Policy forbids issuing for name - 16/03/2017


#1

Hi,

We are trying to issue a certificate to one of our customer sites (chanel_meeting.devprium.com) and are getting the error “Policy forbids issuing for name”. Is this domain blocked? Is it possible to unblock it?

Here are the details of the problem :
the full domain name of your site : chanel_meeting.devprium.com
the command line you ran : letsencrypt-auto
the output of that command : Policy forbids issuing for name
name and version of your operating system and your web server : Ubuntu & Apache 2.4.7
what type of hosting provider you are using, if applicable : AWS

Thanks,


#2

Are you sure about what’s happening?

Anything with an underscore in it should be rejected with “Invalid character in DNS name”.

Whereas a name like “chanel-meeting.devprium.com” does not seem to be blacklisted for policy reasons.


#3

Thank you, I had made a typo in the name, there is no underscore nor dash in the domain name. I tried again and it worked! I still don’t know why I got the policy error though…


#4

Hi @alyssabiot,

I’m glad the problem was resolved.

I just looked into this and I’ll have to talk with some of my colleagues to understand why we don’t warn people earlier about this problem. Certbot does contain code to warn about this kind of thing, yet the code isn’t currently used. I’m not sure if that’s an oversight or a deliberate decision since perhaps the CA’s policy about acceptable names will change over time.


#5

The answer is that this is intentional because the CA policy could change, so we go ahead and try to request certain things in certs even if in theory we might be able to predict that they wouldn’t work. But we’re putting in a request to try to have the CA return a more useful error message in this kind of situation to explicitly say what the problem with the name was, where possible.
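
As an added example (not code from Certbot or from the CA), here is a pre-flight check for the kind of naming mistake discussed in this thread: it applies generic hostname syntax rules (letters, digits and hyphens in each label) before a name is submitted. The function name and messages are assumptions of this example, and it does not model the CA's issuance policy, which can change as noted above.

```python
import re

# LDH rule (RFC 952 / RFC 1123): letters, digits and hyphens only,
# with no hyphen at the start or end of a label.
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def hostname_problems(name):
    """Return a list of syntax problems; an empty list means well-formed.

    Generic hostname syntax only (hypothetical helper). Internationalized
    names must already be in their ASCII "xn--" form, and wildcard names
    are not handled.
    """
    fqdn = name.strip().lower()
    if fqdn.endswith("."):          # tolerate one trailing root dot
        fqdn = fqdn[:-1]
    if not fqdn:
        return ["empty name"]
    problems = []
    if len(fqdn) > 253:
        problems.append("name longer than 253 characters")
    labels = fqdn.split(".")
    if len(labels) < 2:
        problems.append("not a fully qualified name (needs at least two labels)")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > 63:
            problems.append("label %r longer than 63 characters" % label)
        elif not _LABEL_RE.fullmatch(label):
            bad = sorted(set(re.findall(r"[^a-z0-9-]", label)))
            if bad:
                problems.append("label %r contains invalid character(s): %s"
                                % (label, " ".join(bad)))
            else:
                problems.append("label %r starts or ends with a hyphen" % label)
    return problems


if __name__ == "__main__":
    # Names taken from the thread, plus one constructed bad name.
    for candidate in ("chanel_meeting.devprium.com",
                      "chanel-meeting.devprium.com",
                      "-bad.example.com"):
        issues = hostname_problems(candidate)
        print(candidate, "->", "; ".join(issues) if issues else "ok")
```
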

