Unblock subdomain

When requesting a cert for www.ch.bbc.co.uk

we get

Error: urn:acme:error:rejectedIdentifier :: Error creating new authz :: Policy forbids issuing for name

How do I get .ch.bbc.co.uk whitelisted, whilst preferably leaving the rest of .bbc.co.uk blacklisted?

Thanks,
Jonathan

Hi @jrosser,

Unfortunately our policy operates at the top level domain and we can't make an exception for just a subdomain. It's all or nothing. If you want to pursue seeing "bbc.co.uk" removed it will require action on the part of the registered domain owner. I can send you details in a DM but it is a somewhat involved process since this is a "true positive" in the sense that the "bbc.co.uk" domain is a high value domain and not a permutation of a high value domain.

Thanks,

You could ask Let’s Encrypt to unblock the entire domain, and then use CAA DNS records to control which subdomains Let’s Encrypt can issue for – at least if your DNS servers are modern enough. E.g.:

@   CAA  0 issue "other-ca.com"
ch  CAA  0 issue "other-ca.com"
ch  CAA  0 issue "letsencrypt.org"

(This would also allow Let’s Encrypt to issue certificates for xyz.ch.bbc.co.uk.)

However, CAA isn’t a panacea. As I mentioned above, not all DNS solutions support it yet. And while CAs will be required to check it (though sites will not be required to use it) in September, many don’t yet, and haven’t documented the procedures they’ll use either. So it may be difficult to support every CA you use domain-wide, and some of them may break in the coming months (until you adjust the DNS records again).

Also, it would not entirely fail secure. For example, if someone compromised your DNS servers (and enough of your infrastructure to pass validation, of course), they could just change or delete the CAA records and proceed to issue Let’s Encrypt certificates for www.bbc.co.uk or whatever.

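The CAA behaviour the reply above relies on (the closest CAA RRset up the tree decides, so a record at `ch` covers `xyz.ch.bbc.co.uk`, while the apex record still blocks `www.bbc.co.uk`) can be modelled offline. The following is an added example, not code from the thread or from Let’s Encrypt: it implements the RRset-selection and `issue`/`issuewild` matching rules of RFC 8659 over a constructed zone table that mirrors the three records suggested in the reply (`other-ca.com` is the placeholder from the post, and the table is not real `bbc.co.uk` DNS data). It also shows the fail-open point from the last paragraph: with the CAA records deleted, any CA is permitted again.

```python
"""Offline model of RFC 8659 CAA processing: which CA may issue for which name."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or 128 for "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer-domain-name (optionally "; param=..."), or ";" meaning nobody


# Constructed zone data (assumption, not real DNS): the records from the reply,
# written out as FQDNs. The apex allows only other-ca.com; ch allows both CAs.
ZONE = {
    "bbc.co.uk":    [CAA(0, "issue", "other-ca.com")],
    "ch.bbc.co.uk": [CAA(0, "issue", "other-ca.com"),
                     CAA(0, "issue", "letsencrypt.org")],
}


def relevant_rrset(name, zone):
    """Walk from the FQDN towards the root; the first non-empty CAA RRset is
    the relevant one (RFC 8659 section 3). Returns (owner, records)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def ca_may_issue(name, ca, zone):
    """Return True if the CA identified by issuer-domain-name `ca` may issue
    a certificate for `name` under the CAA records in `zone`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _owner, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted (fail-open)
    # A property tag the CA does not understand, with the critical bit set,
    # means the CA must refuse to issue.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # For wildcard names issuewild takes precedence when present; otherwise
    # (and for all non-wildcard names) the issue tags apply.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # RRset exists but carries no tag relevant to this request
    # Strip any "; key=value" parameters; an empty issuer name (from ";") allows nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca.lower() in allowed


if __name__ == "__main__":
    for fqdn in ("www.ch.bbc.co.uk", "xyz.ch.bbc.co.uk", "www.bbc.co.uk"):
        for ca in ("letsencrypt.org", "other-ca.com"):
            print(f"{fqdn:20} {ca:16} {'permitted' if ca_may_issue(fqdn, ca, ZONE) else 'refused'}")
    # The caveat from the reply: delete the CAA records and everything is permitted again.
    print("www.bbc.co.uk with no CAA records:",
          "permitted" if ca_may_issue("www.bbc.co.uk", "letsencrypt.org", {}) else "refused")
```

Running it shows Let’s Encrypt permitted for both `ch.bbc.co.uk` names, refused at `www.bbc.co.uk`, and permitted everywhere once the zone table is empty, which is exactly the fail-open behaviour the reply warns about. A CAA record `issue ";"` at the apex would lock the apex to no CA at all while the `ch` records still open that subtree.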

Yes, that's essentially what it boils down to.

Having looked across the community pages, it seems this crops up a lot with small corners of large organisations wanting (and indeed having corporate permission, in our case) to use LE on the subdomain we have control over.

I guess I just add my voice to the ones requesting finer grained control of the block list - CAA is basically inverted logic for our use case, but a solution that I seem to be forced into pursuing.


The primary constraint here is that the block list editing can't be automated. If organizations are contacting us to add/remove individual subdomains as they create them it would be very difficult to scale with our organization size.
