DNS identifier has too many labels

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are: locations.client.com.qa.example.com, assets.locations.client.com.qa.example.com, maps.locations.client.com.qa.example.com, rstatic.locations.client.com.qa.example.com

I ran this command:
acme.sh --issue --apache -d locations.client.com.qa.example.com -d assets.locations.client.com.qa.example.com -d rstatic.locations.client.com.qa.example.com -d maps.locations.client.com.qa.example.com

It produced this output:
Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier has too many labels [assets.locations.client.com.qa.example.com]"}

Hello @gassmann88, welcome to the Let's Encrypt community.

You may find acme.sh support here: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
And the wiki: Home · acmesh-official/acme.sh Wiki · GitHub

1 Like

Boulder's maxlabel limit is 10 (hardcoded in pa.go), so if you used exactly that format (it has 7 labels) on Let's Encrypt it would have succeeded.

1 Like

I'm using Zero SSL and it has been working up until Friday morning. When using Let's Encrypt, I seem to be running into an issue with the CA certificate bundle on the server since I'm getting the following error when running:

--server letsencrypt

Please refer to libcurl - Error Codes for error code: 60
== Info: SSL certificate problem: unable to get local issuer certificate
== Info: Closing connection 0

What is your server OS?

3 Likes

I think this means your local list of CA root certificates is outdated and doesn't include ISRG Root X1.

5 Likes

Yup. I saw it today over in the Cloudflare Community, too. Here is the link I offered there.

5 Likes

I am using Zero SSL.

You might want to check the ZeroSSL forums and their own support.

1 Like

OrangePizza asked what operating system you were using when trying Let's Encrypt.

It likely doesn't have the needed root cert to talk with LE.

If you want to keep using Zero SSL, yeah, this isn't the best forum to ask about that.

5 Likes

ZeroSSL recently implemented a change to stop spammers, and one of those is to limit their free endpoint to a certain number of domain labels. It was accounting for a significant portion of abuse on their free endpoint.

6 Likes
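A pre-flight check for the label limits discussed in the replies above (the Boulder limit of 10 quoted from pa.go, and the unstated ZeroSSL limit), so a too-deep name is caught before the order is sent. This is an added example, not part of the thread or of acme.sh; `check_identifier` is a hypothetical helper, the 63 and 253 character bounds are the standard DNS ones, and the limit of 6 in the last line is an illustrative value only.

```shell
#!/bin/sh
# Added example: validate DNS identifiers before asking a CA for a certificate.
# MAX_LABELS defaults to 10, the Boulder value quoted in the thread. The limit
# on ZeroSSL's free endpoint is not given there, so pass it as an argument.

# check_identifier NAME [MAX_LABELS]
# Prints a verdict; exit status 0 = acceptable, 1 = would be rejected.
# The body runs in a subshell, so IFS and "set -f" do not leak to the caller.
check_identifier() (
    name=${1%.}                 # ignore a single trailing root dot
    max_labels=${2:-10}

    # Empty labels: empty name, leading dot, doubled dot, leftover trailing dot.
    case $name in
        ''|.*|*..*|*.) echo "$1: empty label"; exit 1 ;;
    esac
    # DNS limit: whole name at most 253 characters in dotted form.
    if [ "${#name}" -gt 253 ]; then
        echo "$name: name longer than 253 characters"; exit 1
    fi

    set -f; IFS=.               # split on dots, with globbing disabled
    set -- $name
    count=$#
    for label in "$@"; do
        # DNS limit: each label at most 63 characters.
        if [ "${#label}" -gt 63 ]; then
            echo "$name: label longer than 63 characters"; exit 1
        fi
    done
    if [ "$count" -gt "$max_labels" ]; then
        echo "$name: $count labels, limit $max_labels"; exit 1
    fi
    echo "$name: ok ($count labels)"
)

# Names from the original post, checked against the quoted Boulder limit.
for d in locations.client.com.qa.example.com \
         assets.locations.client.com.qa.example.com \
         maps.locations.client.com.qa.example.com \
         rstatic.locations.client.com.qa.example.com; do
    check_identifier "$d" 10 || echo "  -> drop or shorten this name"
done

# Same name against an illustrative stricter limit (6 is a made-up value).
check_identifier assets.locations.client.com.qa.example.com 6 || true
```
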