Policy forbids issuing for name. Where to read policy?


We are thinking of using letsencrypt certificates for our test/dev environments. But requesting certificates for subdomains of our domain returns the error “Error creating new authz :: Policy forbids issuing for name”.

From what I have read, this domain is most probably blacklisted as a high-risk domain. Is the blacklist absolute, or can you remove our domain on request? Or, even better, allow issuance for subdomains which specifically allow letsencrypt with CAA records?

@cpu should be able to help

Where to read policy?

We do not presently make the list of high-value domain names blocked by the issuance policy public. I don’t expect this will change in the short term.


I need to know the policy about these domains, not the list of them. Are there cases when letsencrypt will allow issuing for one of these domains under some conditions?

Yes, though I'm not sure of the details. You would have to discuss it with them.

What's the exact domain and error? It could be happening for another reason.

Domain is mail.ru, error is "type": "urn:acme:error:rejectedIdentifier", "detail": "Error creating new authz :: Policy forbids issuing for name".

Are you sure you own the domain name mail.ru? A quick check on the domain name reveals that DigiCert already issued a certificate for it.

Yep) Read the first message, we want to use letsencrypt for dev/test subdomains.

Oops! Sorry for not reading the question carefully :frowning:
In this case I guess the block is most likely caused by the high popularity of the domain name then.
Your best bet would be to talk to the team then, but I have no idea where you can get in touch with them…

@schoen will pull the correct person into this thread when he sees it, I am sure.

Hi @bazuchan,

I will direct message you the steps required to process a request on behalf of mail.ru to remove the name from our policy blocklist.

