Error reserved format (R-LDH: '?--') creating certificate for www.o----o.de

My domain is: o----o.de

I ran this command:
certbot certonly -c certonly.ini -d www.o----o.de -d o----o.de

The certonly.ini contains

manual
preferred-challenges http
manual-auth-hook /path/to/authenticator.sh
manual-cleanup-hook /path/to/cleanup.sh
manual-public-ip-logging-ok

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "o----o.de": Domain name contains an invalid label in a reserved format (R-LDH: '??--') (and 1 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

@lestaff Any idea why this domain name is being refused? As far as I can tell from RFC 5891, the hyphen restriction is only applicable to unicode strings being converted to IDNA labels? And not for non-IDNA domains?

4 Likes

The IDNA RFC reserves all hostnames containing:

So this is a reserved-LDH name, even though it is not a valid Internationalized Domain Name. Because of the Baseline Requirements that apply to all publicly trusted CAs, we are not allowed to issue for this domain name even though it is registered in the DNS.

Specifically: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf

9 Likes
4 Likes
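A pre-flight check for this rule, added here as an illustration and not code from the thread or from Certbot: before submitting an order, classify each label the way the staff answer describes. A label with hyphens in its 3rd and 4th positions is only acceptable when it is a real A-label (an `xn--` prefix that decodes as Punycode); any other such label is reserved LDH and a publicly trusted CA will refuse it. The function names and the `(label, problem)` output format are my own choices.

```python
import re

# RFC 1123 / RFC 5890 LDH label: letters, digits and hyphens, no leading or
# trailing hyphen.  Length is checked separately.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def classify_label(label):
    """Classify one hostname label as 'NR-LDH', 'A-label', 'R-LDH-reserved' or 'invalid'."""
    if not (1 <= len(label) <= 63) or not LDH_LABEL.match(label):
        return "invalid"
    if label[2:4] != "--":
        # No hyphens in positions 3 and 4: an ordinary (non-reserved) LDH label.
        return "NR-LDH"
    if label[:4].lower() == "xn--":
        # Candidate A-label: it must decode as Punycode and round-trip through
        # the IDNA codec; anything else is not a usable internationalized label.
        try:
            label.encode("ascii").decode("idna")
        except ValueError:  # UnicodeError is a subclass of ValueError
            return "invalid"
        return "A-label"
    # Hyphens at positions 3-4 without the xn-- prefix: reserved by RFC 5891,
    # and the CA/B Forum Baseline Requirements forbid issuing for it.
    return "R-LDH-reserved"


def check_hostname(hostname):
    """Return a list of (label, problem) pairs for labels a public CA will refuse."""
    problems = []
    for label in hostname.rstrip(".").split("."):
        kind = classify_label(label)
        if kind in ("R-LDH-reserved", "invalid"):
            problems.append((label, kind))
    return problems


if __name__ == "__main__":
    # Constructed sample names, including the one from the thread.
    for name in ("www.o----o.de", "xn--mnchen-3ya.example", "example.com"):
        print(name, "->", check_hostname(name) or "ok")
```

Running the check on `www.o----o.de` reports the `o----o` label as `R-LDH-reserved`, which is the same condition the ACME server rejected; running it before `certbot` avoids a failed order and a noisy entry in the Let's Encrypt log.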

Hm, so the BR is very strict, even if the RFCs allow it. Good to know, not so good for @ToP unfortunately.

5 Likes

Yeah, Let's Encrypt even specifically had an Official Incident in the past where they failed to block issuance where characters 2, 3, and 4 were all hyphens:

6 Likes

Uch, I don't seem to be able to find any actual arguments for those changes.. SC48 - Domain Name and IP Address Encoding (#285) by castillar · Pull Request #302 · cabforum/servercert · GitHub is just the effective change in code and SC48 - Domain Name and IP Address Encoding by CBonnell · Pull Request #285 · cabforum/servercert · GitHub doesn't contain any relevant discussion either.

Sometimes the CA/B Forum's only reason for existence is to make life for everybody more difficult for the sake of making it difficult..

5 Likes

I think there's some discussion in the CAB mailing list:

https://lists.cabforum.org/pipermail/servercert-wg/2021-July/thread.html

My quick read-through (which may be wrong) is that since some people thought the names were already prohibited, and some didn't, explicitly prohibiting it ended up making the rules clearer.

6 Likes

That sounds like a stupid reason.. :roll_eyes:

4 Likes

Thank you for your answers.

I have done some research at DENIC. At DENIC it is also no longer possible to register domains with -- in the 3rd and 4th positions. But in the past it was possible, and so such domains exist.

It would be a pity if the owners of this domain cannot use a certificate.

4 Likes

Well, the owners of this domain cannot use a certificate from any public CA. Yes, that is a pity.

6 Likes