Try to debug certificate issue for max.ru:
Let's Debug
Error message said it is forbidden by policy, for what policy rule it is forbidden? Whats a sanction applied on it?
Try to debug certificate issue for max.ru:
Let's Debug
Error message said it is forbidden by policy, for what policy rule it is forbidden? Whats a sanction applied on it?
That domain name is related to: OBShchESTVO S OGRANIChENNOY OTVETSTVENNOSTU KOMMUNIKACIONNAYa PLATFORMA
Which appears in the US Sanctions list: Sanctions List Search
Let's Encrypt is under US jurisdiction so cannot issue domains for sanctioned entities. You might try a different Certificate Authority subject to different rules which allows issuing a cert
Thanks for your answer!
I do not want to request a certificate for this domain, but want get clarification about new policy update and pick max.ru for example. There are many entities in sanctioned countries (in Russia particulary) without direct sanctions and glad to see you don't block all of them.
For this case, how do you match these two entities? "OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU A1" is a linked to "Alfabank", one of the largest private Russian banks. But "OBShchESTVO S OGRANIChENNOY OTVETSTVENNOSTU KOMMUNIKACIONNAYa PLATFORMA" is linked to VK.com, party-government social platform (as I know, without direct sanctions). I try to search link about two entities and nothing found there.
Please note that prefix "OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU" is like "Limited Liability Company"? Many companies in Russia have same "official" prefix (you can ask LLM and it confirm that, it translate Russian perfectly).
Just want to note, if you have any private evidence of link of entities it fine, but not so transparent. Alternatively there may be a bug in your matching engine and classify all with this prefix as sanctioned entitity.
I don't think there's anything new about the policy; Let's Encrypt is not allowed to issue to entities on the U.S. government's naughty list. I don't know how they match up the legal entities with the domain names that are thereby blocked, and it wouldn't shock me if such details were intentionally confidential in order to discourage people trying to work around it. If that specific domain is in fact not associated with a sanctioned entity then maybe it is a mistake of some kind, but I don't know if there exists any sort of appeals process to help figure it out.
And just to be clear, people responding here are just other community members unless they're specifically noted as being "Staff" or the like. I don't know how much Let's Encrypt is even legally allowed to respond to questions like this.
On the 4th of this month the Let's Encrypt subscriber agreement was updated, with new text added relating to sanctions. https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026-diff.pdf
It now says that you're not supposed to use Let's Encrypt if you're tied to a "country or territory that is the target of comprehensive U.S. sanctions".
According to Wikipedia this applies to these regions:
Cuba, Iran, North Korea, Russia, and certain conflict regions of Ukraine.
I would not be surprised if Let's Encrypt banned certain ccTLDs following this subscriber policy change. It would be nice if an employee at Let's Encrypt could confirm/deny.
Sorry for the confusion. It was my mistake at looking at only a partial match.
I see Let's Encrypt issued 10 certs for max.ru and various subdomains on June 6. So, something must have changed recently to prevent one today. Given the TLD I immediately suspected the SDN and too hastily matched above.
There are other policies that can prevent issuance of certs. But, if this isn't your domain the owner would be better served by contacting LE or even reporting it as a problem to the Let's Encrypt Boulder github: GitHub - letsencrypt/boulder at 72a2ea529216f323476234ff27b3e780011683ef · GitHub
Especially since that name was issued very recently.
UPDATE: I didn't see @dextercd post before I posted but I agree
![]()
I would have expected a change of the subscriber agreement to be mentioned in the ISRG email newsletter, or blog, or at least a forum post here. And the only real change is that additional clause about sanctions, hmm? That's… interesting. Between that and the subtle change in their transparency report it makes me rather curious if something interesting involving the feds happened, though. Though there isn't really any evidence for anything beyond a scraped-together conspiracy theory.
The subscriber agreement, both before and after, says this about updates:
In addition, major changes will be flagged with a new Subscriber Agreement version number in the ACME protocol, so You may be able to configure Your ACME Client Software to notify You of such changes.
Are there any ACME clients that implement such a feature?
We have blocked issuance to the domain in question because we concluded that it is ultimately controlled by a sanctioned entity.
This is unrelated to the subscriber agreement update (revision forthcoming), and it’s not related to any ccTLD block. As @petercooperjr previously noted, this is a continuation of compliance policies we have had in place for a long time.
FWIW I think LE has been enforcing US sanctions list for a while now. I don't get the sense of any tangible changes with the latest update.
Hello there! Sorry for creating a fresh account for a complaint...
I would love to humbly you to recall the certificate for the max.ru domain as well if so possible — it's been widely proven to be a spyware messenger app against users in Russia under sanctioned VK Group — https://habr.com/ru/articles/1006666/ (russian source, translator recommended)
humbly ask you*
sorry, can't edit posts yet ![]()
Sorry for adding this info, but I also want to ask not only to forbid issuance of new certificates in future, but also to revoke existing ones for max.ru and its subdomains as fast as possible.
The sanctioned Russian state messenger MAX on this domain was flagged as spyware by Cloudflare due to insecure cross-domain requests and shady data collection. Reports show the app collects geolocation, tracks installed apps, records audio/video, detects VPN usage, and sends detailed data to servers for surveillance (see Novaya Gazeta Europe, Apr 30 2026 and RKS Global analysis).
See:
but we cannot act on it without direction from OFAC, which is the federal agency that administers and enforces U.S. sanctions.
This may seem counterintuitive, but U.S. sanctions law is complex. Terminating a service can itself be a "transaction" with a sanctioned party that requires authorization. We have sought guidance from OFAC on how to handle these situations and must follow the regulatory framework as it applies to us.