How does let's encrypt decide which subdomains to forbid issuing new certificates for?

I noticed that when requesting an SSL certificate with an HTTP-01 challenge for a subdomain of, such as I get the following error:

Error creating new order :: Cannot issue for "": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

Where is this policy set? Can I get Let's Encrypt to forbid issuing certificates for my own subdomains? At first I thought this policy arose from CAA records, but that doesn't seem to be the case. No CAA record is set on, nor is it set on any of the parent domains.

Is this part of a private arrangement between AWS and let's encrypt? Or where is this configured?

Let's Encrypt maintains a list of high-risk domains (CPS § 4.2.1), which is the source of this error message. It's a very limited list and does not accept new entries, since domain owners can restrict issuance with CAA records.
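To make the distinction in this answer concrete, the following added example (not code from the original thread, and not Let's Encrypt's own implementation) models what an ACME CA does before issuing: first a hypothetical high-risk name list, which refuses the name outright, and then the RFC 8659 CAA lookup and evaluation that a domain owner can actually influence. All zone data, the CNAME, the issuer names and the `HIGH_RISK_NAMES` entry are constructed for the example.

```python
"""Model of pre-issuance checks: a hypothetical high-risk list, then RFC 8659 CAA.

Constructed zone data and a made-up blocklist; not Let's Encrypt's real policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str
    value: str


# Constructed sample zone: owner name -> CAA RRset.
ZONE_CAA: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=http-01"),
        CAARecord(0, "issuewild", ";"),          # ';' alone forbids wildcard issuance
    ],
    "locked.example.com.": [CAARecord(0, "issue", ";")],
    "target.example.net.": [CAARecord(0, "issue", "digicert.com")],
    "strict.example.org.": [CAARecord(128, "futuretag", "x")],  # critical, unknown tag
}
# Constructed CNAME map: alias -> canonical name (a resolver follows this for us).
ZONE_CNAME: Dict[str, str] = {"alias.example.com.": "target.example.net."}
# Hypothetical stand-in for a CA's high-risk name list; any name under it is refused.
HIGH_RISK_NAMES = {"bank.example.org."}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def normalize(name: str) -> str:
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def ancestors(name: str) -> List[str]:
    """The name itself, then each parent up to the TLD, all as FQDNs."""
    labels = normalize(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def caa_lookup(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 lookup: first non-empty CAA RRset walking from the name toward the root.

    A CNAME at any step is resolved to its target before reading CAA there.
    """
    for owner in ancestors(name):
        canonical = ZONE_CNAME.get(owner, owner)
        rrset = ZONE_CAA.get(canonical, [])
        if rrset:
            return canonical, list(rrset)
    return None, []


def issuer_of(value: str) -> str:
    """Issuer domain from an issue/issuewild value, ignoring ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()


def check_issuance(name: str, ca_domain: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for issuing a certificate for `name` by `ca_domain`."""
    wildcard = name.startswith("*.")
    base = normalize(name[2:] if wildcard else name)

    # Step 1: the CA's own policy list. This cannot be overridden by DNS.
    if any(owner in HIGH_RISK_NAMES for owner in ancestors(base)):
        return False, "forbidden by policy (high-risk name list)"

    # Step 2: CAA, which the domain owner controls.
    owner, rrset = caa_lookup(base)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"unknown critical CAA tag at {owner}: must not issue"

    # Wildcards use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True, f"no {tag} records at {owner}: issuance unrestricted"

    permitted = {issuer_of(r.value) for r in relevant} - {""}
    if ca_domain.lower() in permitted:
        return True, f"{ca_domain} authorized by {tag} record at {owner}"
    return False, f"{ca_domain} not in CAA {tag} set at {owner}: {sorted(permitted) or 'nobody'}"


if __name__ == "__main__":
    for n, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                  ("alias.example.com", "digicert.com"), ("api.bank.example.org", "letsencrypt.org")]:
        print(n, ca, check_issuance(n, ca))
```

The order of the two steps is the point of the answer above: a CAA record lets you forbid or scope issuance for your own names, but a name on the CA's high-risk list fails before CAA is consulted, which is why adding or removing CAA records changes nothing for it.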


It is highly unlikely that other CAs use this same list [or created their own lists with the same names in them]...
So, you may be able to switch to another FREE CA and get the cert you seek.


Though even if he did get a certificate for that name, it's unlikely that he can do anything with it unless he works for AWS. Their S3 service doesn't allow one to install one's own certificates since Amazon has their own perfectly fine certificates for it. It's really unclear to me what this user is trying to actually accomplish, or if he was just using it as an example to show the "forbidden by policy" list.

