My domain name blacklisted

Hi!

Request the exclusion of my domain from the SSL certificate issuance blacklist.

It’s a popular site, and it’s not blacklisted in Google.
How can I check why it’s blacklisted? I will not post the domain name publicly for privacy reasons.

1 Like

Hi @mayu,

The error message from the certificate authority should probably indicate more about the reason, although the most general case is "policy forbids issuing for name", in which case you can't really get any more information directly through the ACME protocol.

Some possibilities include

  • your name is in a top-level domain that Let's Encrypt doesn't know about yet (because it's so new)
  • you accidentally requested a certificate for a name that's not in a top-level domain
  • your domain name or the organization that owns it is on one of the U.S. Treasury's sanctions lists
  • your domain name is very similar to the name of certain financial institutions and similar sites, possibly in another country
  • your domain name is actually a subdomain of a major company's site (because you work for one of those companies)
  • your domain name is actually a subdomain of a major company's site (because you're using the hosting product of one of those companies, and didn't get your own separate domain name)

If you're confident that the name is blacklisted in error, you can contact security@letsencrypt.org and describe your situation. Note that this won't help in the 2nd, 3rd, and 6th cases I mentioned above.

2 Likes

If you're not sure, you could find out whether this could be the case by seeing if you fall into any of these categories

https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

2 Likes

Your answer is very easy to understand. Thank you very much, schoen.

I have additional questions.

Can anyone make inquiries to the certificate authority (security@letsencrypt.org)?
For example, is there any restriction that I can only do with a certified lawyer?

1 Like

There’s some further detail on what would be required in this post: The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

2 Likes

thanks _az!

my domain’s not ACME

That's good advice for some cases, but that might not be required depending on the exact reason for the blacklist. In particular, I think those were the recommended steps when the name you want to issue for is deliberately on the blacklist because Let's Encrypt thinks the domain owner wants it to be (like visa.com or google.com). In other situations, it might be possible to get removed in another way.

I think for my example reasons above, I would probably suggest

  1. Mention just the top-level domain here on the forum, in order to bring it to Let's Encrypt staff's attention.
  2. You'd need to use a different name or a non-publicly trusted CA.
  3. You'd need to use a different CA.
  4. Ask the security address about your particular situation.
  5. Ask your organization's leadership or management to make the request for you.
  6. You would probably need to use another CA, unless the hosting provider itself wants to reopen this issue with Let's Encrypt.

(I'm happy to accept corrections from Let's Encrypt staff about this!)

3 Likes

ACME is the name of the technology used by Let's Encrypt client applications to talk to the Let's Encrypt certificate authority. Everyone using Let's Encrypt is always using the ACME technology to request the issuance of the certificates; it's not a property of your particular domain.

3 Likes

Then there’s also a possibility that you just went against the rate limits and just need to wait.

Is the number 429 anywhere in your error message?

1 Like

or the words “excessive” or “abusive”?

1 Like
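
Added example, not part of any post in this thread and not Let's Encrypt code: a small triage helper that separates the "forbidden by policy" case from the rate-limit case discussed above, using the ACME error types defined in RFC 8555. The sample error documents and the name `blocked.example` are constructed, and the keyword fallback uses only the phrases quoted in this thread.

```python
import json
import re

ACME_NS = "urn:ietf:params:acme:error:"  # error namespace from RFC 8555

def classify_problem(doc):
    """Return (category, identifiers) for an ACME problem document (dict)."""
    # The top-level problem may carry per-identifier subproblems.
    problems = [doc] + list(doc.get("subproblems", []))
    names = [p["identifier"]["value"] for p in problems if "identifier" in p]
    types = {p.get("type", "") for p in problems}
    if doc.get("status") == 429 or ACME_NS + "rateLimited" in types:
        return "rate_limit", names   # waiting helps
    if ACME_NS + "rejectedIdentifier" in types:
        return "policy", names       # waiting does not help
    return "other", names

def classify_text(message):
    """Fallback when the client shows only the error text, not the JSON."""
    text = message.lower()
    if "policy" in text and "forbid" in text:
        return "policy"
    # Hints the thread asks about: the number 429, "excessive", "abusive".
    if re.search(r"\b429\b", text) or "excessive" in text or "abusive" in text:
        return "rate_limit"
    return "other"

# Constructed sample problem documents (not real CA output).
SAMPLE_POLICY = json.loads("""{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "policy forbids issuing for name",
  "status": 400,
  "subproblems": [{
    "type": "urn:ietf:params:acme:error:rejectedIdentifier",
    "detail": "policy forbids issuing for name",
    "identifier": {"type": "dns", "value": "blocked.example"}
  }]
}""")
SAMPLE_RATE = {"type": ACME_NS + "rateLimited",
               "detail": "too many requests", "status": 429}

if __name__ == "__main__":
    for sample in (SAMPLE_POLICY, SAMPLE_RATE):
        print(classify_problem(sample))
```

A `policy` result corresponds to the cases listed earlier in the thread; a `rate_limit` result means the request can simply be retried later.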
