Policy forbids issuing for name - beta.rbc.org

t0mm0r · May 27, 2016, 1:32pm

I am trying to request a certificate for my organization that owns the domain name rbc.org. We host several beta versions of our sites using sub-domains of beta.rbc.org but everytime I try to request anything for rbc.org it gives me the following error: Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Policy forbids issuing for name We also own the domain ourdailybread.org and I was able to request a certificate for beta.ourdailybread.org without any issues. Below is the log output:

    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 197, in request_challenges
    new_authz)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 652, in post
    return self._check_response(response, content_type=content_type)
  File "/home/twilson/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 568, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Policy forbids issuing for name```

danb35 · May 27, 2016, 1:46pm

RBC sounds like a bank, and the first thing that comes up when I Google RBC is the Royal Bank of Canada. I’d therefore guess that rbc.* is on the “high risk domains list”, prohibiting issuance. Hopefully someone can chime in with a more definitive answer, and if there’s a way to work around it.

t0mm0r · May 27, 2016, 1:50pm

Yeah I was kind of wondering if that was it.

pfg · May 27, 2016, 1:52pm

Your domain matches a list of high-profile phishing targets, most likely due to it’s similarity to rbc.com (Royal Bank of Canada). CAs are obliged to maintain such a list and use additional verification mechanisms when verifying domain ownership for such domains. That usually comes down to manual verification, which wouldn’t work in the case of Let’s Encrypt due to its automated nature, so domains on this list are essentially prohibited from requesting certificates.

The list does occasionally get amended based on user feedback, but I’m not sure if that would be appropriate here.

system · June 26, 2016, 1:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.