right one, that would not return the originally quoted error message from LE.

P.S. If this is indeed the case of CN set in this way on a CSR pre-generated somewhere, I might add an additional check for that. Currently ZeroSSL actually runs the basic validation against SAN on a provided CSR to ensure that the names are set with type 2 (DNS), so for example if someone puts IPs or emails into SAN, there will be an appropriate error shown. The case of placing some text into CN itself did not seem to have happened before (at least no one raised that as an issue), but I guess it won’t hurt to do some basic check for that too.
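A pre-submission check of the kind discussed in this thread, as an added example that is not part of the original posts and is not ZeroSSL's code: it reads the CN and SAN from a CSR and reports any name a CA would refuse as a domain. It assumes the third-party Python `cryptography` package; the helper names (`is_dns_name`, `csr_name_problems`, `build_csr`) are hypothetical and both sample CSRs are constructed here with throwaway keys.

```python
import ipaddress
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def is_dns_name(name):
    """True for a multi-label name such as example.com or *.example.com."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)

def csr_name_problems(csr):
    """List problems with the names a CA would read from the CSR (CN and SAN)."""
    problems = []
    for attr in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        if not is_dns_name(attr.value):
            problems.append(f"CN is not a domain name: {attr.value!r}")
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        san = []
    for gn in san:
        if not isinstance(gn, x509.DNSName):  # GeneralName type 2 is dNSName
            problems.append(f"SAN entry is not type dNSName: {gn!r}")
        elif not is_dns_name(gn.value):
            problems.append(f"SAN dNSName is not a domain name: {gn.value!r}")
    return problems

def build_csr(cn, san):
    """Constructed sample CSR, signed with a throwaway P-256 key."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return builder.sign(key, hashes.SHA256())

# Constructed inputs: organisation text placed in CN plus an IP in SAN, then a clean CSR.
BAD = build_csr("comptoir general de robinetterie",
                [x509.DNSName("www.example.com"), x509.IPAddress(ipaddress.ip_address("192.0.2.1"))])
GOOD = build_csr("www.example.com", [x509.DNSName("www.example.com")])

if __name__ == "__main__":
    for label, csr in (("bad", BAD), ("good", GOOD)):
        print(label, csr_name_problems(csr) or "ok")
```

To check a CSR file produced elsewhere, load it with `x509.load_pem_x509_csr(pem_bytes)` and pass the result to `csr_name_problems`.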

