Wildcard cert for domain in PSL

My domain is: js.org

I ran this command: acme.sh --issue --dns dns_cf -d "*.js.org" --force

It produced this output: Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"Invalid DNS identifier [*.js.org]"}

My web server is (include version): apache 2.4.52

The operating system my web server runs on is (include version): linux 2.6.32-954.3.5.lve1.4.82.el6.x86_64

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): 94.0 (build 23)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.2

js.org is on the public suffix list, but in the private section. According to this Wildcard certificates and Public Suffix List - Issuance Policy - Let's Encrypt Community Support (letsencrypt.org) this shouldn't be a problem.

1 Like

Please don't use options like --force if you don't know what it does. It won't magically make an error message go away.


but --staging worked without problems

And how would the --force option help you with that?

Are you actually requesting a Let's Encrypt certificate, or the default CA which is ZeroSSL in case of acme.sh?

Note that ZeroSSL does not have a staging environment of its own, so when requesting a certificate from the default CA ZeroSSL, acme.sh will use the Let's Encrypt staging environment when using the --staging option.. Yes, confusing, I know..


Yes that was the problem it used "zerossl" and not "letsencrypt". While staging propably "letsencrypt_test". I just got it working. Sorry for taking your time.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.