Certbot with åäö domain?

jojo123 · August 14, 2021, 7:38pm

How do i use certbot on a domain that has åäö characters?

running the certbot gives me:

Non-ASCII domain names not supported.... .... use punycode

but when using punycode with certbot I get:

an unexpected error occured. domain name contains an invalid label in a reserved format (R-LDH: '??--')

How do I solve this?

Osiris · August 14, 2021, 7:39pm

Probably by using proper punycode? Could you please provide the exact domain name you're trying to get a certificate for and the exact command line you're using with the punycode?

jojo123 · August 14, 2021, 7:44pm

bmiräknaren.se

sudo certbot --apache -d xn--bmirknaren-t5a.se

Osiris · August 14, 2021, 7:47pm

I'm not getting any punycode error when I run a certbot command using that domain name. Could you please share the entire certbot output when you run that exact command?

jojo123 · August 14, 2021, 7:50pm

Obtaining a new certificate

An unexpected error occurred:
Error creating new order :: Cannot issue for "nx??--bmirknaren-t5a.se": Domain name contains an invalid character

/var/log/letsencrypt is empty

rg305 · August 14, 2021, 7:54pm

How about wrapped with single quotes?:
sudo certbot --apache -d 'xn--bmirknaren-t5a.se'

And which version of certbot are you using?

jojo123 · August 14, 2021, 7:56pm

Error creating new order :: cannot issue for "nx--bmirknaren-t5a.se: domain name contains an ivalid label in a reserved format (R-LDH: '??--')

jojo123 · August 14, 2021, 7:59pm

single quotes gave me

an unexpected error occured. domain name contains an invalid label in a reserved format (R-LDH: '??--')

but WHOA. typing certbox -v straight after made it go into the setup? it wotks now

rg305 · August 14, 2021, 8:00pm

hmm...
Did you get a renewed cert?

Please show outputs of:
certbot certificates
certbot --version

That is like just typing certbot
[but with added logging]

rg305 · August 14, 2021, 8:06pm

Please switch to staging environment for testing.
There have already been several certs issued for that domain today:
crt.sh | xn--bmirknaren-t5a.se

jojo123 · August 14, 2021, 8:06pm

I cant scroll up in my VPS terminal (or copy from it) but writing cert -v gets me into the certbot cert setup again

found the following certs:
Certificate Name: mydomain.se
....
....
....
Certificate name: xn--bmirknaren-t5a.se
Domains: xn--bmirknaren-t5a.se
Expiry Date: 2021-11-12 18:57:30+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xn--bmirknaren-t5a.se/fiullchain.pem
Certificate Path: /etc/letsencrypt/live/xn--bmirknaren-t5a.se/privkey.pem

rg305 · August 14, 2021, 8:07pm

NOT certbot -v

jojo123 · August 14, 2021, 8:08pm

oh sorry
0.31.0

rg305 · August 14, 2021, 8:08pm

OK, so you have a cert.
You can stop trying to get another one.
Now you just need to use it

jojo123 · August 14, 2021, 8:09pm

I just found it a bit weird, didnt work as it always does for me

thanks for the help guys

rg305 · August 14, 2021, 8:12pm

Not sure how you got it, nor why that error was shown.
But I think certbot should be able to renew it when the time comes.
If not, you know where to find us! LOL
Cheers from Miami

#FreeCuba

Osiris · August 14, 2021, 8:13pm

I know you already got your certificate working, but this error doesn't make any sense: why would the start of the punycode domain name suddenly become "nx" instead of the corret "xn..."? Did you actually use the correct punycode, i.e.: ASCII? To me it sounds like you got some extra non-ASCII characters somewhere in that command you've tried earlier..

rg305 · August 14, 2021, 8:14pm

How about this test?:
sudo certbot --apache -d 'xn\-\-bmirknaren-t5a.se' --dry-run

Osiris · August 14, 2021, 8:19pm

@rg305 Just run something like certbot certonly --staging --webroot -w /tmp/ -d xn--bmirknaren-t5a.se on your own computer: works just fine except for the obvious authentication error. No need for quotes or escaping the dashes, why would there be? Punycode is just plain ASCII.. If done right, that's the whole idea behind punycode. Maybe Unicode or something else than ASCII gave errors previously, but if you're just using ASCII for the punycode, like one should, it's no issue what so ever.

rg305 · August 14, 2021, 8:25pm

I too ran a similar test on certbot version 0.31.0 without seeing this error message.
This might be more of a copy/paste issue than what meets the
What you see isn't always what is being pasted.

sudo certbot certonly --webroot -w /var/tmp -d 'xn--bmirknaren-t5a.se' --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xn--bmirknaren-t5a.se
Using the webroot path /var/tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xn--bmirknaren-t5a.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://xn--bmirknaren-t5a.se/.well-known/acme-challenge/ced-sICdDVJVad4DXs5PMXdmickPyaBJLD4rJAPj4v4 [95.217.15.208]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xn--bmirknaren-t5a.se
   Type:   unauthorized
   Detail: Invalid response from
   https://xn--bmirknaren-t5a.se/.well-known/acme-challenge/ced-sICdDVJVad4DXs5PMXdmickPyaBJLD4rJAPj4v4
   [95.217.15.208]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

certbot --version
certbot 0.31.0