Error reserved format (R-LDH: '?--') creating certificate for www.o----o.de

ToP · July 26, 2022, 7:42pm

My domain is: o----o.de

I ran this command:
certbot certonly -c certonly.ini -d www.o----o.de -d o----o.de

The certonly.ini contains

manual
preferred-challenges http
manual-auth-hook /path/to/authenticator.sh
manual-cleanup-hook /path/to/cleanup.sh
manual-public-ip-logging-ok

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "o----o.de": Domain name contains an invalid label in a reserved format (R-LDH: '??--') (and 1 more problems. Refer to sub-problems for more information.)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Osiris · July 26, 2022, 7:57pm

@lestaff Any idea why this domain name is being refused? As far as I can tell from RFC 5891, the hyphen restriction is only applicable to unicode strings being converted to IDNA labels? And not for non-IDNA domains?

jsha · July 26, 2022, 8:01pm

The IDNA RFC reserves all hostnames containing:

So this is a reserved-LDH name, even though it is not a valid Internationalized Domain Name. Because of the Baseline Requirements that apply to all publicy trusted CAs, we are not allowed to issue for this domain name even though it is registered in the DNS.

Specifically: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf

Rip · July 26, 2022, 8:03pm

Osiris · July 26, 2022, 8:09pm

Hm, so the BR is very strict, even if the RFCs allow it. Good to know, not so good for @ToP unfortunately.

petercooperjr · July 26, 2022, 8:14pm

Yeah, Let's Encrypt even specifically had an Official Incident in the past where they failed to block issuance where characters 2, 3, and 4 were all hyphens:

Osiris · July 26, 2022, 8:19pm

Uch, I don't seem to be able to find any actual arguments for those changes.. SC48 - Domain Name and IP Address Encoding (#285) by castillar · Pull Request #302 · cabforum/servercert · GitHub is just the effective change in code and SC48 - Domain Name and IP Address Encoding by CBonnell · Pull Request #285 · cabforum/servercert · GitHub doesn't contain any relevant discussion either.

Sometimes the CA/B Forum's only reason for existance is to make life for everybody more difficult for the sake of making it difficult..

petercooperjr · July 26, 2022, 8:26pm

I think there's some discussion in the CAB mailing list:

https://lists.cabforum.org/pipermail/servercert-wg/2021-July/thread.html

My quick read-through (which may be wrong) is that since some people thought the names were already prohibited, and some didn't, explicitly prohibiting it ended up making the rules clearer.

Osiris · July 26, 2022, 8:32pm

That sounds like a stupid reason..

ToP · July 26, 2022, 8:53pm

Thank you for your answers.

I have researched at DENIC. Also at DENIC it is no longer possible to register domains with -- in 3rd and 4th position. But in the past it was possible and so such domains exist.

It would be a pity if the owners of this domain cannot use a certificate.

petercooperjr · July 26, 2022, 9:59pm

Well, the owners of this domain cannot use a certificate from any public CA. Yes, that is a pity.

system · August 25, 2022, 9:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.