Policy forbids issuing for name - beta.rbc.org

Issuance Policy
1

I am trying to request a certificate for my organization that owns the domain name rbc.org. We host several beta versions of our sites using sub-domains of beta.rbc.org but everytime I try to request anything for rbc.org it gives me the following error: Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Policy forbids issuing for name We also own the domain ourdailybread.org and I was able to request a certificate for beta.ourdailybread.org without any issues. Below is the log output:

    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 197, in request_challenges
    new_authz)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 652, in post
    return self._check_response(response, content_type=content_type)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 568, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Policy forbids issuing for name```
2

RBC sounds like a bank, and the first thing that comes up when I Google RBC is the Royal Bank of Canada. I’d therefore guess that rbc.* is on the “high risk domains list”, prohibiting issuance. Hopefully someone can chime in with a more definitive answer, and if there’s a way to work around it.

1 Like
3

Yeah I was kind of wondering if that was it.

4

Your domain matches a list of high-profile phishing targets, most likely due to it’s similarity to rbc.com (Royal Bank of Canada). CAs are obliged to maintain such a list and use additional verification mechanisms when verifying domain ownership for such domains. That usually comes down to manual verification, which wouldn’t work in the case of Let’s Encrypt due to its automated nature, so domains on this list are essentially prohibited from requesting certificates.

The list does occasionally get amended based on user feedback, but I’m not sure if that would be appropriate here.

1 Like
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.