Policy forbids issuing for name, but CAA is ok

rubinsh · March 16, 2018, 12:35pm

We’ve added Letsencrypt to CAA:

dig t.health.yandex.ru type257 +nocomments

; <<>> DiG 9.9.7-P3 <<>> t.health.yandex.ru type257 +nocomments
;; global options: +cmd
;t.health.yandex.ru. IN CAA
t.health.yandex.ru. 300 IN CAA 0 issuewild "letsencrypt.org"
t.health.yandex.ru. 300 IN CAA 0 issuewild "yandex.ru"
t.health.yandex.ru. 300 IN CAA 0 issue "globalsign.com"
t.health.yandex.ru. 300 IN CAA 0 issue "letsencrypt.org"
t.health.yandex.ru. 300 IN CAA 0 issue "yandex.ru"
t.health.yandex.ru. 300 IN CAA 0 issuewild “globalsign.com”

t.health.yandex.ru resolves to our IP, all ok.

When we try to issue domain for this subdomain, we get this error:

{
“type”: “urn:acme:error:rejectedIdentifier”,
“detail”: “Error creating new authz :: Policy forbids issuing for name”,
“status”: 400
}

Can you please check what is wrong?

Or it is because high-risk blacklisted domain? (yandex.ru)

cpu · March 16, 2018, 12:46pm

Hi @rubinsh,

Yes. The problem in this case isn't CAA policy, it's Let's Encrypt issuance policy.

Are you affiliated with yandex.ru? If so I can provide the information required to process a removal.

Thanks!

stevenzhu · March 16, 2018, 12:47pm

Hi,

in this case, the error message is meaning yandex.ru was blocked by security policies.

Please see the following link for more reference.
https://community.letsencrypt.org/search?q=policy%20forbi

Thank you

rubinsh · March 16, 2018, 1:05pm

Hi @cpu,

I’m affiliated with Variti LLC (variti.com), IP 185.165.123.206 which domain is pointed to belongs to us. Yandex already pointed this subdomain to our IP. Few days ago a new letsencrypt CAA record appeared for this subdomain.

t.health.yandex.ru is subdomain of our client for testing services under ddos protection.

If it is possible, we will be glad for removing this subdomain (only this = t.health.yandex.ru) from this list to allow to process cert request. If not, please write what we can do for this, we will forward this request to Yandex.

Thank you.

cpu · March 16, 2018, 1:27pm

Hi again @rubinsh,

Unfortunately we can only process removals for the base domain, not specific subdomains. I will DM you with the information required to pass on to Yandex.

Thanks! Apologies for the inconvenience

system · April 15, 2018, 1:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Policy forbids issuing for name. Where to read policy? Issuance Policy	10	2735	March 30, 2018
Denied by policy, but no policy Issuance Policy	11	1204	December 19, 2020
Unblock subdomain Issuance Policy	5	1971	June 23, 2017
How does let's encrypt decide which subdomains to forbid issuing new certificates for? Issuance Policy	4	855	November 27, 2022
CAA & certificate issuance problem with a previously working setup Help	5	717	July 6, 2024

Policy forbids issuing for name, but CAA is ok

Related topics