Hello everyone, i need a support
My domain is: elbrus-climbing.com, elbrus.vip
I will try to create certificate, but i see error in log file /home/bitrix/dehydrated_update.log: Error-creating-new-authz-Policy-forbids-issuing-for-name
Hello everyone, i need a support
My domain is: elbrus-climbing.com, elbrus.vip
I will try to create certificate, but i see error in log file /home/bitrix/dehydrated_update.log: Error-creating-new-authz-Policy-forbids-issuing-for-name
This is misleading - both domains are actually fine to use with Let's Encrypt.
I would check a couple of things:
Rate Limit | Current Status | Domain |
---|---|---|
50 Certificates per Registered Domain per week | OK (5 / 50 this week.) | elbrus-climbing.com |
5 Duplicate Certificates per week | Limit exceeded. Next issuable at 2018-12-13T14:09:02.000Z | elbrus-climbing.com |
Summary generated at Let's Debug Toolkit . |
full dehydrated_update.log:
I will try to create from bitrixvm. He is got automatic certificate release. I just add domain, DNS, email
Here is the key line:
Processing ns1.yandex.ru with alternative names: ns2.yandex.ru
Your error message about "policy forbids issuing for name" refers to yandex.ru
, which Let's Encrypt refuses to issue certificates for, because it is a high-risk/valuable domain.
Your server is requesting certificates for ns1.yandex.ru
and ns2.yandex.ru
... and I guess you do not really control these domains. You should remove them from dehydrated's configuration.
A record for elbrus.vip 146.158.12.240 Why he is asking DNS yandex servers?
Please show this file:
# INFO: Using main config file /home/bitrix/dehydrated/config
There are only 6 lines used in all that and none can explain why this is happening:
Processing ns1.yandex.ru with alternative names: ns2.yandex.ru
Are you on a “shared” system…?
Is there any other dehydrated file (or included file) that can explain it?
It might be in domains.txt
:
# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
#DOMAINS_TXT="${BASEDIR}/domains.txt"
Even though it’s commented, I suspect it’s the default place to stick your domains.
Or there is the nuclear option:
grep -Ri yandex /home/bitrix/dehydrated
Yes, in domains.txt. Is that a problem?
grep -Ri yandex /home/bitrix/dehydrated
/home/bitrix/dehydrated/domains/elbruscliming.com.txt:ns1.yandex.ru ns2.yandex.ru
/home/bitrix/dehydrated/domains.txt:ns1.yandex.ru ns2.yandex.ru
Read https://github.com/lukas2511/dehydrated/blob/master/docs/domains_txt.md
By including those lines, you are asking Dehydrated to create certificates for ns1.yandex.ru
and ns2.yandex.ru
.
Remove those lines, and those domains will no longer be involved.
Thank you so much.
But now i see a new problem. I will try to create certificate for elbrus.vip
As I mentioned in my very first response, you’re currently rate limited from creating too many duplicate certificates.
You won’t be able to make one for your .com
domain for around 2 more days.
If you saved your existing certificates, you should just use them.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.