I cant update my SSL for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kxan36news.com

I ran this command: I try to get an SSL for my domain but l get this error :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for kxan36news.com and www.kxan36news.com
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "kxan36news.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy (and 1 more problems. Refer to sub-problems for more information.)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It produced this output:

My web server is (include version): webmin 2.202

The operating system my web server runs on is (include version): ubuntu 24

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This usually means the domain is in the special list of protected domains, or you're in treasury's sdn list.

And this is what I am seeing for DNS

image1290×2796 205 KB

We have blocked issuance to the domain in question for legal reasons. The only information I can provide about the situation is that we have strong reason to believe that it is closely associated with a Specially Designated National entity.

but you have like 3 different valid certificates from different CAs when I looked at crt.sh, where all of those gone?

I dont understand very much about what you are saying.
what should l do? please advise me.

what that means?

It means you're under sanctions from the us government and companies in the us can't do business with you.

If kxan36news.com is one of the domain names of KXAN-TV - Wikipedia (not sure, didn't check, domains nameservers are also currently broken), I'm preeeeetty sure they're not on the SDN list of the US Treasury.

I think it's more likely KXAN and variants thereof have been tagged as high risk. We should wait for a Let's Encrypt crewmember for more information.

See below.

the thread I linked is about this exact domain, so I think ISRG do think this domain is from someone on SDN.

Ah, wow, that's interesting. I didn't check if a thread from 5 years ago literally matched the domain name of this thread Thanks for the clarification.

And with "closely associated" it makes sense it wouldn't be found directly on the SDN.

I guess the domain owners legal team should contact the LE legal team for clarification, if they want that (again?) 5 years later.