Question: The domain prefix “.xn--fiqs8s” (the Punycode form of .中国) is already included in the PSL, so why “Name does not end in a public suffix”?
[Sat Oct 22 02:49:03 EDT 2016] Getting new-authz for domain='wangqiliang.xn--fiqs8s'
[Sat Oct 22 02:49:03 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:03 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.xn--fiqs8s"}}'
[Sat Oct 22 02:49:03 EDT 2016] RSA key
[Sat Oct 22 02:49:04 EDT 2016] GET
[Sat Oct 22 02:49:04 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:49:04 EDT 2016] timeout
[Sat Oct 22 02:49:04 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] ret='0'
[Sat Oct 22 02:49:05 EDT 2016] POST
[Sat Oct 22 02:49:05 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:05 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] _ret='0'
[Sat Oct 22 02:49:05 EDT 2016] code='400'
[Sat Oct 22 02:49:05 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Name does not end in a public suffix","status": 400}
And if I change “.xn--fiqs8s” to “.中国”, it reports an “Invalid Characters” error.
[Sat Oct 22 02:54:09 EDT 2016] Getting new-authz for domain='wangqiliang.中国'
[Sat Oct 22 02:54:09 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:09 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.中国"}}'
[Sat Oct 22 02:54:09 EDT 2016] RSA key
[Sat Oct 22 02:54:10 EDT 2016] GET
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:54:10 EDT 2016] timeout
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:10 EDT 2016] ret='0'
[Sat Oct 22 02:54:10 EDT 2016] POST
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:11 EDT 2016] _ret='0'
[Sat Oct 22 02:54:11 EDT 2016] code='400'
[Sat Oct 22 02:54:11 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Invalid character in DNS name","status": 400}
TheD
October 22, 2016, 12:16pm
3
I have the same problem with a .xn--e1a4c domain (punycode for .ею).
This seems to be a general IDN TLD issue.
pfg
October 22, 2016, 12:54pm
4
I believe this is a bug caused by the code responsible for checking that a domain ends in a public suffix expecting the domain to be encoded in unicode, while it’s currently being provided as punycode.
I’ve filed an issue here as well as a potential fix, but it’ll probably take at least until Thursday or Friday for this to be deployed (assuming the fix is adequate and will be reviewed and merged in time). (This is a guesstimate based on the typical release schedule, nothing more.)
4 Likes
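The mismatch pfg describes above, as an added example (not part of the original thread and not Boulder's code): a suffix lookup keyed on Unicode labels rejects a punycode name until both sides are normalised to the same form. The three-entry suffix list and all function names are constructed for illustration, and only single-label suffixes are handled.

```python
# Constructed miniature suffix list, stored in Unicode form (U-labels).
# It stands in for the real Public Suffix List; only three entries.
SUFFIXES_UNICODE = {"com", "中国", "ею"}


def to_alabel(name: str) -> str:
    """Return the lowercase ASCII (punycode) form of a DNS name.

    Uses Python's built-in "idna" codec (IDNA 2003). Names that are
    already ASCII pass through unchanged apart from lowercasing.
    """
    return name.rstrip(".").lower().encode("idna").decode("ascii")


def naive_ends_in_suffix(name: str) -> bool:
    """Buggy check: compares the raw last label against Unicode entries."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1] in SUFFIXES_UNICODE


# Normalise the list once so both sides of the comparison are A-labels.
SUFFIXES_ASCII = {to_alabel(s) for s in SUFFIXES_UNICODE}


def normalized_ends_in_suffix(name: str) -> bool:
    """Fixed check: convert the name to A-label form before the lookup."""
    try:
        ascii_name = to_alabel(name)
    except UnicodeError:
        return False  # not encodable as a DNS name (empty or over-long label)
    return ascii_name.rsplit(".", 1)[-1] in SUFFIXES_ASCII


if __name__ == "__main__":
    for candidate in ("wangqiliang.xn--fiqs8s", "wangqiliang.中国",
                      "example.xn--e1a4c", "example.com", "example.invalid"):
        print(f"{candidate!r:28} naive={naive_ends_in_suffix(candidate)!s:5} "
              f"normalized={normalized_ends_in_suffix(candidate)}")
```

The naive check accepts the Unicode spelling and rejects the punycode one, which is the reverse of what a server that only accepts ASCII names on the wire needs.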
jsha
November 2, 2016, 12:10am
5
Update on this: We have a plan to fix this in Boulder, and are getting some help from the maintainer of an upstream component. It will take a few weeks to fix. Thanks for reporting!
1 Like
system
Closed
December 2, 2016, 12:10am
6
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
schoen
December 8, 2016, 11:12pm
7
Sorry for commenting in a closed thread, but I just wanted to point out that this fix was deployed successfully today and people are now able to get certificates for these IDNs. Thanks to everyone who made that happen!
1 Like