How to work around blacklist?

I have a domain that I'm not able to issue a certificate for due to the blacklist. It is a well-known public company that uses our product. We are in direct communication with their IT team in charge of their DNS. Is there some DNS record or CAA record that can circumvent the blacklist? I'm unable to test since I don't own any domain names on the blacklist, and I don't want to ask the customer to make any DNS change I'm not certain of.

3 Likes

If the company agrees to use Let's Encrypt certificates, I think that Let's Encrypt would be happy to remove the block. My understanding is that the request has to come from the company itself, though, not from a vendor or the like that just happens to have a subdomain cname'd to them. If the base domain has a letsencrypt.org entry in their CAA, that would probably help convince Let's Encrypt that the company is fine with it, I'd guess, but I don't know what the actual process is.

@lestaff: Is there some official guidance somewhere on how to reach out to you about companies that are currently on the don't-issue-for list that want to start using Let's Encrypt?

7 Likes

We block a number of particularly high-profile domains from getting certificates from Let's Encrypt by default. In order to remove the block, we need all of the following:

  1. An entity representative must email security@letsencrypt.org requesting the change, from an email address with the domain in question.

  2. The domain owner must submit a letter requesting addition or removal from the blocklist. The letter must include: Attorney Name, Firm Name, Firm Phone Number and Email Address, Firm Physical Address, Name of organization being represented, a request that specific domains be added or removed from our blocklist, date of request. The letter must be signed by a licensed attorney. It may be submitted as a scanned PDF file.

We are only able to entirely remove blocked domains. We cannot allowlist subdomains of a blocked domain.

If you would like to protect domains after a block is removed, we can recommend adding CAA records.

8 Likes
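The staff reply above recommends CAA records as the way a domain owner keeps control of issuance once a block is lifted, and the earlier reply notes that a CAA record cannot circumvent the block. The following is an added example, not code from this thread or from Let's Encrypt, showing what a CA's CAA check actually does with such records: it walks up from the requested name to the closest ancestor that has CAA records (the RFC 8659 "relevant RRset") and then decides whether a given CA domain is authorized. The zone contents, names and the `is_issuance_authorized` function are constructed for illustration; a real CA resolves the records over DNS instead of reading a dictionary.

```python
"""CAA authorization check over a constructed set of DNS records.

Added example for this thread (not Let's Encrypt code). It follows the
RFC 8659 rules: find the closest name at or above the requested FQDN that
has CAA records, then apply the issue / issuewild properties found there.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, or an unknown property
    value: str   # CA domain (optionally followed by ;param=value) or ";"


# Constructed example zone. Only example.com and locked.example.com carry
# CAA records; every other name under them inherits the nearest ancestor's.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),            # no wildcard issuance at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [
        CAARecord(0, "issue", ";"),                # no CA may issue here
    ],
    "critical.example.com.": [
        CAARecord(0x80, "futureprop", "something"),  # unknown critical tag
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _canonical(name: str) -> str:
    """Lower-case, strip a leading wildcard label, and add the trailing dot."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return name.rstrip(".") + "."


def relevant_caa_set(name: str, zone: dict) -> list:
    """Return the CAA RRset governing `name`: the records at the closest
    ancestor (including the name itself) that has any CAA records."""
    labels = _canonical(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return []


def _ca_matches(value: str, ca_domain: str) -> bool:
    # An issue value may carry ";param=value" pairs after the CA domain;
    # a bare ";" (empty CA domain) authorizes nobody.
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def is_issuance_authorized(name: str, ca_domain: str, zone: dict) -> bool:
    """Decide whether `ca_domain` may issue for `name` (use "*.host" for a
    wildcard request) under the constructed zone's CAA records."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA anywhere in the tree: issuance is unrestricted

    # An unrecognized property marked critical means the CA must not issue.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in records):
        return False

    wildcard = name.startswith("*.")
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]

    # issuewild governs wildcard requests when present; otherwise issue does.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present (e.g. only iodef) but nothing restricting

    return any(_ca_matches(r.value, ca_domain) for r in applicable)


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "api.locked.example.com",
                "critical.example.com", "unrelated.test"):
        print(req, "->", is_issuance_authorized(req, "letsencrypt.org", ZONE))
```

The point for the situation in this thread: a CAA record only ever narrows the set of CAs that may issue for a name, so adding `letsencrypt.org` to the customer's CAA cannot unblock anything; what it can do, after the block is removed, is make sure no other CA issues for that domain.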

Please note that this only applies if you're receiving this specific error message:

The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

For questions about other types of blocking, please post here in the community forum. Thanks!

8 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.