Attempting to generate cert, getting "UnicodeError: encoding with 'idna' codec failed"

My domain is: api.nais.org

I ran this command:

certbot certonly --agree-tos --email myemail@gmail.com --webroot -w /var/lib/letsencrypt/ -d api.nais.org

It produced this output:

2018-05-11 16:52:10,369:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/reg/34795080 HTTP/1.1" 202 658
2018-05-11 16:52:10,370:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 658
Boulder-Requester: 34795080
Link: <https://acme-v01.api.letsencrypt.org/acme/new-authz>;rel="next", <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Replay-Nonce: ElgNu8wfpAQ5IX1CITyFR5mlgIsavV1k-urmT6-RC2k
Expires: Fri, 11 May 2018 16:52:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 11 May 2018 16:52:10 GMT
Connection: keep-alive

b'{\n  "id": 34795080,\n  "key": {\n    "kty": "RSA",\n    "n": "tIG4lSXihMmyhOND2ZkfoOzSICmx7PamI_jfUEGT3GeZBcnAZTLeILL0I26xWBqJuQk4lH9ti3f8EeRW51jegKSidyVQdfKP-GE4bIdc2PLkt8gRDL2W988nJ1hFqKegnphREiZYLc6nGjn8ygcmleddkI4amih1aaGdLUhaIw6FTSPWc6ZkVCoSE-RxO9V44XhXPqnTCfhLvXCejyX_RVEClMjhDWsNSbmjG0uyJSo2GvPGOI96uG0z98XV7SgxKmWoFwUF1r2a6y-VClFaHrQvJpIALWKByD1lI2Fu42oVXx1oInI6cHjDM-rMM933LkOpozwzphda6imOWpJEIQ",\n    "e": "AQAB"\n  },\n  "contact": [\n    "mailto:myemail@gmail.com"\n  ],\n  "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",\n  "initialIp": "165.227.28.242",\n  "createdAt": "2018-05-11T16:52:10Z",\n  "status": "valid"\n}'
2018-05-11 16:52:10,370:DEBUG:acme.client:Storing nonce: ElgNu8wfpAQ5IX1CITyFR5mlgIsavV1k-urmT6-RC2k
2018-05-11 16:52:10,371:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3.6/encodings/idna.py", line 167, in encode
    raise UnicodeError("label too long")
UnicodeError: label too long

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.23.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1141, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 635, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 514, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 168, in register
    acc = account.Account(regr, key)
  File "/usr/lib/python3/dist-packages/certbot/account.py", line 57, in __init__
    creation_host=socket.getfqdn()) if meta is None else meta
  File "/usr/lib/python3.6/socket.py", line 673, in getfqdn
    hostname, aliases, ipaddrs = gethostbyaddr(name)
UnicodeError: encoding with 'idna' codec failed (UnicodeError: label too long)
2018-05-11 16:52:10,372:ERROR:certbot.log:An unexpected error occurred:

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi @stephaniewilkinson,

This is an unusual error which I don’t think we’ve come across before. Could you please help me understand more about why this is happening?

Probably seeing the output from running this command would help:

python3 -c 'import socket; print(socket.getfqdn())'

If that shows an error too, maybe you could run

python2 -c 'import socket; print(socket.getfqdn())'

and if that shows an error too, maybe you could run

hostname

Thanks for helping!

When I run:
$ python3 -c 'import socket; print(socket.getfqdn())'

The output is:

Traceback (most recent call last):
  File "/usr/lib/python3.6/encodings/idna.py", line 167, in encode
    raise UnicodeError("label too long")
UnicodeError: label too long
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.6/socket.py", line 673, in getfqdn
    hostname, aliases, ipaddrs = gethostbyaddr(name)
UnicodeError: encoding with 'idna' codec failed (UnicodeError: label too long)

When I run:
python2 -c 'import socket; print(socket.getfqdn())'

The output is:
ruby-rails-s-1vcpu-1gb-sfo2-01-1525916611287-s-2vcpu-4gb-sfo2-01.localdomain

When I run:
hostname

The output is:
ruby-rails-s-1vcpu-1gb-sfo2-01-1525916611287-s-2vcpu-4gb-sfo2-01

Thanks!

So, there are some Internet standards that say that the longest allowable label in a DNS name is 63 bytes. Your hostname ruby-rails-s-1vcpu-1gb-sfo2-01-1525916611287-s-2vcpu-4gb-sfo2-01 is 64 bytes.

This wouldn’t directly bother Certbot (and wouldn’t bother Let’s Encrypt if you’re not literally trying to get a certificate covering that name), but it looks like some of Python 3’s internal logic crashes when asked to deal with hostnames that are longer than 63 bytes.

We’ll probably need to discuss whether we want to ask the Python developers to change this or whether we want to change the particular function that we call here. In the meantime, you could work around this by

  • changing your system’s hostname so that it’s less than 64 bytes long
  • running Certbot with Python 2 rather than Python 3 (maybe edit /usr/bin/certbot so that it starts with #!/usr/bin/python2 instead of #!/usr/bin/python3?)
  • editing the Certbot code on your system so that it uses some other value for your local host name here
  • using a different Let’s Encrypt client rather than Certbot

Those are all the options that I can think of for the moment. :slight_smile:

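A defender-side check for the 63-byte label limit described above, added here as an example that is not from the thread, from Certbot or from Python's own code: it reports which labels are over the limit using the same idna codec socket.getfqdn() hits, and wraps the FQDN lookup so an overlong local hostname degrades to socket.gethostname() instead of aborting. The hostname value is the one quoted in the thread; the resolver parameter is an assumption added for testability.

```python
import socket
from typing import Callable, List, Tuple

# RFC 1035 limits a single DNS label to 63 octets; Python's idna codec
# enforces the same bound and raises UnicodeError("label too long").
MAX_LABEL_BYTES = 63

# Hostname quoted in the thread: a single 64-byte label with no dots.
THREAD_HOSTNAME = "ruby-rails-s-1vcpu-1gb-sfo2-01-1525916611287-s-2vcpu-4gb-sfo2-01"


def overlong_labels(hostname: str) -> List[Tuple[str, int]]:
    """Return (label, byte_length) for every label longer than 63 bytes.

    Labels are sized the way the idna codec sees them (ASCII labels pass
    through unchanged), which is what socket.getfqdn() ultimately checks.
    """
    found = []
    for label in hostname.rstrip(".").split("."):
        try:
            size = len(label.encode("idna"))
        except UnicodeError:
            # The codec refuses an overlong label outright, so report the
            # raw UTF-8 byte count instead (exact for ASCII labels).
            size = len(label.encode("utf-8"))
        if size > MAX_LABEL_BYTES:
            found.append((label, size))
    return found


def idna_ok(hostname: str) -> bool:
    """True when the idna codec accepts hostname, as getfqdn() requires."""
    try:
        hostname.encode("idna")
        return True
    except UnicodeError:
        return False


def safe_fqdn(resolver: Callable[[], str] = socket.getfqdn) -> str:
    """Resolve the local FQDN, falling back to the bare hostname on codec errors.

    resolver is an assumption for testing; real callers keep the default
    socket.getfqdn. The fallback lets a client proceed instead of crashing.
    """
    try:
        return resolver()
    except UnicodeError:
        return socket.gethostname()


if __name__ == "__main__":
    for label, size in overlong_labels(THREAD_HOSTNAME):
        print(f"label {label!r} is {size} bytes (> {MAX_LABEL_BYTES})")
    print("idna accepts thread hostname:", idna_ok(THREAD_HOSTNAME))
    print("safe_fqdn():", safe_fqdn())
```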

Thanks for those ideas!

Let’s encrypt is now rate limiting me because of too many attempts :expressionless:

Which rate limit message do you see?

An unexpected error occurred:
There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

I still have yet to install a cert though:

https://crt.sh/?q=api.nais.org


I’m sorry that this bug has triggered that limit. The limit in question will reset in three hours (probably starting from the time of your first unsuccessful attempt).

Good to know! The docs said a week, so I was a little worried. Thanks for your help! I’m going to try renaming my domain first. (I tried rolling back Python but it required an old version (‘certbot==0.23.0’) that I didn’t have.)

For anyone else who is having this problem, here are steps to fix it:

$ hostname

will give you your hostname

$ hostname new-hostname

will reset your hostname so you can make it shorter, and try certbot again.


Note that changes made by hostname aren't saved permanently. It will be reset next time you reboot.

The hostname is stored in /etc/hostname, but it can be managed dynamically and overwritten by any number of things, like the DHCP client or cloud-init.

I’ve also created an issue at

to track Certbot’s response to this issue, although I’m not sure how high a priority it will be.
