I'm told I need an exception

I'm using SSLForFree.com and I'm trying to create a wildcard SSL certificate for my domain with my own CSR and it won't go. I'm told I need an exception for my domain and that I should ask here.

Here’s what I get when I try to create it

CSR Domains do not match the domains specified to be secured. Remove domains from what is specified at the top of the verify page or add all specified domains to your CSR. This includes the www. or non www. version of your domain(s). Domains must match exactly. Specified domains are: *mydomain.com, mydomain.com

Full Error: { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Error finalizing order :: Order includes different number of names than CSR specifies", "status": 403 }

any help is appreciated

Hi @domdis,

Did you type *mydomain.com instead of *.mydomain.com? The dot is part of the wildcard name.

Hmmm - did I type that in where?

In SSLForFree.com I entered *.mydomain.com mydomain.com and pressed next. The screen displays *.mydomain.com, mydomain.com

For the OpenSSL CSR I typed

openssl req -new -newkey rsa:2048 -nodes -out mydomain_com.csr -keyout mydomain_com.key -subj "/C=us/ST=MyState/L=My City/O=My Company, LLC./OU=Information Technology/CN=*.mydomain.com/emailAddress=IT@MYDOMAIN.COM"

This may have something to do with:
Your CSR only covers the wildcard name (CN=*.mydomain.com).
And it does not include the SAN portion.

Hi @domdis,

As @rg305 said, you are not including all your domains in the CSR. You should use something like this:

openssl req -sha256 -nodes -new -newkey rsa:2048 -keyout mydomain_com.key -out mydomain_com.csr -outform pem -subj "/CN=*.mydomain.com" -reqexts SAN -config <(echo -e "[req]\ndistinguished_name=dn\n[dn]\n[SAN]\nsubjectAltName=DNS:*.mydomain.com,DNS:mydomain.com")

Once done:

cat mydomain_com.csr

and paste the output into the right field in sslforfree.com site.

Cheers,
sahsanu

1 Like
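The same thing as a reusable script, added here as an example that is not from the original thread or from sslforfree.com: it writes a temporary OpenSSL config with a SAN extension (the config-file route instead of the process-substitution trick), generates the key and CSR, and then reads the CN and SAN entries back out of the CSR so you can confirm they match the names you typed into the site before pasting. mydomain.com and the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): generate a CSR whose SAN covers both the
# wildcard and the apex name, then verify what ended up in the CSR.
# "mydomain.com" and the output file names are placeholders.
set -eu

# make_csr DOMAIN KEYFILE CSRFILE
# Writes a throwaway OpenSSL config that puts the wildcard in the CN and
# repeats it as the first SAN entry, followed by the apex name.
make_csr() {
    domain="$1"; key="$2"; csr="$3"
    cfg="$(mktemp)"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no

[dn]
CN = *.${domain}

[san]
subjectAltName = DNS:*.${domain}, DNS:${domain}
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# csr_cn CSRFILE: prints the CN of the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN=//p'
}

# csr_sans CSRFILE: prints the SAN DNS entries of the CSR, one per line,
# so they can be compared with the list the CA was asked to sign.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n1 | tr ',' '\n' | sed 's/^ *DNS://'
}

# Usage: ./make-csr.sh mydomain.com
# Produces mydomain.com.key and mydomain.com.csr and prints the names in the CSR.
if [ "$#" -eq 1 ]; then
    make_csr "$1" "$1.key" "$1.csr"
    echo "CN:  $(csr_cn "$1.csr")"
    echo "SAN:"; csr_sans "$1.csr"
    echo "Paste the contents of $1.csr into the CSR field:"
    cat "$1.csr"
fi
```

If the SAN list printed by `csr_sans` is not exactly the set of names you entered on the site (here `*.mydomain.com` and `mydomain.com`), the order will fail with the "different number of names" error above no matter what the CN says; the CA counts the SAN entries, not the subject fields.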

OK, I'm a NOOB. You say "And it does not include the SAN portion." I tried making a CSR with *.mydomain.com mydomain.com, and I do believe I tried making the CSR using a comma to separate the two: *.mydomain.com, mydomain.com

Neither worked

I asked SSLForFree; they say I did everything right, it's just that I hit a blacklist by Let's Encrypt which requires an exception for certain domains that they safeguard. Usually it is domains of large organizations like google.com, amazon.com, etc.

Any suggestion on how to create the CSR with both?

Using a comma to separate them isn't supported.

If that's the only reason Let's Encrypt wouldn't issue a certificate, it would return a different error message. ("Policy forbids issuing for name.")

OpenSSL doesn't have a simple interface for writing a subjectAltName extension, but the command @sahsanu posted will do it.

1 Like

I missed that post - let me try it. I was just looking up how to use a config file to do multiple subdomains, which would probably be the same as your command with the input redirection.

Hey, now this worked. I added /C=us/ST=MyState/L=My City/O=My Company LLC/OU=Information Technology/ to the subject line, but it worked.

Thank YOU!

1 Like

NOTE:
CN and SAN are two independent fields
The CN can only contain one FQDN (and it should/must).
The SAN should/must contain the CN as its first entry, followed by any additional FQDNs.

“should/must” depends on who, and when, you ask.
I always go with must and have not had any problems.

I'm glad it works but keep in mind that those added fields are ignored by Let's Encrypt.

Boulder returns the same error for malformed CSRs in some cases:

This can be pretty confusing. :cry:

2 Likes

I’ve opened an issue about that distinction:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.