Domain name contains an invalid character

Hi all,

I am getting the error message "Domain name contains an invalid character" upon certificate renewal. I don't think there's an invalid character in the domain name - especially because this used to work for months without any change. But suddenly, it stopped working properly. I have no idea how to investigate this. Can someone help?

Kind regards,

Jan

My domain is: Kilian-schilder.firewall-gateway.de

I ran this command: unknown, as the command was issued through the software "David" by Tobit Software

It produced this output:

Error: Error order certificate
StatusCode: 500
Description: Failed to create challenge
Reason: Invalid identifiers requested :: Cannot issue for Kilian-schilder.firewall-gateway.de: Domain name contains an invalid character

My web server is (include version): David

The operating system my web server runs on is (include version): Windows Server 2019 (v1809)

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): David

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): -

1 Like

Are you sure this is using Let's Encrypt as the CA? My guess would be there's a hidden space in the domain identifier being submitted.

2 Likes

Hm, at least I configured it to use Let's Encrypt. The thing that baffles me is that it used to work for several months now. And I haven't touched the configuration at all.

1 Like

There is a relevant-looking recent change in Boulder (the CA software used by LE): "wfe: check well-formedness of requested names early by jsha · Pull Request #7530 · letsencrypt/boulder · GitHub", but I don't know if that's been released or if it has anything that would cause this.

8 Likes

That's an excellent observation!

I looked into the topic of well-formed domain names. While the regulation has no strict rule for the case sensitivity, I noticed that the first "K" in the domain is written in uppercase in the error message. I have now changed that to a lowercase "k" and it instantly worked.

Thank you so much for your effort!

4 Likes

Great! The casing shouldn't matter but if it's working now then it's all good. I actually don't know what Let's Encrypt would do if you submitted an order for a non-lowercase domain identifier, I'd have assumed it would trim and lowercase any input.

4 Likes

Maybe it was a Cyrillic K?

3 Likes

Possible, but I doubt it as I have entered it manually (German keyboard).

1 Like

Hi, just FYI, I think something significant did change somewhere around June 13. I have two customers that suddenly started seeing these invalid character errors. Both of them had their hostname set with uppercase letters, so their domain would look something like this: AAAA.example.com

I had them change their hostname to lowercase and the cert renewal worked.

5 Likes

@jsha: Tagging you on this since it looks like your pull request to Boulder. :slight_smile:

It looks like clients need to make sure to submit their hostnames in all-lowercase now, which may be as intended but might be worth an API Announcement if the behavior change is intentional.

7 Likes

Thanks for bringing this to our attention; we'll investigate and if we confirm the bug it should be fixed by this time next week.

10 Likes

We have identified a bug that is preventing issuance of requests with uppercase letters, as we missed down-casing them in a new code path. We are preparing a hotfix. In the meantime, the best workaround is to use lowercase letters in requests.

14 Likes
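The three causes raised in this thread (a hidden space, uppercase letters, a look-alike Cyrillic letter) can be told apart on the client before the name goes into an order. The sketch below is an added example, not code from Boulder, David or any poster; `diagnose_identifier` is a hypothetical helper, it applies plain DNS hostname syntax rules rather than Let's Encrypt's full policy, and it does not handle wildcard names.

```python
import unicodedata

LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # lowercase letters, digits, hyphen

def diagnose_identifier(raw):
    """Check a DNS name before it goes into an ACME order (hypothetical helper).

    Returns (normalized, findings). normalized is None when trimming and
    lowercasing cannot make the name valid.
    """
    findings = []
    name = raw.strip()
    if name != raw:
        findings.append("surrounding whitespace removed")

    # Look-alike letters and invisible characters are all outside ASCII.
    bad = [(i, ch) for i, ch in enumerate(name) if ord(ch) > 127]
    for i, ch in bad:
        findings.append("non-ASCII at index %d: U+%04X %s"
                        % (i, ord(ch), unicodedata.name(ch, "UNNAMED")))
    if bad:
        return None, findings

    lowered = name.lower()
    if lowered != name:
        findings.append("uppercase letters lowercased")
    if not lowered or len(lowered) > 253:
        findings.append("name must be 1 to 253 characters")
        return None, findings
    for label in lowered.split("."):
        if not 1 <= len(label) <= 63:
            findings.append("label %r must be 1 to 63 characters" % label)
        elif set(label) - LDH:
            findings.append("label %r has characters outside a-z, 0-9, '-'" % label)
        elif label[0] == "-" or label[-1] == "-":
            findings.append("label %r starts or ends with a hyphen" % label)
        else:
            continue
        return None, findings
    return lowered, findings

if __name__ == "__main__":
    # First sample is the name from the thread; the others are constructed variants.
    for sample in ["Kilian-schilder.firewall-gateway.de",
                   "kilian-schilder.firewall-gateway.de ",
                   "\u041ailian-schilder.firewall-gateway.de"]:
        print(repr(sample), "->", diagnose_identifier(sample))
```

A `None` result means the configured hostname itself has to be corrected; a non-empty findings list with a normalized name means the request would have been fine once trimmed and lowercased.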

Here's the incoming change that will be in the hotfix deploy, pending review and passing tests.

9 Likes

Thank you so much for the quick response.

5 Likes

To follow along, see Let's Encrypt Status

9 Likes

A fix has been deployed

10 Likes
