Hello! I have problems issuing certificates for third-level domains of qiwi.com. It looks like qiwi.com is on the high-risk domains list? Can you please help me obtain a certificate for investor.qiwi.com?
My domain is:
I ran this command:
./certbot-auto certonly --webroot -w /var/www/investor.qiwi.com/ -d investor.qiwi.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new authz :: Policy forbids issuing for name
Please see the logfiles in /var/log/letsencrypt for more details.
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
Thank you. So, I believe we would have to get a certificate from a different CA. It would be good to know if anyone knows the exact reason why a domain gets blacklisted. Does LE not issue certificates to any financial firms?
The linked thread goes into a lot of detail on this question, but I think the essence of it is that Let’s Encrypt is trying to protect high value targets (such as Qiwi) from being exposed to harm.
To illustrate with a more obvious example, it is also impossible to issue a certificate for paypal.com or microsoft.com, as they are also on the blacklist.
Often, names are blocked inadvertently. For example, if XYZ.com is a large bank, and XYZ.edu is a small college, Let’s Encrypt may have blocked XYZ.edu, but will probably unblock it if they ask.
But it sounds like qiwi.com is being blocked correctly – using my example, you are XYZ.com, not XYZ.edu.
Let’s Encrypt does have a process for whitelisting genuine high value domains. I’m not sure what it entails. Usually it’s discussed in private, not in public posts on this forum. Hmm… @jsha?