Policy forbids issuing for name. investor.qiwi.com

Hello! I have problems with issuing certificates on 3-rd level domains of qiwi.com. Looks like qiwi.com is in high risk domains list? Can you please help me to obtain certificate for investor.qiwi.com?

My domain is:


I ran this command:
./certbot-auto certonly --webroot -w /var/www/investor.qiwi.com/ -d investor.qiwi.com
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new authz :: Policy forbids issuing for name
Please see the logfiles in /var/log/letsencrypt for more details.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi,

Please check this page for more information about the blacklisted site.

In this case your domain is blacklisted due to your website type.

Is it ? @josh

Thank you

@stevenzhu, thanks for your reply!
Yes, qiwi.com goes by description for financial/bank.
Is there still way to obtain certificate from LE?

Hi, @slezhuk

Unfortunately, I don't think so.

Please refer to the response in below post:

Try for a comodo ssl might help? (Some of them are only $5,$6 per year)

Thank you

Thank you, so, I believe we would have to get a certificate from a different CA. It would be good to know if we know the exact reason when a domain gets blacklisted. Does LE does not issue certificate to any financial firms?

The linked thread goes into a lot of detail on this question, but I think the essence of it is that Let’s Encrypt is trying to protect high value targets (such as Qiwi) from being exposed to harm.

To illustrate with a more obvious example, it is also impossible to issue a certificate for paypal.com or microsoft.com, as they are also on the blacklist.

Often, names are blocked inadvertantly. For example, if XYZ.com is a large bank, and XYZ.edu is a small college, Let’s Encrypt may have blocked XYZ.edu, but will probably unblock it if they ask.

But it sounds like qiwi.com is being blocked correctly – using my example, you are XYZ.com, not XYZ.edu.

Let’s Encrypt does have a process for whitelisting genuine high value domains. I’m not sure what it entails. Usually it’s discussed in private, not in public posts on this forum. Hmm… @jsha?

FYI, we did a pass through our list a few months ago and removed the majority of these TLD variants, so this case should be quite rare now.

@slezhuk, I'll PM you with instructions to get in touch.

2 Likes

Thanks for your replies, everyone. Now situation is clear for me.

Thank you @jsha and @mnordhoff. The explanation is clear now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.