Chinese IDN Issurance Requests Malformed?

Issuance Tech
1

Question: The domain Prefix “.xn–fiqs8s” (The Punycode Form of .中国) is already included in the PSL, Why “Name does not end in a public suffix” ?

[Sat Oct 22 02:49:03 EDT 2016] Getting new-authz for domain='wangqiliang.xn--fiqs8s'
[Sat Oct 22 02:49:03 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:03 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.xn--fiqs8s"}}'
[Sat Oct 22 02:49:03 EDT 2016] RSA key
[Sat Oct 22 02:49:04 EDT 2016] GET
[Sat Oct 22 02:49:04 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:49:04 EDT 2016] timeout
[Sat Oct 22 02:49:04 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] ret='0'
[Sat Oct 22 02:49:05 EDT 2016] POST
[Sat Oct 22 02:49:05 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:05 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] _ret='0'
[Sat Oct 22 02:49:05 EDT 2016] code='400'
[Sat Oct 22 02:49:05 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Name does not end in a public suffix","status": 400}
2

and, If I change “.xn–fiqs8s” to “.中国”, it reports a “Invaild Chracters” error.

[Sat Oct 22 02:54:09 EDT 2016] Getting new-authz for domain='wangqiliang.中国'
[Sat Oct 22 02:54:09 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:09 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.中国"}}'
[Sat Oct 22 02:54:09 EDT 2016] RSA key
[Sat Oct 22 02:54:10 EDT 2016] GET
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:54:10 EDT 2016] timeout
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:10 EDT 2016] ret='0'
[Sat Oct 22 02:54:10 EDT 2016] POST
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:11 EDT 2016] _ret='0'
[Sat Oct 22 02:54:11 EDT 2016] code='400'
[Sat Oct 22 02:54:11 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Invalid character in DNS name","status": 400}
3

I have the same problem with a .xn–e1a4c domain (punycode for .ею).
This seems to be a general IDN TLD issue.

4

I believe this is a bug caused by the code responsible for checking that a domain ends in a public suffix expecting the domain to be encoded in unicode, while it’s currently being provided as punycode.

I’ve filed an issue here as well as a potential fix, but it’ll probably take at least until Thursday or Friday for this to be deployed (assuming the fix is adequate and will be reviewed and merged in time). (This is a guesstimate based on the typical release schedule, nothing more. :wink:)

5

Update on this: We have a plan to fix this in Boulder, and are getting some help from the maintainer of an upstream component. It will take a few weeks to fix. Thanks for reporting!

7

Sorry for commenting in a closed thread, but I just wanted to point out that this fix was deployed successfully today and people are now able to get certificates for these IDNs. Thanks to everyone who made that happen!