Policy forbids issuing for name, but CAA is ok


#1

My domain is: t.health.yandex.ru

We’ve added Letsencrypt to CAA:

dig t.health.yandex.ru type257 +nocomments

; <<>> DiG 9.9.7-P3 <<>> t.health.yandex.ru type257 +nocomments
;; global options: +cmd
;t.health.yandex.ru. IN CAA
t.health.yandex.ru. 300 IN CAA 0 issuewild "letsencrypt.org"
t.health.yandex.ru. 300 IN CAA 0 issuewild "yandex.ru"
t.health.yandex.ru. 300 IN CAA 0 issue "globalsign.com"
t.health.yandex.ru. 300 IN CAA 0 issue "letsencrypt.org"
t.health.yandex.ru. 300 IN CAA 0 issue "yandex.ru"
t.health.yandex.ru. 300 IN CAA 0 issuewild "globalsign.com"

t.health.yandex.ru resolves to our IP, all ok.

When we try to issue a certificate for this subdomain, we get this error:

{
"type": "urn:acme:error:rejectedIdentifier",
"detail": "Error creating new authz :: Policy forbids issuing for name",
"status": 400
}

Can you please check what is wrong?

Or is it because yandex.ru is a high-risk blacklisted domain?
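The thread separates two different checks: the CAA lookup (which passes here) and Let's Encrypt's own issuance policy (which produces the rejectedIdentifier error). The following added example, not code from the original post or from Let's Encrypt, evaluates CAA the way RFC 8659 describes, climbing from the requested name to the nearest ancestor that has CAA records and honouring issue vs. issuewild, over the records from the dig output above embedded as constructed, offline input. It shows that CAA alone would permit letsencrypt.org for this name, so the error must come from the separate policy check.

```python
# Added example: RFC 8659 CAA evaluation over constructed zone data.
# No DNS queries are made; the records mirror the dig output in the post.
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data keyed by owner name.
CONSTRUCTED_CAA: Dict[str, List[CaaRecord]] = {
    "t.health.yandex.ru": [
        (0, "issuewild", "letsencrypt.org"),
        (0, "issuewild", "yandex.ru"),
        (0, "issue", "globalsign.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "yandex.ru"),
        (0, "issuewild", "globalsign.com"),
    ],
    # A zone that forbids every CA with the empty issuer "issue ;".
    "locked.example": [(0, "issue", ";")],
}


def relevant_caa_set(name: str, zone: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """Return the CAA set governing `name`: the records at the nearest
    ancestor (starting with `name` itself) that has any, per RFC 8659 section 3."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def ca_permitted(name: str, ca_domain: str, zone: Dict[str, List[CaaRecord]]) -> bool:
    """True if CAA allows `ca_domain` to issue for `name` (wildcard names start with '*.')."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    records = relevant_caa_set(base, zone)
    if not records:
        return True  # no CAA record anywhere in the chain: any CA may issue
    wanted = "issuewild" if wildcard else "issue"
    # The issuer domain is the value before any ';' parameters; "issue ;" yields "".
    tagged = [(tag, value.split(";")[0].strip().lower()) for _, tag, value in records]
    if wildcard and not any(tag == "issuewild" for tag, _ in tagged):
        wanted = "issue"  # no issuewild records: issue records govern wildcards too
    allowed = {value for tag, value in tagged if tag == wanted}
    return ca_domain.lower() in allowed  # empty issuer "" never matches a real CA


if __name__ == "__main__":
    print(ca_permitted("t.health.yandex.ru", "letsencrypt.org", CONSTRUCTED_CAA))
```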


#2

Hi @rubinsh,

Yes. The problem in this case isn’t CAA policy, it’s Let’s Encrypt issuance policy.

Are you affiliated with yandex.ru? If so I can provide the information required to process a removal.

Thanks!


#3

Hi,

In this case, the error message means that yandex.ru was blocked by security policies.

Please see the following link for more reference.
https://community.letsencrypt.org/search?q=policy%20forbi

Thank you


#4

Hi @cpu,

I’m affiliated with Variti LLC (variti.com); the IP 185.165.123.206 that the domain points to belongs to us. Yandex already pointed this subdomain to our IP. A few days ago a new letsencrypt CAA record appeared for this subdomain.

t.health.yandex.ru is a subdomain of our client, used for testing services under DDoS protection.

If it is possible, we would be glad if this subdomain (only this one: t.health.yandex.ru) could be removed from the list so the cert request can be processed. If not, please tell us what we can do about it, and we will forward this request to Yandex.

Thank you.


#5

Hi again @rubinsh,

Unfortunately we can only process removals for the base domain, not specific subdomains. I will DM you with the information required to pass on to Yandex.

Thanks! Apologies for the inconvenience.
