Can't generate certificate

Hello. I'm trying to issue a certificate for an S3 bucket.
My domain name is a CNAME for my cloud provider's domain.
Unfortunately I have limited access to the provider's logs, so I cannot actually tell what the problem is.
Is it possible to help me somehow in this situation?

My domain is:
8c84b763.aktega.host

The only log I have is:
"Error:Field validation for 'Domain' failed on the 'hostname' tag"

Any clue would be highly appreciated.

More answers to the questions on the form would be helpful, especially the ones that ask how you tried to get the cert, the actual command or panel used, the versions of those, and your OS.

Are you trying to get a cert for an AWS S3 bucket? If so, please provide more details, because the best way would probably be to use CloudFront with your custom domain name and have the S3 bucket be an origin server for CloudFront.

====================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Thanks for the reply and sorry for not coming back immediately.
I requested details from my cloud provider.
It's not AWS.
Now I know my provider uses a custom LE client, so I can't give many details.
I realized that the problem was with my domain.
It's 8c84b763.aktega.host.

Can anyone tell me what restrictions LE has on domain names?
Does it check the hostname against RFC 1123 or RFC 952, or neither?
Can I generate a certificate for a domain that starts with a digit?

Thank you.


It follows the Baseline Requirements that all CAs have to follow. I don't know the chapter and verse for hostname validation offhand, but your name doesn't look weird at all to me. (The only issues people usually deal with here that I've seen relating to hostname validation involve underscores, consecutive hyphens in the wrong places, or being too long.)

Yes.

You're going to need to get more details from your provider on what the problem is. The error message you showed isn't from Let's Encrypt directly. Perhaps their custom integration has additional hostname validation rules.


Please see Domain name contains invalid character - #9 by Bruce5051

Domain names need to begin with a letter; yours starts with a digit.

<domain> ::= <subdomain> | " "

<subdomain> ::= <label> | <subdomain> "." <label>

<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]

<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>

<let-dig-hyp> ::= <let-dig> | "-"

<let-dig> ::= <letter> | <digit>

<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case

<digit> ::= any one of the ten digits 0 through 9
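To make the RFC 952 versus RFC 1123 difference concrete, here is an added example (not code from the thread or from Let's Encrypt) that implements both label grammars side by side. The RFC 952 pattern is the `<label>` production quoted above (first character must be a letter); the RFC 1123 pattern is the section 2.1 relaxation that also allows a leading digit. The length limits (63 octets per label, 253 overall) are the usual DNS limits and are applied to both variants for simplicity; the shorter limits in the original RFC 952 text are not modelled. The function names are my own.

```python
import re

# RFC 952 <label>: <letter> [ [ <ldh-str> ] <let-dig> ]
#   first character must be a letter, last must be a letter or digit,
#   only letters, digits and "-" in between.
LABEL_RFC952 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# RFC 1123 section 2.1 relaxation: the first character may also be a digit.
LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _check(hostname, label_re, max_label=63, max_total=253):
    """Return (ok, reason) for a hostname under the given label grammar.

    A single trailing dot (FQDN form) is accepted and stripped. Length
    limits are the DNS ones (RFC 1035) and are an assumption of this
    example, not part of either RFC 952 or RFC 1123 text quoted above.
    """
    name = hostname[:-1] if hostname.endswith(".") else hostname
    if not name:
        return False, "empty name"
    if len(name) > max_total:
        return False, f"name is {len(name)} octets, limit is {max_total}"
    for label in name.split("."):
        if not label:
            return False, "empty label (leading or consecutive dots)"
        if len(label) > max_label:
            return False, f"label '{label}' is {len(label)} octets, limit is {max_label}"
        if not label_re.match(label):
            # This is where "8c84b763" fails under RFC 952 (starts with a digit)
            # and where "foo_bar" fails under both (underscore is not LDH).
            return False, f"label '{label}' is not a valid label"
    return True, "ok"


def valid_rfc952(hostname):
    """Hostname check using the stricter RFC 952 label grammar."""
    return _check(hostname, LABEL_RFC952)


def valid_rfc1123(hostname):
    """Hostname check using the RFC 1123 label grammar (leading digit allowed)."""
    return _check(hostname, LABEL_RFC1123)


if __name__ == "__main__":
    # Constructed sample names: the name from this thread plus a few edge cases.
    for name in ("8c84b763.aktega.host", "2600.com", "foo_bar.example.com",
                 "bad-.example.com", "www.example.com."):
        print(f"{name:25} RFC952={valid_rfc952(name)} RFC1123={valid_rfc1123(name)}")
```

Running the block shows the thread's name being rejected by the RFC 952 grammar and accepted by the RFC 1123 one, which is the behaviour the original poster later confirmed for the provider's validator. Underscores and trailing hyphens are rejected under both grammars.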

Well @Bruce5051, that was the original question being asked, if the RFC 952 rules were being used that forbid a beginning number, or if the RFC 1123 update to those rules allowing it. I'm pretty sure that Let's Encrypt allows for a beginning number, given that 2600.com and other all-numeric names use Let's Encrypt just fine.


Thanks @petercooperjr; all good information! :)
The thing about the RFC 1123 update I don't like is that it does not specify things like "-" usage, and that no underscore (i.e. _) is allowed.


From here https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf

Domain Label: From RFC 8499 (http://tools.ietf.org/html/rfc8499): "An ordered list of zero or more
octets that makes up a portion of a domain name. Using graph theory, a label identifies one node
in a portion of the graph of all possible domain names."

Domain Name: An ordered list of one or more Domain Labels assigned to a node in the Domain
Name System.

And RFC 8499 - DNS Terminology and RFC 2181 - Clarifications to the DNS Specification are referenced.

I have yet to find a precise answer to the OP's question, but I feel @petercooperjr's advice is sound.


Here is what I find using nslookup and authoritative name servers from the SOA of each domain.

$ nslookup -q=any 8c84b763.aktega.host ns1.aktega.io.
Server:         ns1.aktega.io.
Address:        87.239.110.119#53

8c84b763.aktega.host    canonical name = 8c84b763.hb.bizmrg.com.
$ nslookup -q=any 8c84b763.hb.bizmrg.com ns1.mail.ru.
Server:         ns1.mail.ru.
Address:        217.69.139.112#53

8c84b763.hb.bizmrg.com  canonical name = hb.bizmrg.com.
$ nslookup -q=any hb.bizmrg.com ns1.mail.ru.
Server:         ns1.mail.ru.
Address:        217.69.139.112#53

Name:   hb.bizmrg.com
Address: 95.163.53.117
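The nslookup output above shows a two-hop CNAME chain before an A record is reached. As an added example (not part of the thread, and not how Let's Encrypt's resolver is implemented), the block below follows such a chain over an in-memory record set copied from those answers, with loop detection and a hop limit, which is the minimum a validating resolver or ACME client needs when a customer name is aliased onto a provider name. `RECORDS`, `resolve_chain` and `ResolutionError` are names I chose; the record data is constructed from the query results shown.

```python
class ResolutionError(Exception):
    """Raised on a CNAME loop or a chain longer than the hop limit."""


def _fqdn(name):
    """Normalise to lower-case, trailing-dot form so lookups are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


# Constructed record set, transcribed from the nslookup answers above.
# Keys are owner names, values are lists of (rrtype, rdata).
RECORDS = {
    "8c84b763.aktega.host.": [("CNAME", "8c84b763.hb.bizmrg.com.")],
    "8c84b763.hb.bizmrg.com.": [("CNAME", "hb.bizmrg.com.")],
    "hb.bizmrg.com.": [("A", "95.163.53.117")],
}


def resolve_chain(name, rtype, records, max_hops=8):
    """Follow CNAMEs from `name` until a record of type `rtype` is found.

    Returns (chain, answers): `chain` is the list of (alias, target) hops
    taken, `answers` the rdata of type `rtype` at the end of the chain.
    An empty `answers` means the final name has no such record (the AAAA
    and TXT cases above). A loop or an over-long chain raises, rather than
    looping forever, which is the failure mode a validator must guard against.
    """
    chain, seen = [], set()
    cur = _fqdn(name)
    while True:
        if cur in seen:
            raise ResolutionError(f"CNAME loop detected at {cur}")
        seen.add(cur)
        rrs = records.get(cur, [])
        answers = [rdata for t, rdata in rrs if t == rtype]
        if answers:
            return chain, answers
        cnames = [rdata for t, rdata in rrs if t == "CNAME"]
        if not cnames:
            return chain, []           # NODATA / NXDOMAIN at this name
        if len(chain) >= max_hops:
            raise ResolutionError(f"CNAME chain longer than {max_hops} hops")
        target = _fqdn(cnames[0])      # a name may own at most one CNAME
        chain.append((cur, target))
        cur = target


if __name__ == "__main__":
    for qtype in ("A", "AAAA"):
        chain, answers = resolve_chain("8c84b763.aktega.host", qtype, RECORDS)
        print(qtype, "via", [t for _, t in chain], "->", answers)
    chain, answers = resolve_chain("_acme-challenge.8c84b763.aktega.host", "TXT", RECORDS)
    print("TXT ->", answers)
```

The A query walks both aliases to reach 95.163.53.117, the AAAA query walks the same aliases and ends with no answer, and the `_acme-challenge` TXT query ends immediately with nothing, matching the three unboundtest results further down the thread.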

Using the HTTP-01 challenge of the Challenge Types - Let's Encrypt with the online tool Let's Debug yields these results https://letsdebug.net/8c84b763.aktega.host/1479480

All OK!
OK

No issues were found with 8c84b763.aktega.host. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

And if you are using the DNS-01 challenge of the Challenge Types - Let's Encrypt with the online tool Let's Debug yields these results https://letsdebug.net/8c84b763.aktega.host/1479484

All OK!
OK

No issues were found with 8c84b763.aktega.host. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Using the online tool https://unboundtest.com/
for CAA Record https://unboundtest.com/m/CAA/8c84b763.aktega.host/JZYVVHYE

Query results for CAA 8c84b763.aktega.host

Response:
;; opcode: QUERY, status: NOERROR, id: 38621
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;8c84b763.aktega.host.	IN	 CAA

;; ANSWER SECTION:
8c84b763.aktega.host.	0	IN	CNAME	8c84b763.hb.bizmrg.com.
8c84b763.hb.bizmrg.com.	0	IN	CNAME	hb.bizmrg.com.

;; AUTHORITY SECTION:
bizmrg.com.	0	IN	SOA	ns1.mail.ru. hostmaster.mail.ru. 3473028284 300 900 1209600 300

----- Unbound logs -----
May 13 23:46:37 unbound[302563:0] notice: init module 0: validator
May 13 23:46:37 unbound[302563:0] notice: init module 1: iterator
May 13 23:46:37 unbound[302563:0] info: start of service (unbound 1.16.3).

for A Record https://unboundtest.com/m/A/8c84b763.aktega.host/24UC2J4Q

Query results for A 8c84b763.aktega.host

Response:
;; opcode: QUERY, status: NOERROR, id: 55291
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;8c84b763.aktega.host.	IN	 A

;; ANSWER SECTION:
8c84b763.aktega.host.	0	IN	CNAME	8c84b763.hb.bizmrg.com.
8c84b763.hb.bizmrg.com.	0	IN	CNAME	hb.bizmrg.com.
hb.bizmrg.com.	0	IN	A	95.163.53.117

----- Unbound logs -----
May 13 23:47:23 unbound[302564:0] notice: init module 0: validator
May 13 23:47:23 unbound[302564:0] notice: init module 1: iterator
May 13 23:47:23 unbound[302564:0] info: start of service (unbound 1.16.3).

for AAAA Record https://unboundtest.com/m/AAAA/8c84b763.aktega.host/POBWWOM5

Query results for AAAA 8c84b763.aktega.host

Response:
;; opcode: QUERY, status: NOERROR, id: 50655
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;8c84b763.aktega.host.	IN	 AAAA

;; ANSWER SECTION:
8c84b763.aktega.host.	0	IN	CNAME	8c84b763.hb.bizmrg.com.
8c84b763.hb.bizmrg.com.	0	IN	CNAME	hb.bizmrg.com.

;; AUTHORITY SECTION:
bizmrg.com.	0	IN	SOA	ns1.mail.ru. hostmaster.mail.ru. 3473028284 300 900 1209600 300

----- Unbound logs -----
May 13 23:48:05 unbound[302566:0] notice: init module 0: validator
May 13 23:48:05 unbound[302566:0] notice: init module 1: iterator
May 13 23:48:06 unbound[302566:0] info: start of service (unbound 1.16.3).

for TXT Record https://unboundtest.com/m/TXT/_acme-challenge.8c84b763.aktega.host/WP7CHNJC

Query results for TXT _acme-challenge.8c84b763.aktega.host

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 49699
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.8c84b763.aktega.host.	IN	 TXT

;; AUTHORITY SECTION:
aktega.host.	0	IN	SOA	ns1.aktega.io. aktega.io. 29 10800 3600 604800 3600

----- Unbound logs -----
May 13 23:48:54 unbound[302569:0] notice: init module 0: validator
May 13 23:48:54 unbound[302569:0] notice: init module 1: iterator
May 13 23:48:54 unbound[302569:0] info: start of service (unbound 1.16.3).

And using this online tool SSL Checker yields these results https://decoder.link/sslchecker/8c84b763.aktega.host/443

Common Name: 	*.bizmrg.com
SANs: 	
                DNS:*.bizmrg.com
                DNS:*.hb.bizmrg.com
                DNS:*.ib.bizmrg.com
                DNS:bizmrg.com 
                Total number of SANs: 4

You do not have the domain name 8c84b763.aktega.host in the SANs for the certificate presently being served.

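The SSL Checker result above is a name-mismatch: the served certificate covers the provider's names, not the customer's. As an added example (not code from the thread, from decoder.link or from any TLS library), the block below applies the RFC 6125 DNS-ID matching rules that browsers and TLS clients use (case-insensitive comparison, a wildcard only as the whole leftmost label, matching exactly one label) to the four SANs listed in that output, which are embedded here as constructed input. `SERVED_SANS`, `san_matches` and `covering_sans` are names I chose.

```python
# SANs transcribed from the SSL Checker output above (constructed input).
SERVED_SANS = [
    "DNS:*.bizmrg.com",
    "DNS:*.hb.bizmrg.com",
    "DNS:*.ib.bizmrg.com",
    "DNS:bizmrg.com",
]


def san_matches(pattern, hostname):
    """Return True if a DNS-ID `pattern` from a certificate covers `hostname`.

    Rules follow RFC 6125 section 6.4.3 as applied by common TLS clients:
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard is accepted only as the entire leftmost label ("*.example.com",
        not "f*.example.com" and not "*.*.example.com");
      - the wildcard matches exactly one label, so "*.bizmrg.com" does not
        cover "8c84b763.hb.bizmrg.com";
      - a wildcard needs at least two labels after it ("*.com" is refused).
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_sans(hostname, sans):
    """Return the DNS: SAN entries that cover `hostname` (empty means mismatch)."""
    return [s for s in sans
            if s.startswith("DNS:") and san_matches(s[len("DNS:"):], hostname)]


if __name__ == "__main__":
    # Names taken from the CNAME chain shown earlier in the thread.
    for name in ("8c84b763.aktega.host", "8c84b763.hb.bizmrg.com",
                 "hb.bizmrg.com", "bizmrg.com"):
        print(f"{name:25} covered by {covering_sans(name, SERVED_SANS)}")
```

Only the names on the provider's side of the CNAME chain are covered; the customer name 8c84b763.aktega.host matches nothing, which is exactly the mismatch the checker reported and why a certificate containing that name has to be issued before HTTPS on it can succeed.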

Yes, you are right. This error is from my provider. It validates domain against RFC 952.
Thank you for the link and for the whole answer.

Thanks to everyone who tried to help.

