Problem with domain name

Hello everyone, I need support.

My domain is: elbrus-climbing.com, elbrus.vip
I am trying to create a certificate, but I see an error in the log file /home/bitrix/dehydrated_update.log: Error-creating-new-authz-Policy-forbids-issuing-for-name

This is misleading - both domains are actually fine to use with Let's Encrypt.

I would check a couple of things:

  1. Did you create the CSR for this certificate request by yourself? It's possible that it was incorrectly generated, but it's hard to know without seeing the full log file, and also seeing the exact commands you used with dehydrated.
  2. The error might be related to rate limits. One of your domains is presently maxed out on rate limits:

| Rate Limit | Current Status | Domain |
| --- | --- | --- |
| 50 Certificates per Registered Domain per week | OK (5 / 50 this week.) | elbrus-climbing.com |
| 5 Duplicate Certificates per week | Limit exceeded. Next issuable at 2018-12-13T14:09:02.000Z | elbrus-climbing.com |

Summary generated at Let's Debug Toolkit.

Full dehydrated_update.log:

https://pastebin.com/1sPN4RpM

I am trying to create it from bitrixvm. It has automatic certificate release. I just add the domain, DNS, and email.

Here is the key line:

Processing ns1.yandex.ru with alternative names: ns2.yandex.ru

Your error message about "policy forbids issuing for name" refers to yandex.ru, which Let's Encrypt refuses to issue certificates for, because it is a high-risk/valuable domain.

Your server is requesting certificates for ns1.yandex.ru and ns2.yandex.ru ... and I guess you do not really control these domains. You should remove them from dehydrated's configuration.

2 Likes

The A record for elbrus.vip is 146.158.12.240. Why is it asking the Yandex DNS servers?

Please show this file:
# INFO: Using main config file /home/bitrix/dehydrated/config

https://pastebin.com/51nUUJmW

There are only 6 lines used in all that and none can explain why this is happening:
Processing ns1.yandex.ru with alternative names: ns2.yandex.ru
Are you on a “shared” system…?
Is there any other dehydrated file (or included file) that can explain it?

It might be in domains.txt:

# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
#DOMAINS_TXT="${BASEDIR}/domains.txt"

Even though it’s commented, I suspect it’s the default place to stick your domains.

Or there is the nuclear option:

grep -Ri yandex /home/bitrix/dehydrated

2 Likes

Yes, in domains.txt. Is that a problem?

grep -Ri yandex /home/bitrix/dehydrated
/home/bitrix/dehydrated/domains/elbruscliming.com.txt:ns1.yandex.ru ns2.yandex.ru
/home/bitrix/dehydrated/domains.txt:ns1.yandex.ru ns2.yandex.ru

Read https://github.com/lukas2511/dehydrated/blob/master/docs/domains_txt.md

By including those lines, you are asking Dehydrated to create certificates for ns1.yandex.ru and ns2.yandex.ru.

Remove those lines, and those domains will no longer be involved.

2 Likes
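
An added example, not part of any post in this thread and not dehydrated's own code: a shell check that lists names in a dehydrated domains.txt which are not under a domain you control, so a line like the ns1.yandex.ru one is caught before an issuance attempt. The function names, the allowed-domain arguments and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag names in a dehydrated domains.txt
# that are not under a domain you control.

# audit_domains_txt FILE BASE_DOMAIN...
# Prints "LINE NAME" for each unexpected name; returns 1 if any was found.
audit_domains_txt() {
    file=$1; shift
    awk -v allowed="$*" '
        BEGIN { n = split(tolower(allowed), base, " ") }
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^>/) break           # "> alias" names the cert, not a host
                name = tolower($i)
                sub(/^\*\./, "", name)         # wildcard: check the parent name
                ok = 0
                for (j = 1; j <= n; j++) {
                    suffix = "." base[j]
                    if (name == base[j] ||
                        (length(name) > length(suffix) &&
                         substr(name, length(name) - length(suffix) + 1) == suffix))
                        ok = 1
                }
                if (!ok) { print NR, $i; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample: the yandex.ru line mirrors the one grep found in the thread.
write_sample() {
    cat > "$1" <<'EOF'
# constructed domains.txt
elbrus-climbing.com www.elbrus-climbing.com
ns1.yandex.ru ns2.yandex.ru
elbrus.vip *.elbrus.vip > elbrus_vip
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_domains_txt "$sample" elbrus-climbing.com elbrus.vip ||
    echo "Remove the names listed above from domains.txt before running dehydrated."
rm -f "$sample"
```

Running the same function over the per-certificate files under the domains/ directory covers the second path that grep reported.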

Thank you so much.
But now I see a new problem. I am trying to create a certificate for elbrus.vip

https://pastebin.com/WetTHMp9

As I mentioned in my very first response, you’re currently rate limited from creating too many duplicate certificates.

You won’t be able to make one for your .com domain for around 2 more days.

If you saved your existing certificates, you should just use them.
