SSL with CSR didnt renews


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: ( renew certificate with adding csr

It produced this output:

Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “ *””, “status”: 400 }

My web server is (include version): nginx - 1.13.8
The operating system my web server runs on is (include version): Windows Server 2016 Gen2

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): (custom service)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Question: Why this is not working? or i need to re-create certificate with csr?

(sorry for bad english (I am from Ukraine, so can make some mistakes))


It looks like the CSR is incorrect: instead of including the two names “” and “*”, it includes the single, invalid name “ *”.


So, which one i need to add to CSR cert?

The reason is that i need a wildcard ssl certificate for domain…



Hi @mkikets

how do you create your certificate signing request?

There add a comma ,, *

not *

without a comma.

Without comma -> one domain name, but the domain name is wrong (* inside, space).


like that


so i think the request was: *


but, I can’t understand which one is add to CSR cert…


Mhm. The site says, you must use spaces:

  • Multiple Domains or Subdomains or Wildcards Multiple domains or subdomains are allowed and should be separated by spaces (e.g. " * "). If the multiple domains or subdomains pertain to multiple directories then you must use manual HTTP verification and upload verification files to the correct directories or use DNS verification.

So the comma is wrong.

You don’t have a blocking CAA entry, so this isn’t the problem.

Are there later more / other options?

You need both names. This is correct, the * doesn’t work with the domain name. So every wildcard certificate should have both names * +

Played with the form, the space is correct, replaced later by a comma.


Try the names in reversed order:


Same error:

{ “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “*””, “status”: 400 }


Can’t you just click on “renew”? Or does sslforfree force you to upload a new CSR?


Perhaps if you have a sslforfree-login with your domains, then you can’t create anonymous a certificate with this domain name - combination.

closed #13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.