Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output: Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “testintuitships-umms.comwww.testintuitships-umms.com””, “status”: 400 }
My web server is (include version): APACHE
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): using SSH
That error message suggests that you created a CSR (certificate request) which had testintuitships-umms.com www.testintuitships-umms.com as a single identifier, whereas you need to split up those identifiers as separate subjectAltNames.
If you chose the “I have my own CSR” option on the above link, it can be a tricky matter to generate a CSR for multiple domains properly. See this article that shows one way to do it, or:
```bash
# Change "/etc/ssl/openssl.cnf" as needed:
#   Debian: /etc/ssl/openssl.cnf
#   RHEL and CentOS: /etc/pki/tls/openssl.cnf
#   Mac OSX: /System/Library/OpenSSL/openssl.cnf
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "\n[SAN]\nsubjectAltName=DNS:testintuitships-umms.com,DNS:www.testintuitships-umms.com"))
```
I’ll bet there’s also an issue with the string intuit being part of the domain name: they’re the makers of Quicken and TurboTax, very popular financial and tax software in the US.
Thanks @_az for the response.
I created the CSR request using AWS’s ACM - Create CSR UI. In that there is one field, CN, to enter the domain. Not sure how to enter the domain and its alias, so I entered them using a space. I did it with “,” also but got the same result. I retried without the alias also, but then it says information not matching.
Do they have another field for subject alternative names (SANs)? Perhaps that's where multiple names need to go, since the CN can only be a single name but the SANs can be a large number of names (up to 100 according to Let's Encrypt policy).
There should be a field for one domain and then an “Add another name to this certificate” button to add more. At least, this is how ACM works when requesting a certificate from the Amazon CA; I’d be surprised if they left it off a nearby CSR request screen.
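A pre-submission check for the mistake diagnosed in this thread, as an added example that is not part of the original posts: it flags a CN or SAN value that holds several names joined by a space or comma, and builds the `[SAN]` section used in the `openssl req` command above. The function names and the validation rules (letter/digit/hyphen labels, 63- and 253-character limits) are this example's own assumptions; the 100-name cap is the figure quoted in the thread.

```python
import re

MAX_NAMES = 100  # per-certificate name limit quoted in the thread
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
SEPARATORS = re.compile(r"[\s,;]+")


def split_names(raw):
    """Split free-form input ("a.com www.a.com" or "a.com,www.a.com") into names."""
    return [n.lower().rstrip(".") for n in SEPARATORS.split(raw.strip()) if n]


def check_identifier(name):
    """Return a list of problems with one would-be dNSName identifier."""
    name = name.lower()
    if SEPARATORS.search(name):
        # The case from the thread: two names typed into a single CN field.
        return ["contains a separator: several names merged into one identifier"]
    problems = []
    if len(name) > 253:
        problems.append("longer than 253 characters")
    labels = name.split(".")
    if labels[0] == "*":  # a wildcard is allowed only as the leftmost label
        labels = labels[1:]
    if len(labels) < 2:
        problems.append("not a fully qualified domain name")
    problems += [f"invalid label {l!r}" for l in labels if not LABEL.fullmatch(l)]
    return problems


def san_section(raw, section="SAN"):
    """Build the OpenSSL config section for the names in `raw`, or raise ValueError."""
    names = list(dict.fromkeys(split_names(raw)))  # de-duplicate, keep order
    if not names:
        raise ValueError("no names given")
    if len(names) > MAX_NAMES:
        raise ValueError(f"{len(names)} names exceeds the limit of {MAX_NAMES}")
    for n in names:
        problems = check_identifier(n)
        if problems:
            raise ValueError(f"{n}: {'; '.join(problems)}")
    return f"[{section}]\nsubjectAltName=" + ",".join("DNS:" + n for n in names) + "\n"


if __name__ == "__main__":
    cn_field = "testintuitships-umms.com www.testintuitships-umms.com"  # as typed in the thread
    print(check_identifier(cn_field))  # the merged value is rejected as one identifier
    print(san_section(cn_field))       # the same input, split into separate SAN entries
```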