Policy forbids issuing for domain

marlon.rodrigues · June 13, 2016, 1:48pm

Hi,

 I'm using ZeroSSL to issue my certificate and I'm getting the following error message:
 "Error information: Error creating new cert :: policy forbids issuing for: http://digitalservices.ungerboeck.com/."

  Does that mean my domain is in the blacklist? Is there a way to check that? Or there is another problem?

Thanks for the support,

Marlon Rodrigues

pfg · June 13, 2016, 1:53pm

The error message strikes me as odd. Usually, it would only list the affected domain (i.e. digitalservices.ungerboeck.com), but it seems to be printing a full URL here.

Any chance this is happening because you’re requesting a certificate for an URL instead of the domain? Try entering digitalservices.ungerboeck.com instead of http://digitalservices.ungerboeck.com/ and see if that resolves the issue.

leader · June 13, 2016, 2:04pm

The message indeed seems strange. @pfg might be right - you need to use the domain name, without extras such as http://. But thanks for flagging the issue, URLs will stop being allowed to be entered shortly (Please note that for self-signed certs you can use URIs just fine).

marlon.rodrigues · June 13, 2016, 2:36pm

Thanks @pfg and @leader. That indeed was the issue. Once I inputted the domain correctly I was able to continue. Again, thanks for the support!

tialaramex · June 13, 2016, 4:30pm

This also looks like an opportunity to improve ZeroSSL and any other clients to help users more - if the user typed something that doesn’t seem like a domain name, ask them to make sure it’s really a domain name and not something else. e.g. if it has a colon in it, that can’t be a domain name, but it could be a URL, if it has an @-symbol that can’t be a domain name either but it could be an email address.

A really good way to improve the UX of software is to study situations where a real user doesn’t get what they wanted, and ask what your software could do to help them.

It makes sense to do this work in the clients (even though there are lots of those) not the ACME server because the ACME server is security critical, it should be as small and simple as possible while doing the job correctly, whereas clients are not so security critical, so if they want to have a whole sub-routine that spots URLs and says “Hey, did you mean this domain name instead?” that can’t worsen overall Let’s Encrypt security.

leader · June 13, 2016, 5:05pm

@tialaramex, some of that has been live as of about an hour ago In particular, URL-like strings should not be accepted. Hopefully that helps a bit in avoiding mistakes when entering domain names.

P.S. Trying to fix the string for the user by guessing what it should be is a bit error-prone in my view and doesn’t help for example against typos. Additionally, since multiple names can be entered, pestering the user with question popups might not be the best way to interact Regardless, I appreciate the feedback and the ideas!

system · July 13, 2016, 5:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.