Having issue with letsencrypt

cskaruppu · December 19, 2020, 12:21am

Hi, I am working on installing letsencrypt on site kxan36news.com and all time says with below error.

Can somebody assist here to complete the setup?

=========================
equesting a certificate for kxan36news.com, www.kxan36news.com, mail.kxan36news.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "kxan36news.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy (and 2 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.
   DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "kxan36news.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy (and 2 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.
==========================

Regards,
Support Tech

schoen · December 18, 2020, 11:47pm

Hi @cskaruppu,

Here are some things to think about:

I don't know offhand what the "forbidden by policy" reason is, but you can write to security@letsencrypt.org to ask about that.

cskaruppu · December 18, 2020, 11:52pm

Yes, site is pointed back to cloudflare DNS as letsencrypt is started giving issue during installation. Any reason for the forbidden error ?

_az · December 19, 2020, 12:02am

I think the owner of the domain will have to email Let's Encrypt to find that out.

The most recent Let's Encrypt certificate for your domain was revoked on 2020-11-05 with reason "Unknown". Presumably the domain name was blacklisted at that time.

Sometimes it's possible to know the reason for the blacklisting (if it's on the OFAC SDN sanctions list, or is very obviously a high-risk domain), but there doesn't seem to be any obvious reason in this case.

JimPas · December 19, 2020, 12:30am

Is it possible the server TOS has changed since you last agreed to it? That could result in a failure to create a cert.

griffin · December 19, 2020, 12:33am

Might want to consider just using a Cloudflare Origin CA certificate...

josh · December 19, 2020, 4:52am

We have blocked issuance to the domain in question for legal reasons. The only information I can provide about the situation is that we have strong reason to believe that it is closely associated with a Specially Designated National entity.

system · January 18, 2021, 4:53am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.