We are trying to issue a certificate to one of our customer sites that we host, aa.edu and www.aa.edu. It is a school website (as are all of our customer sites). We’re getting this error:
Error: urn:acme:error:rejectedIdentifier :: Policy forbids issuing for name
I believe that it is denied because aa.com is American Airlines so “aa” is a high value domain.
Can we get it unblocked?
the full domain name of your site (this will be made public upon issuance anyhow) www.aa.edu and aa.edu
the command line you ran
sudo -H /opt/letsencrypt/certbot-auto certonly --webroot -w /efs/well-known/ -d $DOMAINNAME --quiet
the output of that command
g: 2017-02-08 22:00:24,921:DEBUG:acme.client:Received response:
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: HTTP 400
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Server: nginx
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Content-Type: application/problem+json
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Content-Length: 113
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Boulder-Request-Id: T4qfJhwoVCL_xICSbUnIc1rBT47kCjGvXF7TSAAZ4mU
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Boulder-Requester: 6226450
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Replay-Nonce: dqpzrO_kc42e6dDx1GU0qVN_HyUdTMmimBjDW_RqgfQ
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Expires: Wed, 08 Feb 2017 22:00:24 GMT
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Cache-Control: max-age=0, no-cache, no-store
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Pragma: no-cache
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Date: Wed, 08 Feb 2017 22:00:24 GMT
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Connection: close
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: {
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: "type": "urn:acme:error:rejectedIdentifier",
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: "detail": "Policy forbids issuing for name",
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: “status”: 400
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: }
name and version of your operating system and your web server
Nginx / Ubuntu 14.04
what type of hosting provider you are using, if applicable
Self Hosted
Hi @itdoug, apologies for missing this one! We're talking about improving the intake for these issues so that we can hopefully make it less of a single-point-of-failure situation.
I kicked the process off to fix this error but the timing is a little bit unfortunate based on our deploy cycle. I'll update this thread once I know more about when you can expect the problem to be resolved in production.
Wow, that’s odd. I don’t know much about how CAs filter things, but I don’t think it should have anything to do with https://aa.com since it’s an entirely different TLD. Either way, I’m interested in this topic as one of the schools I went to has a .edu website and Let’s Encrypt works perfectly.
It probably does. Getting, I don't know, aa.co or aa.net or aa.us would be very effective for a phishing campaign against AA. Going by past threads on this forum, Let's Encrypt commonly blocks high-value names across most or all TLDs. Which results in awkward and silly situations like the one you're in, but, well, phishing is really bad.
I read another thread about the "high value domain" in the forums. It seems like it's an extra protection against someone buying a very similar domain to other well known brands and getting a cert for their site.
A couple threads I found:
Could be easy to trick someone into entering sensitive data if your site and domain were super close. At least that's what I suspect. Our site is a school website.
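The two points this thread makes, that the CA refuses a high-value label in any TLD and that the refusal comes back as an ACME problem document, can be handled in issuance automation so a client neither retries a policy refusal nor discovers it only at request time. The following is an added example, not code from the thread or from certbot; the high-value label list is constructed for illustration (the CA's real list is not published), and the sample response is the one from the log above with straight quotes.

```python
import json

# Constructed stand-in for the CA's undisclosed high-value list; "aa" is here
# only because this thread shows aa.edu being refused.
HIGH_VALUE_LABELS = {"aa", "paypal", "google"}

# ACME error types that reflect CA policy rather than a transient failure,
# so a client should stop and escalate instead of retrying.
NON_RETRYABLE = {"urn:acme:error:rejectedIdentifier"}

# Problem document as logged in the thread (constructed copy with plain quotes).
SAMPLE_PROBLEM = """{
  "type": "urn:acme:error:rejectedIdentifier",
  "detail": "Policy forbids issuing for name",
  "status": 400
}"""


def registrable_label(hostname: str) -> str:
    """Label left of the TLD, assuming a single-label public suffix:
    aa.edu -> aa, www.aa.edu -> aa. Suffixes like co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable hostname: {hostname!r}")
    return labels[-2]


def likely_policy_blocked(hostname: str) -> bool:
    """Pre-flight check mirroring the policy described in the thread: the
    label is matched regardless of TLD, so aa.edu, aa.net and aa.us all hit."""
    return registrable_label(hostname) in HIGH_VALUE_LABELS


def parse_acme_problem(body: str) -> dict:
    """Parse an application/problem+json body and classify whether a retry
    could ever succeed. Unknown types are treated as retryable so a genuinely
    transient failure is not silently abandoned."""
    problem = json.loads(body)
    err_type = problem.get("type", "")
    return {
        "type": err_type,
        "status": problem.get("status"),
        "detail": problem.get("detail", ""),
        "retryable": err_type not in NON_RETRYABLE,
    }


if __name__ == "__main__":
    for name in ("www.aa.edu", "aa.edu", "school.example.edu"):
        print(name, "pre-flight blocked:", likely_policy_blocked(name))
    print(parse_acme_problem(SAMPLE_PROBLEM))
```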