Policy forbids issuing for name: aa.edu


#1

We are trying to issue a certificate to one of our customer sites that we host, aa.edu and www.aa.edu. It is a school website (as are all of our customer sites). We’re getting this error:

Error: urn:acme:error:rejectedIdentifier :: Policy forbids issuing for name

I believe that it is denied because aa.com is American Airlines so “aa” is a high value domain.

Can we get it unblocked?

the full domain name of your site (this will be made public upon issuance anyhow)
www.aa.edu and aa.edu

the command line you ran
sudo -H /opt/letsencrypt/certbot-auto certonly --webroot -w /efs/well-known/ -d $DOMAINNAME --quiet

the output of that command

g: 2017-02-08 22:00:24,921:DEBUG:acme.client:Received response:
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: HTTP 400
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Server: nginx
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Content-Type: application/problem+json
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Content-Length: 113
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Boulder-Request-Id: T4qfJhwoVCL_xICSbUnIc1rBT47kCjGvXF7TSAAZ4mU
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Boulder-Requester: 6226450
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Replay-Nonce: dqpzrO_kc42e6dDx1GU0qVN_HyUdTMmimBjDW_RqgfQ
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Expires: Wed, 08 Feb 2017 22:00:24 GMT
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Cache-Control: max-age=0, no-cache, no-store
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Pragma: no-cache
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Date: Wed, 08 Feb 2017 22:00:24 GMT
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: Connection: close
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: {
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: "type": "urn:acme:error:rejectedIdentifier",
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: "detail": "Policy forbids issuing for name",
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: "status": 400
Feb 08 17:00:24 ip-10-230-33-84 letsencrypt.log: }

name and version of your operating system and your web server
Nginx / Ubuntu 14.04

what type of hosting provider you are using, if applicable
Self Hosted


#2

Is this topic in the wrong place? Was hoping to get a reply so we can issue the cert.


#3

Sorry, I meant to ask @cpu to take a look.


#4

Hi @itdoug, apologies for missing this one! We’re talking about improving the intake for these issues so that we can hopefully make it less of a single-point-of-failure situation.

I kicked the process off to fix this error but the timing is a little bit unfortunate based on our deploy cycle. I’ll update this thread once I know more about when you can expect the problem to be resolved in production.

Thanks for your patience!


#5

Ok. Thanks for the update. We can wait. Just glad to hear it’s in motion.


#6

Wow, that’s odd. I don’t know much about how CAs filter things, but I don’t think it should have anything to do with https://aa.com since it’s an entirely different TLD. Either way, I’m interested in this topic as one of the schools I went to has a .edu website and Let’s Encrypt works perfectly.


#7

It probably does. Getting, I don’t know, aa.co or aa.net or aa.us would be very effective for a phishing campaign against AA. Going by past threads on this forum, Let’s Encrypt commonly blocks high-value names across most or all TLDs. Which results in awkward and silly situations like the one you’re in, but, well, phishing is really bad. :disappointed_relieved:


#8

I read another thread about the “high value domain” in the forums. It seems like it’s an extra protection against someone buying a very similar domain to other well known brands and getting a cert for their site.

A couple threads I found:


Could be easy to trick someone into entering sensitive data if your site and domain were super close. At least that’s what I suspect. Our site is a school website.
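As an added illustration (written for this thread, not Let’s Encrypt’s or Boulder’s code), a toy version of the label-based high-value-name policy that #7 and #8 describe: the blocked label is compared without its TLD, so aa.edu trips it exactly as aa.co or aa.net would, and the CA clears a specific customer by adding an exact-name exemption rather than unblocking the label everywhere. The block list, exemption set and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample data for this example; a real CA keeps its list private
# and its matching rules are not public.
HIGH_VALUE_LABELS = {"aa", "examplebank"}   # hypothetical blocked labels


@dataclass
class PolicyResult:
    allowed: bool
    error_type: Optional[str] = None   # ACME problem "type" when rejected
    detail: Optional[str] = None       # ACME problem "detail" when rejected


def registered_label(name: str) -> str:
    """Return the label just left of the TLD, e.g. 'aa' for 'www.aa.edu'.

    Simplification: treats only the last label as the public suffix; real
    code would consult the Public Suffix List (co.uk, etc.).
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable DNS name: {name!r}")
    return labels[-2]


def check_name(name: str, exempt: Iterable[str] = ()) -> PolicyResult:
    """Apply the toy policy: exact exemptions win, then the label block list."""
    name = name.lower().rstrip(".")
    # An exemption for 'aa.edu' also covers its subdomains (www.aa.edu),
    # but not 'aa' under any other TLD.
    for ok in exempt:
        ok = ok.lower().rstrip(".")
        if name == ok or name.endswith("." + ok):
            return PolicyResult(True)
    if registered_label(name) in HIGH_VALUE_LABELS:
        # Same problem document the certbot log in #1 shows.
        return PolicyResult(False, "urn:acme:error:rejectedIdentifier",
                            "Policy forbids issuing for name")
    return PolicyResult(True)


if __name__ == "__main__":
    for n in ("aa.edu", "www.aa.edu", "aa.co", "school.edu"):
        print(n, "before:", check_name(n).allowed,
              "after exemption:", check_name(n, {"aa.edu"}).allowed)
```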


#9

Hi again @itdoug,

You should be able to issue for aa.edu domains without error. Please let me know if you’re still having trouble.

Have a great day, thanks for waiting!


#10

It worked! Thanks! No worries about the wait.

Doug


#11

Thanks for confirming. I’m going to mark this thread closed now.

Take care,
