urn:ietf:params:acme:error:rejectedIdentifier

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ec2-54-219-151-30.us-west-1.compute.amazonaws.com

I ran this command:
sudo ~/.acme.sh/acme.sh --issue -d ec2-54-219-151-30.us-west-1.compute.amazonaws.com --standalone -k ec-256 --force

It produced this output:
[Sat Jan 11 21:59:32 CST 2020] Standalone mode.
[Sat Jan 11 21:59:32 CST 2020] Single domain='ec2-54-219-151-30.us-west-1.compute.amazonaws.com
[Sat Jan 11 21:59:32 CST 2020] Getting domain auth token for each domain
[Sat Jan 11 21:59:33 CST 2020] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for "ec2-54-219-151-30.us-west-1.compute.amazonaws.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy",
"status": 400
}
[Sat Jan 11 21:59:33 CST 2020] Please add '--debug' or '--log' to check more details.
[Sat Jan 11 21:59:33 CST 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version):
nginx version: nginx/1.6.2

The operating system my web server runs on is (include version):
Debian GNU/Linux 8 (jessie)

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
admin@ip-172-31-0-161:~$ acme.sh --version
v2.8.4
certbot --version
-su: certbot: command not found
certbot-auto --version
-su: certbot-auto: command not found

By policy, Let’s Encrypt does not allow people to get certificates for generic EC2 hostnames, mostly because they can change hands far more quickly than certificates expire.

You need to use your own domain name of some sort.

(You can certainly use AWS, EC2, and EC2 IP addresses. You just can’t use the EC2 hostname.)

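As an added example (not code from the thread or from acme.sh), the following pre-flight check recognises AWS-assigned EC2 public hostnames before a new-order request is sent, and classifies an ACME problem document of the kind shown in the output above. The hostname pattern is built from the format seen in this thread plus the legacy us-east-1 form (`ec2-A-B-C-D.compute-1.amazonaws.com`); the sample log is constructed, re-typed from the thread's output with straight quotes.

```python
import json
import re

# AWS-assigned EC2 public DNS names, which Let's Encrypt refuses by policy:
#   ec2-54-219-151-30.us-west-1.compute.amazonaws.com  (format from this thread)
#   ec2-1-2-3-4.compute-1.amazonaws.com                (legacy us-east-1 form)
EC2_PUBLIC_HOSTNAME = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\."
    r"(?:[a-z]{2}-[a-z]+-\d\.compute|compute-1)\.amazonaws\.com$",
    re.IGNORECASE,
)

ACME_ERROR_PREFIX = "urn:ietf:params:acme:error:"

# Constructed sample: the acme.sh log lines from the thread, with the JSON
# problem document embedded between ordinary log lines.
SAMPLE_LOG = r'''[Sat Jan 11 21:59:33 CST 2020] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Cannot issue for \"ec2-54-219-151-30.us-west-1.compute.amazonaws.com\": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy",
  "status": 400
}
[Sat Jan 11 21:59:33 CST 2020] Please add '--debug' or '--log' to check more details.'''


def is_generic_ec2_hostname(name: str) -> bool:
    """True if name is an AWS-assigned EC2 public hostname (trailing dot tolerated)."""
    return EC2_PUBLIC_HOSTNAME.match(name.strip().rstrip(".")) is not None


def preflight(identifiers):
    """Return the identifiers a new-order request would fail on with rejectedIdentifier."""
    return [n for n in identifiers if is_generic_ec2_hostname(n)]


def classify_acme_problem(log_text: str) -> str:
    """Pull the JSON problem document (RFC 8555 section 6.7) out of a log blob and
    return the short error code, e.g. 'rejectedIdentifier', or 'unknown'."""
    start, end = log_text.find("{"), log_text.rfind("}")
    if start == -1 or end == -1:
        return "unknown"
    err_type = json.loads(log_text[start:end + 1]).get("type", "")
    if not err_type.startswith(ACME_ERROR_PREFIX):
        return "unknown"
    return err_type[len(ACME_ERROR_PREFIX):]


if __name__ == "__main__":
    names = ["ec2-54-219-151-30.us-west-1.compute.amazonaws.com", "www.example.com"]
    print("would be rejected:", preflight(names))
    print("server said:", classify_acme_problem(SAMPLE_LOG))
```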

Thanks. I’ll apply one and try…
