The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

My domain is: creatorsupport.target.com

I ran this command: We are using a Java ACME client.

Output: The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

This seems to be a special case at the Let's Encrypt CA level for the target.com domain? It sounds similar to: The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy

4 Likes

We block a number of particularly high-profile domains from getting certificates from Let’s Encrypt by default. In order to remove the block, we need all of the following:

  1. An entity representative must email security@letsencrypt.org requesting the change, from an email address with the domain in question.
  2. The domain owner must have an accredited attorney submit a letter requesting addition or removal from the blocklist. The letter must include: attorney name, firm name, firm phone number and email address, firm physical address, name of the organization being represented, a request that specific domains be added to or removed from our blocklist, and the date of the request.

We are only able to entirely remove blocked domains. We cannot allow subdomains of a blocked domain.

If you would like to protect domains after a block is removed, we can recommend adding CAA records.

8 Likes
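The CAA recommendation above is the part of this thread a practitioner can actually act on, so here is an added example (not code from Let's Encrypt or from anyone in the thread) of how a CA evaluates CAA records under RFC 8659: it climbs from the requested name toward the root and uses the first CAA RRset it finds, which is why a policy at the target.com apex governs creatorsupport.target.com unless that subdomain publishes its own records. The zone data is constructed for illustration and is not Target's real DNS; the CA identifiers used (letsencrypt.org, digicert.com, globalsign.com) are the domains those CAs publish for CAA matching.

```python
# Added example: RFC 8659 CAA evaluation, as a CA performs it before issuance.
# CAA_ZONE is CONSTRUCTED for illustration; it is not Target's real DNS data.
CAA_ZONE = {
    # apex: only two CAs may issue, and no CA may issue wildcards (";" = nobody)
    "target.com": [("issue", "digicert.com"),
                   ("issue", "globalsign.com"),
                   ("issuewild", ";")],
    # a delegated subdomain that publishes its own, more permissive policy
    "cdn.target.com": [("issue", "letsencrypt.org; validationmethods=dns-01")],
}


def relevant_caa(name: str):
    """Return (owner, rrset) for the closest name at or above `name` with CAA.

    RFC 8659 searches the requested name, then each parent, and stops at the
    first RRset found.  (Unlike RFC 6844, it does not follow a CNAME at the
    queried name into the CNAME target's tree.)
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_ZONE:
            return candidate, CAA_ZONE[candidate]
    return None, []


def may_issue(name: str, ca_domain: str) -> bool:
    """Would the CA identified by `ca_domain` be allowed to issue for `name`?"""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    _, rrset = relevant_caa(lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # For a wildcard request, issuewild overrides issue only if it is present.
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    values = [v for t, v in rrset if t == tag]
    if not values:
        return True  # RRset carries no property of the relevant tag: no restriction
    # The CA identifier is the part before ";"; parameters after it are ignored here.
    return any(v.split(";")[0].strip() == ca_domain for v in values)
```

Running `may_issue("creatorsupport.target.com", "letsencrypt.org")` against this constructed zone returns False, which is the same outcome the thread describes, only enforced by DNS policy rather than by the CA's internal blocklist.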

I have confirmed target.com is currently on the high-risk domain list.

7 Likes

From looking at the SANs the current certificate provides, it looks like they are a SaaS provider (Freshdesk) and not Target themselves. What'd be the option for them?
@Mohideen0810 I think the best option would be to contact the DNS admin (that put the CNAME to your service) about where to get the certificate from.
From the CT log it looks like Target uses DigiCert and GlobalSign.

2 Likes

They'd still be using a target.com subdomain, thus Target needs to approve of all this by doing the stuff mentioned above by @mcpherrinm. It does not matter if the subdomain in the end is subcontracted to a third party, it's Target that needs to approve of all this.

4 Likes

OR
Use an alternate domain, something like: Target-Support.com
creator.target-support.com
[much cheaper than getting a letter signed by an attorney - lol]

2 Likes

Lol.

Target must have in-house counsel, tho. They're paying it already :smiley:

4 Likes

This kind of thing makes it hard to detect, warn, and block phishing domains :sweat_smile:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.