According to this old post issuance of LE certificates to .SY domains stopped in 2015: Certificates for US sanctioned countries
Does this still apply even after lifting the sanctions effectively on 01.07.2025?
See: Syria Sanctions - Inactive and Archived | Office of Foreign Assets Control.
I appreciate an official reply or insight into this matter, as I have just tried to request a cert. and it failed due to the blacklist.
I had thought that the restrictions were to domains owned by specific sanctioned entities, not to a TLD as a whole. I certainly could be wrong, though. Can you provide the exact error message you got?
[Tue Aug 26 05:54:37 EDT 2025] code='400'
[Tue Aug 26 05:54:37 EDT 2025] original='{"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is disallowed [sammy.sy]"}'
[Tue Aug 26 05:54:37 EDT 2025] response='{"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is disallowed [sammy.sy]"}'
[Tue Aug 26 05:54:37 EDT 2025] Le_LinkOrder
[Tue Aug 26 05:54:37 EDT 2025] Le_OrderFinalize
[Tue Aug 26 05:54:37 EDT 2025] Error creating new order. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is disallowed [sammy.sy]"}
Argh, acme.sh script was using ZeroSSL by default. Silly me, I didn't notice this.
I will switch to LE and try again.
It works!
I was able to fetch multiple single domain certs. and a wildcard cert. for the .SY domain.
Since the Syrian TLD-authority don't have an API to update the records through, I am unable to automatically refresh the certificates. Since the client have cPanel on the host I updated the NS records to point to the hosting provider's (Namecheap) then used --dns dns_cpanel and was able to get the certs. 
The .sy register zone should only be updated if you change nameservers or dnssec keys. All other records are on another provider, that you can usually change at will (right now it looks like it's namecheap, I don't remember if they offer APIs)
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.