Trying to generate SSL with .bd domain

raisulmushfeq · October 29, 2025, 11:58am

Hello,

We are trying to generate SSL certificate for a domain name jastation.bd but got the following error:
5:47:53 PM WARN Cpanel::Exception/(XID uz6y7h) “https://acme-v02.api.letsencrypt.org/acme/new-order” indicated an ACME error: 400 Bad Request (400 urn:ietf:params:acme:error:rejectedIdentifier (The server will not issue for the identifier) (Invalid identifiers requested :: Cannot issue for "jastation.bd": Domain name is an ICANN TLD)).
the .bd domain extension is recently open for public, previously it was only .com.bd etc. Can this be reated to the extension? or is the error reffering to something else?
Regards

raisulmushfeq · October 29, 2025, 12:05pm

Hello,
It seems the domain name has been lost on my message since I have used tag symbols.
The domain name in question is jastation.bd and not just .bd
Thought I needed to clarify it.

9peppe · October 29, 2025, 12:28pm

PSL was updated on this on October 26.

github.com/publicsuffix/list

Update `.bd` in ICANN section (#2623)

committed 01:55PM - 26 Oct 25 UTC

joyeetasen06

+16 -1

* Update public_suffix_list.dat Update .bd section to enable second-level doma…in registrations * Update public_suffix_list.dat My previous pull request https://github.com/publicsuffix/list/pull/2623 was failed due to unsorted list. Adding this new request with sorted one and modified _psl TXT. Organization Name: Bangladesh Telecommunications Company Limited (BTCL) Organization Website: https://btcl.portal.gov.bd/ Submitter: Joyeeta Sen Rimpee Registry Operator, .bd Domain Bangladesh Telecommunications Company Limited (BTCL) Role-based Contact: dgm.domain@btcl.gov.bd Abuse Contact: email: dgm.domain@btcl.gov.bd Organization Overview: Bangladesh Telecommunications Company Limited (BTCL) is the state-owned national telecommunications provider of Bangladesh and the official operator of the country code top-level domain (ccTLD) .bd, delegated by IANA and managed under the authority of the Government of Bangladesh. BTCL maintains the authoritative DNS infrastructure for .bd and .বাংলা, ensuring operational stability, DNSSEC deployment, and compliance with global Internet governance standards. Reason for PSL Inclusion BTCL has officially enabled second-level domain registrations directly under .bd (e.g., example.bd) in addition to the existing structured third-level domains (e.g., example.com.bd, example.net.bd). This update ensures that modern Internet infrastructure and hosting services—including browsers, certificate authorities, cPanel, Cloudflare, and Let’s Encrypt—correctly recognize second-level .bd domains as registrable and valid. The previous PSL configuration (*.bd) treated all subdomains as public registrable domains, which caused issues with cookie scope, HTTPS certificate validation, and domain recognition across major platforms. The updated section below accurately represents the .bd namespace and preserves compatibility with both second-level and structured third-level registrations. Proposed .bd Section: // Bangladesh : https://btcl.gov.bd bd com.bd net.bd org.bd edu.bd gov.bd ac.bd mil.bd tv.bd co.bd ai.bd sch.bd id.bd it.bd info.bd Number of users this request is being made to serve: Currently serving approximately 50,000 registered domains under .bd, with continuous growth as BTCL introduces direct second-level registration to encourage local digital presence. Third-party impact: This submission is not intended to circumvent any third-party limits. However, the change will ensure proper functionality for: SSL/TLS certificate issuance (Let’s Encrypt, DigiCert) Hosting providers (cPanel, Plesk, Cloudflare) Browser cookie scope handling (Chrome, Firefox, Safari) Duration of registration: All listed second-level and third-level zones are registry-controlled and maintained with long-term renewals exceeding 2 years. Additional Acknowledgements BTCL confirms: Responsibility for ongoing maintenance of .bd and its subzones. Open communication with PSL maintainers via dgm.domain@btcl.gov.bd. Active abuse reporting channel publicly listed on btclportal.gov.bd Summary This request aligns .bd with other ccTLDs (such as .uk, .in, .jp) that have transitioned to include second-level domain registrations. It enhances domain usability, international compatibility, and DNS integrity across Bangladesh’s national domain space. Submitted by: Deputy General Manager Registry Operator – .bd Domain Bangladesh Telecommunications Company Limited (BTCL) Email: dgm.domain@btcl.gov.bd, joyeetasen06@gmail.com * Update public_suffix_list.dat removed empty line

You'll have to wait this update gets to boulder. It can take a few days (weeks).

orangepizza · October 29, 2025, 12:58pm

github.com/letsencrypt/boulder

policy/pa.go

313ce532a


      
          }
          
          // In these error messages:
          //   253 is the value of maxDNSIdentifierLength
          //   63 is the value of maxLabelLength
          //   10 is the value of maxLabels
          // If these values change, the related error messages should be updated.
          
          var (
          	errNonPublic            = berrors.MalformedError("Domain name does not end with a valid public suffix (TLD)")
          	errICANNTLD             = berrors.MalformedError("Domain name is an ICANN TLD")
          	errPolicyForbidden      = berrors.RejectedIdentifierError("The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy")
          	errInvalidDNSCharacter  = berrors.MalformedError("Domain name contains an invalid character")
          	errNameTooLong          = berrors.MalformedError("Domain name is longer than 253 bytes")
          	errIPAddressInDNS       = berrors.MalformedError("Identifier type is DNS but value is an IP address")
          	errIPInvalid            = berrors.MalformedError("IP address is invalid")
          	errTooManyLabels        = berrors.MalformedError("Domain name has more than 10 labels (parts)")
          	errEmptyIdentifier      = berrors.MalformedError("Identifier value (name) is empty")
          	errNameEndsInDot        = berrors.MalformedError("Domain name ends in a dot")
          	errTooFewLabels         = berrors.MalformedError("Domain name needs at least one dot")
          	errLabelTooShort        = berrors.MalformedError("Domain name can not have two dots in a row")

you sent only .bd as requested domain, not jastation.bd think you client didn't parse tag symbol right: and as it catch there I think it likely have

never mind, old version of publicsuffix-go considered every direct subdomain of bd as public suffix, so it would return same error if it get something.bd or just .bd
you'll need to wait few days as @9peppe said.

Osiris · October 29, 2025, 7:01pm

I think updating the PSL library used by Boulder is a manual thing. First, the Go library used needs an update and afterwards Boulder needs to update its dependency.

So might take some time, might go quicker if we nudge one of the devs

Topic		Replies	Views
Name is an ICANN TLD error *.bn ccTLD Help	6	1719	September 9, 2018
Issue with *.zm TLD Issuance Policy	27	5667	February 10, 2016
Public Suffix List (PSL) update request Issuance Tech	3	1820	December 21, 2016
Cannot issue for "riyadh.ye": Domain name is an ICANN TLD Help	24	2331	March 6, 2021
Missing TLD [xn--4dbrk0ce / .ישראל] Feature Requests	43	3168	January 27, 2023

Trying to generate SSL with .bd domain

Related topics