Policy forbids issuing for..Status 400

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: testintuitships-umms.com, www.testintuitships-umms.com

I ran this command: Tried to download certificate

It produced this output: Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “testintuitships-umms.com www.testintuitships-umms.com””, “status”: 400 }

My web server is (include version): APACHE

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): using SSH

That error message suggests that you created a CSR (certificate request) which had testintuitships-umms.com www.testintuitships-umms.com as a single identifier, whereas you need to split up those identifiers as separate subjectAltNames.

How did you generate it? Try this URL: https://www.sslforfree.com/create?domains=testintuitships-umms.com+www.testintuitships-umms.com

If you chose the “I have my own CSR” option on the above link, it can be a tricky matter to generate a CSR for multiple domains properly. See this article that shows one way to do it, or:

#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "\n[SAN]\nsubjectAltName=DNS:testintuitships-umms.com,DNS:www.testintuitships-umms.com"))

I’ll bet there’s also an issue with the string intuit being part of the domain name–they’re the makers of Quicken and Turbotax, very popular financial and tax software in the US.

1 Like

Thanks @_az for response.
I created CSR request usng AWS’s ACM - Create CSR UI. In that there is one field CN to enter domain. Not sure how t enter domain and its alias so I enter using space. I did with “,” also but same result. I retied without alias also but then it says information not matching.

Do they have another field for subject alternative names (SANs)? Perhaps that's where multiple names need to go, since the CN can only be a single name but the SANs can be a large number of names (up to 100 according to Let's Encrypt policy).

There should be a field for one domain and then an “Add another name to this certificate” button to add more. At least, this is how ACM works when requesting a certificate from the Amazon CA; I’d be surprised if they left it off a nearby CSR request screen.

these are the fields in ACM of AWS for Create CSR:

Organization (O)*
Organization Unit (OU)*
Country name ©*
State or province name*
Locality name*
City. Max length of 128 characters.
Common Name (CN)*

There is NO SANs and Add more for CN.

Lame. I would suggest filing a ticket with Amazon suggesting they add Subject Alternative Name support to this form.

In the meantime, you will have to use another method of generating the CSR, like the command line @_az mentioned upthread, or the free DigiCert certiticate utility for Windows if you prefer a GUI method. Then you can request your certificate with that CSR and import your certificate and private key into ACM instead of using their CSR flow.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.