Having issue with letsencrypt

Hi, I am working on installing letsencrypt on the site kxan36news.com, and every time it fails with the error below.

Can somebody assist here to complete the setup?

=========================
Requesting a certificate for kxan36news.com, www.kxan36news.com, mail.kxan36news.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "kxan36news.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy (and 2 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.
   DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "kxan36news.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy (and 2 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.
==========================

Regards,
Support Tech
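The quoted output collapses the CA's answer into one line ("and 2 more problems. Refer to sub-problems"). What the ACME server actually returns is an RFC 8555 problem document whose `subproblems` array carries one entry per identifier, and the error `type` tells you whether the order was refused outright or a challenge merely failed. The following script is an added example, not part of the original post or of certbot: it parses such a document and classifies it. The JSON samples are constructed to mirror the domains in the thread; they are assumptions, not captures from the poster's /var/log/letsencrypt/letsencrypt.log, and the helper names are mine.

```python
import json
from typing import Dict, List, Optional

ACME_ERR_PREFIX = "urn:ietf:params:acme:error:"

# RFC 8555 section 6.7 error types. A "policy" type means the CA refused the
# identifier itself, so changing webroot/DNS validation cannot help; a
# "validation" type means a challenge failed and can be retried after a fix.
POLICY_ERRORS = {"rejectedIdentifier", "unsupportedIdentifier"}
VALIDATION_ERRORS = {"unauthorized", "connection", "dns", "incorrectResponse",
                     "tls", "caa"}

# Constructed sample (assumption): a new-order rejection with sub-problems.
SAMPLE_POLICY = json.dumps({
    "type": ACME_ERR_PREFIX + "rejectedIdentifier",
    "status": 400,
    "detail": "Error creating new order :: Cannot issue for \"kxan36news.com\": "
              "The ACME server refuses to issue a certificate for this domain name, "
              "because it is forbidden by policy (and 2 more problems. Refer to "
              "sub-problems for more information.)",
    "subproblems": [
        {"type": ACME_ERR_PREFIX + "rejectedIdentifier",
         "detail": "Cannot issue for \"kxan36news.com\": forbidden by policy",
         "identifier": {"type": "dns", "value": "kxan36news.com"}},
        {"type": ACME_ERR_PREFIX + "rejectedIdentifier",
         "detail": "Cannot issue for \"www.kxan36news.com\": forbidden by policy",
         "identifier": {"type": "dns", "value": "www.kxan36news.com"}},
        {"type": ACME_ERR_PREFIX + "rejectedIdentifier",
         "detail": "Cannot issue for \"mail.kxan36news.com\": forbidden by policy",
         "identifier": {"type": "dns", "value": "mail.kxan36news.com"}},
    ],
})

# Constructed sample (assumption): a plain HTTP-01 challenge failure for contrast.
SAMPLE_VALIDATION = json.dumps({
    "type": ACME_ERR_PREFIX + "unauthorized",
    "status": 403,
    "detail": "Invalid response from http://www.example.test/.well-known/acme-challenge/x: 404",
})


def _short_type(full_type: str) -> str:
    """Strip the URN prefix so 'urn:ietf:params:acme:error:dns' becomes 'dns'."""
    if full_type.startswith(ACME_ERR_PREFIX):
        return full_type[len(ACME_ERR_PREFIX):]
    return full_type


def parse_problem(problem_json: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per sub-problem (or one for the top-level error).

    Each record has 'identifier' (DNS name, or None when the CA did not
    attach one), 'type' (short ACME error type) and 'detail'.
    """
    doc = json.loads(problem_json)
    subs = doc.get("subproblems") or []
    if not subs:
        return [{"identifier": None,
                 "type": _short_type(doc.get("type", "")),
                 "detail": doc.get("detail", "")}]
    records = []
    for sub in subs:
        ident = sub.get("identifier") or {}
        records.append({"identifier": ident.get("value"),
                        "type": _short_type(sub.get("type", "")),
                        "detail": sub.get("detail", "")})
    return records


def classify(records: List[Dict[str, Optional[str]]]) -> str:
    """'policy' if any identifier was refused outright, else 'validation'
    if any challenge failed, else 'other'."""
    types = {r["type"] for r in records}
    if types & POLICY_ERRORS:
        return "policy"
    if types & VALIDATION_ERRORS:
        return "validation"
    return "other"


if __name__ == "__main__":
    for sample in (SAMPLE_POLICY, SAMPLE_VALIDATION):
        recs = parse_problem(sample)
        print(classify(recs))
        for r in recs:
            print(f"  {r['identifier'] or '(no identifier)'}: {r['type']} - {r['detail']}")
```

For the constructed policy sample every sub-problem is `rejectedIdentifier`, which is exactly the case where retrying with a different authenticator plugin (webroot, manual DNS) changes nothing; the only useful next step is the one the thread ends up at, contacting the CA.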


Hi @cskaruppu,

Here are some things to think about:

I don't know offhand what the "forbidden by policy" reason is, but you can write to security@letsencrypt.org to ask about that.


Yes, the site is pointed back to Cloudflare DNS, as Let's Encrypt started giving this issue during installation. Any reason for the forbidden error?


I think the owner of the domain will have to email Let's Encrypt to find that out.

The most recent Let's Encrypt certificate for your domain was revoked on 2020-11-05 with reason "Unknown". Presumably the domain name was blacklisted at that time.

Sometimes it's possible to know the reason for the blacklisting (if it's on the OFAC SDN sanctions list, or is very obviously a high-risk domain), but there doesn't seem to be any obvious reason in this case.


Is it possible the server TOS has changed since you last agreed to it? That could result in a failure to create a cert.


Might want to consider just using a Cloudflare Origin CA certificate...


We have blocked issuance to the domain in question for legal reasons. The only information I can provide about the situation is that we have strong reason to believe that it is closely associated with a Specially Designated National entity.

