An unexpected error occurred. Please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
rururururururururururururururururururururururururururururururu.ru

I ran this command:
certbot certonly -d rururururururururururururururururururururururururururururururu.ru -d *rururururururururururururururururururururururururururururururu.ru --manual --agree-tos --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

It produced this output:
An unexpected error occurred:
The server will not issue certificates for the identifier :: NewOrder request did not include a SAN short enough to fit in CN

My web server is (include version):
Apache2

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

Basically what this says. A certificate issued by Let's Encrypt needs to have a domain name which is 64 characters or less, to get put into the CN field of the certificate. The name you're trying to use is too long.

So, you can add another domain that's shorter to the certificate, then that certificate will have a name that can fit. Or, you might be able to use some other CA, but I don't know if there are any free ones using ACME that support not having a CN, but there might be.

4 Likes

According to the rules of any registrar, the length of a domain name should not exceed 63 characters (without a domain zone).
And any registrar registers names with a maximum of 63 characters (without a domain zone).
My domain name contains 62 characters.

I think if Let's Encrypt can't issue certificates for domains that any registrar registers, then this is a bug that needs to be fixed.

I hope they fix this ASAP.

Please see DNS-01 challenge of the Challenge Types - Let's Encrypt
You are trying to do a wildcard domain name Wildcard DNS record - Wikipedia but that is NOT what you specified. You have *<domain name> not *.<domain name>

1 Like

Thank you very much.
I really missed the point when I was typing this post.
But, this does not solve the problem.
When I gave a command to the certbot, I typed it without error.
It looks like the problem is an incorrect limit of Let's Encrypt.

1 Like

The total length of your hostname is 65 characters. Which is too long.

5 Likes

Or Certbot?

No, the error is from the Let's Encrypt ACME API, not from Certbot.

5 Likes

According to the rules of any registrar, the length of a domain name should not exceed 63 characters (without a domain zone!!!).
Mine is 62 characters without a domain zone.

Maybe.

The restriction is on the Common Name (CN) field in the cert itself. It cannot be longer than 64 characters. This is dictated by industry standard.

You can read this page about it by DigiCert (another CA):
https://docs.digicert.com/en/certcentral/manage-certificates/public-certificates---data-entries-that-violate-industry-standards.html#idm45120359560224

4 Likes

That's all fine, but there are also other rules, such as the rules for certificates. While the common name might be deprecated, if it's used the length is capped to 64 characters (see ub-common-name-length).

So while DNS might allow more, the rules for certs don't. See e.g. Fraser's IdM Blog - Implications of Common Name deprecation for Dogtag and FreeIPA.

5 Likes

Let’s Encrypt currently always puts a domain in the CN field, which is limited to 64 characters. As you’ve run into, this can be a problem.

You can have additional domain names that are longer, but there has to be at least one short enough to fit in the CN.

In the future we plan to offer certificates without CNs, but they have some compatibility hazards that we want to make sure we fully understand the implications of.

6 Likes
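An added pre-flight check, written for this thread and not taken from Certbot's or Let's Encrypt's own software, that applies the rule stated above: an order must contain at least one well-formed DNS name of 64 characters or fewer to serve as the CN. It also catches the malformed wildcard from the original command (`*domain` instead of `*.domain`); the label rules it enforces are RFC 1035 limits, and the sample names in the test are constructed.

```python
# Added pre-flight check (not Certbot or Boulder code): mirrors the rule the
# thread describes, that an order needs at least one DNS name short enough to
# serve as the certificate's Common Name (64 characters), and catches the
# malformed wildcard from the original command ("*domain" instead of "*.domain").
import re

MAX_CN_LENGTH = 64      # ub-common-name-length: X.509 CN upper bound
MAX_LABEL_LENGTH = 63   # RFC 1035: one label may not exceed 63 octets
MAX_FQDN_LENGTH = 253   # RFC 1035: whole name without trailing dot

# LDH rule: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_dns_name(name):
    """Return a list of problems with one identifier; an empty list means it is well-formed."""
    problems = []
    name = name.lower()
    if name.startswith("*"):
        if not name.startswith("*."):
            # This is the typo in the thread's certbot command: "*rururu...ru.ru".
            return ["wildcard must be written as '*.' followed by the domain"]
        labels = name[2:].split(".")
    else:
        labels = name.split(".")
    if len(name) > MAX_FQDN_LENGTH:
        problems.append("name longer than %d characters" % MAX_FQDN_LENGTH)
    for label in labels:
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL_LENGTH:
            problems.append("label %r longer than %d" % (label, MAX_LABEL_LENGTH))
        elif not LABEL_RE.match(label):
            problems.append("label %r is not letters/digits/hyphens" % label)
    return problems


def pick_common_name(names):
    """Return the first well-formed name that fits in the CN, or None if none does.

    None corresponds to the CA error 'did not include a SAN short enough to fit in CN'.
    """
    for name in names:
        if not validate_dns_name(name) and len(name) <= MAX_CN_LENGTH:
            return name
    return None
```

Run `pick_common_name` over the list of `-d` values before submitting the order; a `None` result means the order will be rejected unless a shorter name is added.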

Thanks to everyone who helped me understand what the problem is.
As I understand it, it's all about outdated standards that do not correspond to today's reality.

I hope that this problem will be solved in the near future.

2 Likes

Note that there are some other ~free ACME CAs, like BuyPass and ZeroSSL, which will happily issue certificates for very long domains.

Those CAs do not force the presence of a CN in the certificate and are unaffected by the restriction, potential compatibility pitfalls notwithstanding.

Example BuyPass certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:fa:a7:89:9b:4d:22:ea:8b:76:8c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 5
        Validity
            Not Before: Feb 18 22:26:55 2023 GMT
            Not After : Aug 16 21:59:00 2023 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:3d:68:2a:b8:82:cd:06:16:3e:eb:47:f1:3a:e7:
                    ed:d4:e5:68:76:c9:f8:d1:ce:f8:07:62:04:4e:d0:
                    77:d8:f4:ce:f6:d7:00:47:75:53:85:d6:16:c6:25:
                    77:f3:89:76:28:73:3f:bb:05:3a:3e:49:da:db:31:
                    f6:4b:ee:d1:22
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:27:52:A4:6F:2D:2A:AB:40:93:90:EC:D6:69:CB:FE:7C:61:3B:7C:42

            X509v3 Subject Key Identifier: 
                F9:19:C7:04:07:B0:25:8C:49:98:A5:4B:5F:39:3C:F6:AB:84:8F:42
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 2.16.578.1.26.1.2.7
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                URI:http://crl.buypass.no/crl/BPClass2CA5.crl

            X509v3 Subject Alternative Name: critical
                DNS:rururururururururururururururururururururururururururururururu.zorin.au
            Authority Information Access: 
                OCSP - URI:http://ocsp.buypass.com
                CA Issuers - URI:http://crt.buypass.no/crt/BPClass2CA5.cer

            1.3.6.1.4.1.11129.2.4.2: 
    Signature Algorithm: sha256WithRSAEncryption
Example ZeroSSL certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:25:2f:75:c2:f6:3a:04:35:85:29:ce:78:0a:b1:0a
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=AT, O=ZeroSSL, CN=ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Feb 18 00:00:00 2023 GMT
            Not After : May 19 23:59:59 2023 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:f8:5a:0e:e7:1b:3d:7c:eb:21:7a:08:08:db:60:
                    8b:75:11:a7:9e:3a:fa:c4:40:13:ae:c5:f4:48:36:
                    a8:b7:71:cf:cb:27:99:17:2d:40:af:43:61:3b:11:
                    f2:75:71:e7:2c:5f:24:2f:52:41:f0:c5:31:da:05:
                    42:d4:23:c1:4c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3

            X509v3 Subject Key Identifier: 
                1E:8D:3D:BB:11:00:51:42:CF:A0:A6:6F:37:D4:85:DE:19:0B:C6:67
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.78
                CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1

            Authority Information Access: 
                CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
                OCSP - URI:http://zerossl.ocsp.sectigo.com

            1.3.6.1.4.1.11129.2.4.2: 
            X509v3 Subject Alternative Name: critical
                DNS:rururururururururururururururururururururururururururururururu.zorin.au
    Signature Algorithm: ecdsa-with-SHA384
6 Likes
