Policy Forbids issuing name compras.adp.com.pe


#1

Hi everyone,
I’m clashing with a policy that forbids generating a certificate for the domain named in the subject, which may go together with compras.adp.itbid.org

Is there a way to get rid of it?

Thank you very much
Xavier


#2

Based on the error message: Let’s Encrypt has policies in place to avoid issuing automatically (and thus, at all, since they don’t do manual issuance of end entity certificates) for “high value” subjects. This policy has decided that your names are “high value”. If you are aware you work for a high value organisation (e.g. a bank, or a famous Internet brand) then unfortunately you may not be able to use Let’s Encrypt.

On the other hand it might just be a coincidence, like maybe the names you asked for are too similar to the name of a big Chinese news site or a Spanish bank or something (these are random examples, I have no idea). If it’s just a coincidence the Let’s Encrypt team will often be able to exempt your names. This process is not instant, but if you can afford to wait a week or three you’ll be fine. Here is an example where a name was similar to that of a German bank:


#3

Thank you very much @tialaramex.

How can I report my issue to Let’s Encrypt staff?

Cheers


#4

Can you give the exact error you are getting, please?

You give 2 domains here, compras.adp.com.pe and compras.adp.itbid.org; hopefully the exact errors you are seeing will confirm where the issue is.


#5

I’m only getting an error when I try to issue a certificate for compras.adp.com.pe

This is the error that appeared on the console:

An unexpected error occurred:
Policy forbids issuing for name
Please see the logfiles in /var/log/letsencrypt for more details.

This is the command used:

# certbot certonly --webroot -w /var/www/adp/public -d compras.adp.com.pe

And finally this is the log registered:

2017-02-07 09:19:04,373:DEBUG:certbot.main:Root logging level set at 30
2017-02-07 09:19:04,373:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-02-07 09:19:04,373:DEBUG:certbot.main:certbot version: 0.8.1
2017-02-07 09:19:04,374:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/adp/public', '-d', 'compras.adp.com.pe']
2017-02-07 09:19:04,374:DEBUG:certbot.main:Discovered plugins:
PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-02-07 09:19:04,380:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-02-07 09:19:04,381:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x1ea5950>
Prep: True
2017-02-07 09:19:04,381:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x1ea5950> and installer None
2017-02-07 09:19:06,430:DEBUG:certbot.main:Picked account <Account({banned account id})>
2017-02-07 09:19:06,437:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-02-07 09:19:06,447:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-07 09:19:06,727:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-02-07 09:19:06,727:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-02-07 09:19:06,728:DEBUG:root:Received <Response [200]>. Headers: {'content-length': '352', 'strict-transport-security': 'max-age=604800', 'boulder-request-id': 'YOVT3_kQ_-1smo_W_x0g0ddWD0yd-Uu7FTqXtaHoKpA', 'expires': 'Tue, 07 Feb 2017 09:19:06 GMT', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Tue, 07 Feb 2017 09:19:06 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': '72GeQSUzAu_iXjm_5oaMt6txL0f-bIu3alvKcbNjG7M'}. Content: '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-02-07 09:19:06,728:DEBUG:acme.client:Received response <Response [200]> (headers: {'content-length': '352', 'strict-transport-security': 'max-age=604800', 'boulder-request-id': 'YOVT3_kQ_-1smo_W_x0g0ddWD0yd-Uu7FTqXtaHoKpA', 'expires': 'Tue, 07 Feb 2017 09:19:06 GMT', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Tue, 07 Feb 2017 09:19:06 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': '72GeQSUzAu_iXjm_5oaMt6txL0f-bIu3alvKcbNjG7M'}): '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-02-07 09:19:06,761:DEBUG:root:Requesting fresh nonce
2017-02-07 09:19:06,761:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-02-07 09:19:06,952:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-02-07 09:19:06,953:DEBUG:root:Received <Response [405]>. Headers: {'content-length': '91', 'allow': 'POST', 'boulder-request-id': '6WkoxKr8toLeiyWPyEYXqCPX-JmHBZR_VCrccK0dtIc', 'expires': 'Tue, 07 Feb 2017 09:19:06 GMT', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Tue, 07 Feb 2017 09:19:06 GMT', 'content-type': 'application/problem+json', 'replay-nonce': 'EqQSQwtjw1GRydfVX-m8edQU6N7OCXCuxD-UAwWrnQg'}. Content: ''
2017-02-07 09:19:06,953:DEBUG:acme.client:Storing nonce: '\x12\xa4\x12C\x0bc\xc3Q\x91\xc9\xd7\xd5_\xe9\xbcy\xd4\x14\xe8\xde\xce\tp\xae\xc4?\x94\x03\x05\xab\x9d\x08'
2017-02-07 09:19:06,954:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, combinations=None, status=None
2017-02-07 09:19:06,954:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "compras.adp.com.pe"}, "resource": "new-authz"}
2017-02-07 09:19:06,955:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2017-02-07 09:19:07,011:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, x5u=None, typ=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None
2017-02-07 09:19:07,011:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), nonce=None, x5u=None, typ=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None
2017-02-07 09:19:07,012:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "wKr-UQ1PgE3n3lIyRzDvFIbyHifl0Tm26RM-SMXNVo_jbzx6n5xWMJxJuuzRb9PPQ5c3nMEbuEVeomRSK0MOGekAS12UfKekU4XSxS9ys8kWZvFfES93MsgSVMO-tObs0MTId5MmfbCRMTbKoWXvNSTOxZhpubrKaHT4xJHw3IfTVzHAvkNFbCwLDRS1lcxoXSzu2E3Ua_S2dPYq5WmjlnTb-_WtuFa0K5-5RWWRq3iQAJM1Jz5QkDMFi4QWoyJpQ9xtAfzceSZvCeZFyzRworM1zLSVk-5y7IudrZCpjFHh7lLuOx2RhqAghP_sqkuoQoW029HLi1V276G3efG1Mw"}}, "protected": "{****BANNED BY POST AUTHOR****}", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJjb21wcmFzLmFkcC5jb20ucGUifSwgInJlc291cmNlIjogIm5ldy1hdXRoeiJ9", "signature": "rNIQZyBsN58JblFV8Cx407dSLJod73L_XGwpCA7HjxVTLOo5VVtXSAVfM7VM07B2ntYLBR_ukxWLuLJKPEJk4B-T2j24ZSl-s5RsO9HW_LmUSNhfhM1sFVAXY_96j0VAhS1vzYn6GK_wHWigRpEkzWiiphMiiuNUywMEayVqgv3LFz8YVuZQ_J-Iho_uOWLirC47yNPy01EaLtZsunPHPq6d55svRXlxDnAjU5d1WdHx7s6VC2MYyNUD65n9pzu5WV6pOHxgwG3enUaMg4iEcx91okJJN12YUdTnfUXiisWgH0YbRV2OeaJ8EBptapwS5aJm64EmmGEx4hG8jgbFPg"}'}
2017-02-07 09:19:07,213:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 400 113
2017-02-07 09:19:07,215:DEBUG:root:Received <Response [400]>. Headers: {'content-length': '113', 'boulder-request-id': 'EfdWX0n9MHQF1l6aTTMKPIUOLCATtmH72aa2nUaLknA', 'boulder-requester': '5346297', 'expires': 'Tue, 07 Feb 2017 09:19:07 GMT', 'server': 'nginx', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Tue, 07 Feb 2017 09:19:07 GMT', 'content-type': 'application/problem+json', 'replay-nonce': 'Pcm1wFT-EQ4Yeeu3XHJQDiucIITa4yrYeep5hK9-PtI'}. Content: '{\n  "type": "urn:acme:error:rejectedIdentifier",\n  "detail": "Policy forbids issuing for name",\n  "status": 400\n}'
2017-02-07 09:19:07,216:DEBUG:acme.client:Storing nonce: '=\xc9\xb5\xc0T\xfe\x11\x0e\x18y\xeb\xb7\\rP\x0e+\x9c \x84\xda\xe3*\xd8y\xeay\x84\xaf~>\xd2'
2017-02-07 09:19:07,216:DEBUG:acme.client:Received response <Response [400]> (headers: {'content-length': '113', 'boulder-request-id': 'EfdWX0n9MHQF1l6aTTMKPIUOLCATtmH72aa2nUaLknA', 'boulder-requester': '5346297', 'expires': 'Tue, 07 Feb 2017 09:19:07 GMT', 'server': 'nginx', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Tue, 07 Feb 2017 09:19:07 GMT', 'content-type': 'application/problem+json', 'replay-nonce': 'Pcm1wFT-EQ4Yeeu3XHJQDiucIITa4yrYeep5hK9-PtI'}): '{\n  "type": "urn:acme:error:rejectedIdentifier",\n  "detail": "Policy forbids issuing for name",\n  "status": 400\n}'
2017-02-07 09:19:07,218:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.8.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 64, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 217, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 197, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 656, in post
    return self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 572, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rejectedIdentifier :: Policy forbids issuing for name

As far as I can see, certbot is getting an error response with the following content:

{
  "type": "urn:acme:error:rejectedIdentifier",
  "detail": "Policy forbids issuing for name",
  "status": 400
}

Thanks a lot for your dedication
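As an added example (not code from this thread or from certbot), here is a small Python log-triage helper that walks a certbot debug log like the one above, pairs each ACME problem document with the identifier requested in the preceding new-authz call (the "Policy forbids issuing for name" detail itself does not name the domain, which matters when several -d names are requested), and maps the error type to what it means for the operator. The sample log lines are constructed from the post's log with headers trimmed; the MEANING table is my own summary, not CA documentation.

```python
import json
import re

# Constructed sample, modelled on the certbot 0.8.1 debug log in the post above
# (headers trimmed; the problem document is the one the CA returned there).
SAMPLE_LOG = r"""
2017-02-07 09:19:06,953:DEBUG:root:Received <Response [405]>. Headers: {'allow': 'POST'}. Content: ''
2017-02-07 09:19:06,954:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "compras.adp.com.pe"}, "resource": "new-authz"}
2017-02-07 09:19:07,215:DEBUG:root:Received <Response [400]>. Headers: {'content-type': 'application/problem+json'}. Content: '{\n  "type": "urn:acme:error:rejectedIdentifier",\n  "detail": "Policy forbids issuing for name",\n  "status": 400\n}'
""".strip().splitlines()

AUTHZ_RE = re.compile(r"Serialized JSON: (\{.*\})$")
RESP_RE = re.compile(r"Received <Response \[(\d{3})\]>\..*Content: '(.*)'$")

# Operator-facing meaning of common ACME v1 error types (my summary, assumed wording).
MEANING = {
    "urn:acme:error:rejectedIdentifier": "the CA's issuance policy blocks this name; only the CA can exempt it",
    "urn:acme:error:rateLimited": "a rate limit was hit; wait before retrying",
    "urn:acme:error:unauthorized": "domain validation failed; fix the challenge before retrying",
}

def diagnose(lines):
    """Return one finding per ACME problem document, tagged with the name being requested."""
    findings = []
    requested = None  # identifier from the most recent new-authz request body
    for line in lines:
        m = AUTHZ_RE.search(line)
        if m:
            body = json.loads(m.group(1))
            if body.get("resource") == "new-authz":
                requested = body["identifier"]["value"]
            continue
        m = RESP_RE.search(line)
        if not m or int(m.group(1)) < 400 or not m.group(2):
            continue  # success, or the empty 405 certbot gets when fetching a nonce via HEAD
        # The log stores the body as a Python string literal, so "\n" is two characters here.
        try:
            problem = json.loads(m.group(2).encode("latin-1").decode("unicode_escape"))
        except ValueError:
            continue  # not a problem+json body
        err_type = problem.get("type", "")
        findings.append({"identifier": requested, "status": int(m.group(1)), "type": err_type,
                         "detail": problem.get("detail", ""),
                         "meaning": MEANING.get(err_type, "unrecognised ACME error type")})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['identifier']}: {f['status']} {f['type']} ({f['detail']}) -> {f['meaning']}")
```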


#6

Many thanks for that. @cpu is the best person to deal with this I think; they should be around later today. Please give us a little time to sort this out (it will require changes on the Let’s Encrypt server to change the policy for any given domain name).


#7

Apologies! I was out of the office last week.

@temple Thanks for your patience. I’ve kicked the process off to get this fixed for you. I will update this thread when the change has been made. It should be within a week if there are no unexpected operations issues.


#8

Thank you very much @cpu


#9

Hi @temple - good news - the change is now live in production :fireworks: :tada:.

Please let me know if you are encountering the same error as you originally reported.

Thanks!


#10

It worked like a charm!
Great job

Thank you very much.

