Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

ACME Plugin in kong with aws-ec2 error message "The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy" #12562

Closed BThanapon closed 6 months ago

BThanapon commented 7 months ago

Is there an existing issue for this?

Kong version ($ kong version)

Kong 3.5.0

Current Behavior

I use aws-ec2 to install Kong with docker compose and try to use the acme plugin to get a certificate for my Kong. I set up the route following the Kong Manager ACME plugin guide in the official Kong docs. My service ACME setting:

{
  "retries": 5,
  "ca_certificates": null,
  "tls_verify": null,
  "tls_verify_depth": null,
  "client_certificate": null,
  "name": "dummy-service",
  "id": "aa5bffd4-37a9-4744-a1fa-d82cdec10ff1",
  "read_timeout": 60000,
  "host": "127.0.0.1",
  "created_at": 1707806596,
  "updated_at": 1707811664,
  "enabled": true,
  "path": null,
  "port": 65535,
  "connect_timeout": 60000,
  "write_timeout": 60000,
  "tags": null,
  "protocol": "http"
}

My route ACME setting:

{
  "protocols": [
    "http",
    "https"
  ],
  "request_buffering": true,
  "response_buffering": true,
  "regex_priority": 0,
  "https_redirect_status_code": 426,
  "name": "acme-example",
  "paths": [
    "/.well-known/acme-challenge"
  ],
  "id": "eedca4bf-f11e-4341-9bf1-982ed7404cdc",
  "service": {
    "id": "aa5bffd4-37a9-4744-a1fa-d82cdec10ff1"
  },
  "path_handling": "v0",
  "strip_path": true,
  "methods": null,
  "sources": null,
  "created_at": 1707806646,
  "updated_at": 1707806646,
  "tags": [],
  "destinations": null,
  "preserve_host": false,
  "snis": null,
  "headers": null,
  "hosts": null
}

My acme plugin setting:

{
  "id": "8030718b-5581-4a09-9842-b02bb1ed5d34",
  "consumer": null,
  "service": null,
  "route": null,
  "enabled": true,
  "created_at": 1707807570,
  "updated_at": 1707812566,
  "tags": null,
  "name": "acme",
  "protocols": ["grpc", "grpcs", "http", "https"],
  "instance_name": "acme",
  "config": {
    "fail_backoff_minutes": 5,
    "storage_config": {
      "kong": {},
      "consul": {"token": null, "kv_path": null, "timeout": null, "port": null, "host": null, "https": false},
      "shm": {"shm_name": "kong"},
      "redis": {"ssl": false, "ssl_verify": false, "namespace": "", "port": null, "ssl_server_name": null, "host": null, "auth": null, "scan_count": 10, "database": null},
      "vault": {"kv_path": null, "timeout": null, "port": null, "tls_server_name": null, "auth_method": "token", "tls_verify": true, "token": null, "auth_path": null, "https": false, "auth_role": null, "host": null, "jwt_path": null}
    },
    "domains": ["example.com"],
    "account_key": null,
    "storage": "kong",
    "eab_hmac_key": null,
    "preferred_chain": null,
    "cert_type": "rsa",
    "enable_ipv4_common_name": true,
    "allow_any_domain": false,
    "tos_accepted": true,
    "api_uri": "https://acme-v02.api.letsencrypt.org/directory",
    "account_email": "me@hotmail.com",
    "eab_kid": null,
    "renew_threshold_days": 14,
    "rsa_key_size": 4096
  }
}

Everything looks good; the sanity test passes:

curl http://localhost:8001/acme -d host=example.com -d test_http_challenge_flow=true
"message":"sanity test for host example.com passed"

But after I use a curl command like this:

curl http://localhost:8001/acme -d host=example.com

I get an error like this:

"message":"failed to update certificate: could not create certificate for host: example.com err: failed to create new order: Error creating new order :: Cannot issue for \"example.com\": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy"

In my docker compose I set:

      KONG_ADMIN_GUI_LISTEN: 0.0.0.0:8002, 0.0.0.0:8445 ssl
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database
      KONG_PG_DATABASE: kong
      KONG_PG_USER: kong
      KONG_SSL: "on"
      KONG_PG_PASSWORD: ${KONG_PG_PASSWORD:-kong}
      KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 ssl
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: system

Expected Behavior

How to fix this?

fffonion commented 7 months ago

@BThanapon you can't use example.com; it must be a real domain name that you want a certificate for.

BThanapon commented 6 months ago

> @BThanapon you can't use example.com; it must be a real domain name that you want a certificate for.

Thank you for the reply. By example.com I mean I use domain = ec2-xxx-xxx-xxx.amezon.com. Is that right? In my opinion my domain is ec2-xxx-xxx-xxx.amezon.com, or will I have to get a free domain to resolve the problem?

chronolaw commented 6 months ago

@fffonion, could you give more explanation about it? Thanks.

fffonion commented 6 months ago

@BThanapon correct, certain well-known domains are not allowed by Let's Encrypt to avoid security issues, like google.com or amazon.com etc. You will need another domain.
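The distinction the maintainer draws is the one the plugin's own sanity test cannot make: `test_http_challenge_flow=true` only proves that the `/.well-known/acme-challenge` route and the storage backend work, while the order in the error above is refused by the CA's policy for the name itself. The following pre-flight script is an added example, not Kong's code and not part of this thread. It takes the plugin and route objects in the shape the Admin API returns them (the sample input is the thread's own configuration, trimmed to the keys used) and reports identifiers a public CA will refuse before any order is placed. The reserved-name list follows RFC 2606/6761; `POLICY_BLOCKED_SUFFIXES` is an assumed local list (amazon.com and google.com from this thread, amazonaws.com added by the example), not Let's Encrypt's actual policy, which is not published. `classify_acme_response` maps the two Admin API messages quoted above to the layer that failed.

```python
"""Pre-flight checks for a Kong ACME plugin configuration (added example, not Kong's code)."""
import ipaddress
import re
from typing import Any, Dict, List

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# RFC 2606 / RFC 6761 names: no public CA issues for these.
RESERVED_SUFFIXES = ("example.com", "example.net", "example.org",
                     "example", "test", "invalid", "localhost", "local")
# Assumption: a local list of names a public CA refuses by policy. amazon.com and
# google.com come from the thread; amazonaws.com is added here. Not Let's Encrypt's list.
POLICY_BLOCKED_SUFFIXES = ("amazon.com", "google.com", "amazonaws.com")
ACME_CHALLENGE_PATH = "/.well-known/acme-challenge"
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"


def _under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def check_domain(name: str) -> List[str]:
    """Reasons a public CA will not issue for `name` via HTTP-01 (empty list = fine)."""
    name = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return [f"{name}: IP address literal, not a DNS name"]
    except ValueError:
        pass
    problems: List[str] = []
    if name.startswith("*."):
        problems.append(f"{name}: wildcard, HTTP-01 cannot validate it (needs DNS-01)")
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        problems.append(f"{name}: not a fully qualified name")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append(f"{name}: contains an invalid DNS label")
    if _under(name, RESERVED_SUFFIXES):
        problems.append(f"{name}: reserved name (RFC 2606/6761), not issuable by any public CA")
    elif _under(name, POLICY_BLOCKED_SUFFIXES):
        problems.append(f"{name}: on the local CA-policy block list, expect 'forbidden by policy'")
    return problems


def check_challenge_route(route: Dict[str, Any]) -> List[str]:
    """HTTP-01 validation arrives over plain HTTP at /.well-known/acme-challenge/<token>."""
    problems: List[str] = []
    paths = route.get("paths") or []
    # Kong matches non-regex paths by prefix, so "/" or the exact path both cover it.
    if not any(ACME_CHALLENGE_PATH.startswith(p.rstrip("/")) for p in paths):
        problems.append(f"route {route.get('name')}: no path prefix covers {ACME_CHALLENGE_PATH}")
    if "http" not in (route.get("protocols") or []):
        problems.append(f"route {route.get('name')}: must accept plain http for HTTP-01")
    return problems


def check_plugin(plugin: Dict[str, Any]) -> List[str]:
    cfg = plugin.get("config", {})
    findings: List[str] = []
    if not plugin.get("enabled", False):
        findings.append("acme plugin is disabled")
    if not cfg.get("tos_accepted"):
        findings.append("tos_accepted is false; the CA will refuse account registration")
    if not cfg.get("account_email"):
        findings.append("account_email is empty")
    if cfg.get("allow_any_domain"):
        findings.append("allow_any_domain is true: any SNI Kong sees can trigger an order")
    if cfg.get("api_uri") == LE_PRODUCTION:
        findings.append("api_uri is production; debug against the staging directory "
                        "first to stay under production rate limits")
    for domain in cfg.get("domains") or []:
        findings.extend(check_domain(domain))
    return findings


def preflight(plugin: Dict[str, Any], route: Dict[str, Any]) -> List[str]:
    return check_plugin(plugin) + check_challenge_route(route)


def classify_acme_response(resp: Dict[str, Any]) -> str:
    """Map the Admin API's POST /acme reply to the layer that failed."""
    msg = resp.get("message", "")
    if "sanity test" in msg and "passed" in msg:
        return "challenge_flow_ok"        # route and storage work; says nothing about the CA
    if "forbidden by policy" in msg:
        return "ca_rejected_identifier"  # fix the domain, not the route
    if "failed to create new order" in msg or "failed to update certificate" in msg:
        return "order_failed"
    return "unknown"


# Constructed input: the plugin, route and error from the thread, trimmed to the keys used.
PAGE_PLUGIN = {"enabled": True, "route": None, "service": None, "config": {
    "domains": ["example.com"], "allow_any_domain": False, "tos_accepted": True,
    "account_email": "me@hotmail.com", "api_uri": LE_PRODUCTION}}
PAGE_ROUTE = {"name": "acme-example", "protocols": ["http", "https"],
              "paths": ["/.well-known/acme-challenge"]}
PAGE_ERROR = {"message": "failed to update certificate: could not create certificate for "
              "host: example.com err: failed to create new order: Error creating new order "
              ":: Cannot issue for \"example.com\": The ACME server refuses to issue a "
              "certificate for this domain name, because it is forbidden by policy"}

if __name__ == "__main__":
    for line in preflight(PAGE_PLUGIN, PAGE_ROUTE):
        print("-", line)
    print(classify_acme_response(PAGE_ERROR))
```

Run against the thread's configuration it reports two findings: `example.com` is a reserved name no CA will issue for, and the plugin points at the production directory, which is worth swapping for the staging directory while the route and domain are still being debugged. An `ec2-...amazonaws.com` host is flagged only because of the assumed block list; a name under a domain the operator actually controls passes all checks.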

BThanapon commented 6 months ago

> @BThanapon correct, certain well-known domains are not allowed by Let's Encrypt to avoid security issues, like google.com or amazon.com etc. You will need another domain.

Thank you so much for answering my question. I think that's what was wrong with my config.