Domain name contains invalid character

It produced this output:


** '_.mydm.li' **
Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rejectedIdentifier
Status: 400
Detail: Error creating new order :: Cannot issue for "_.mydm.li": Domain name contains an invalid characters

The operating system my web server runs on is (include version):
CentOS 7.9.2009

My hosting provider, if applicable, is:
DomainFactory (server belongs to GoDaddy as far as I know)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian v18.0.44_build1800220614.18 os_CentOS 7

Hey,

in november 2021, I decided to switch from a shared webhosting server to a virtual server. I’ve configured the whole system using Plesk Obsidian, everything worked except adding specific let‘s encrypt certificates.

Plesk allowes me to add wildcard-domains like „*.mydm.li“ which acting like a catch-all-domain.
Unfortunately, I couldn‘t create a certificate for this domain. It‘s only a problem for me because Plesk sends me an email every day which is annoying and couldn‘t be disabled for some reason:


Could not secure domains of admin (login admin) with Let`s Encrypt certificates. Please log in to Plesk and secure the domains listed below manually.
Securing of the following domains has failed:

** '_.mydm.li' **
Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rejectedIdentifier
Status: 400
Detail: Error creating new order :: Cannot issue for "_.mydm.li": Domain name contains an invalid character


The following domains have been secured without some of their Subject Alternative Names:

<none>

Could not renew Let`s Encrypt certificates for admin (login admin). Please log in to Plesk and renew the certificates listed below manually.
Renewal of the following Let`s Encrypt certificates has failed:

<none>

The following Let`s Encrypt certificates have been renewed without some of their Subject Alternative Names:

<none>


Legend:
[+] This domain is secure. The domain's SSL/TLS certificate from Let`s Encrypt has been issued/renewed.
[-] This domain is not secure. Either the domain's SSL/TLS certificate from Let`s Encrypt could not be issued/renewed or the domain name was excluded from the certificate. Renew the certificate manually or request a new one to secure this domain.

I also don‘t know why it says „_.mydm.li“ instead of a *.

I tried to contact my hoster but they rejected any help because the server is managed by myself only. Instead, they recommended to ask on this forums. I‘m also not really good in using terminal commands.

I really appreciate your help,
Thank you!

1 Like

Hi @Pinnokkio, and welcome to the LE community forum :slight_smile:

It seems that Plesk has found a site named "_.mydm.li" and is trying to obtain a cert for it.
I'd search through to find that site and give it a proper name.

11 Likes

Thanks.

What do you exactly mean by giving a proper name?

"mydm.li" is just a placeholder, I have source domains with the same problem.

2 Likes

The error isn't for the name mydm.li it is for that with a leading underscore. That is not a valid domain name. So, as rg305 suggested, you should look for why Plesk tries that name and remove it. You cannot get a cert for an invalid domain name.

If you cannot find why Plesk does that you should contact Plesk forum or your hosting service.

11 Likes

Specifically, underscores are not valid characters in a domain name. Domain Names (including subdomains) may only contain (i) letters a-z, (2) numbers 0-9, (3) hyphens (which may not be used consecutively or be the first or last character).

10 Likes

Not sure if you're distinguishing a "domain name" from any old DNS FQDN here, but millions of Active Directory domains with SRV records such as _ldap._tcp.example.com would like to disagree with you...not to mention _acme-challenge.example.com.

I even just created a _.example.com zone in my lab environment on Infoblox with a _acme-challenge._.example.com TXT record within it. No issues.

11 Likes

Excellent point @rmbolger .

Here is an (old) post that addresses the restrictions for Let's Encrypt. These restrictions are for names in certs as dictated by the Baseline Requirements

10 Likes

Please see the above link to Wikipedia on Domain name, the syntax and size of each component of a FQDN is described.

2 Likes

Also from here: RFC 1034 - Domain names - concepts and facilities and RFC 1035 - Domain names - implementation and specification

There is no underscore (i.e _ ).

<domain> ::= <subdomain> | " "

<subdomain> ::= <label> | <subdomain> "." <label>

<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]

<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>

<let-dig-hyp> ::= <let-dig> | "-"

<let-dig> ::= <letter> | <digit>

<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case

<digit> ::= any one of the ten digits 0 through 9
3 Likes

I should have said "Host Name" to be more clear. You can stuff a leading underscore - and pretty much anything else - into general DNS records as of RFC 2181. (I do not believe they are allowed in A records, but TXT and CNAME are supported). A Domain Name record that is used to map a host/internet address, however, must comply with the requirements above (via RFC 1035). The leading underscore syntax was developed to differentiate control/information records and service pointers in DNS from actual host names.

Once upon a time, it was valid to issue certificates and run services on domains with leading underscores. The CA/B forum barred issuance of certificates for those domains a while back, and most servers/browsers will now generate errors if you try to run a service on a host name with a leading underscore.

9 Likes

I also didn't realize the distinction between "works in general for DNS resolution" and "allowed for use in a certificate". Good to be reminded of these esoteric things on occasion.

10 Likes

Yeah, this is the sneaky one people have to watch out for.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.