Receiving 'Policy forbids issuing for name' When Creating a Cert

Hello,

I’m attempting to create a certificate in HAProxy for a domain ending in .selfhost.corp.microsoft.com; this is our owned domain. I am using the guide found at certbot.eff.org. When I attempt to create a cert, I receive the following error message:

An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Policy forbids issuing for name
Please see the logfiles in /var/log/letsencrypt for more details.

Am I out of luck with creating a free certificate for our domain using Let’s Encrypt? Or am I simply missing a step? Thanks for any help.

I would imagine that all subdomains of microsoft.com would be blacklisted (to avoid impersonation). I might be wrong though.

Also, from a *.microsoft.com site I would expect an OV/EV certificate.

Also, you say this is “our owned domain” but so far as I can tell Microsoft does not publish DNS records for this entire sub-domain tree. Public CAs are not permitted to issue for names unless they’re on the public Internet.

So even if there wasn’t a policy restriction for this name, you probably wouldn’t be able to validate your control over it, and thus wouldn’t be able to receive a certificate, whether from Let’s Encrypt or any other CA.

Microsoft owns that domain. You're just borrowing it or being assigned it. You need to get your own domain which you control.

A Let's Encrypt official response regarding domains on Amazon's infrastructure being blacklisted is in this thread: Policy forbids issuing for name on Amazon EC2 domain - #3 by alesar.dev

A relevant quote that probably applies to this Microsoft issue:


That’s what I was afraid of. Thanks for everyone’s comments. It looks like LE won’t work for our needs, at least until we move to a new domain.
