IDN domain problem

I have had enough and I am not going to take it anymore! Look, I have used letsencrypt 26 times exactly according to my logbook since the great awareness that if you don't encrypt then you can't even hope to tell you have been pwned. Every single time I used it, it eventually worked but it was always a new way to have to fiddle in the middle. ANYway, this is the current fail. Situation involves use of an IDN, specifically a カ*sカ.tokyo domain. The fail is a something something punycode and go beg for help so I have now done that. I am fixable.

The error is quite clear I'd say?:

Non-ASCII domain names not supported. To issue for an Internationalized Domain Name, use Punycode.

Punycode was not used in this log:

2024-04-24 10:11:12,490:DEBUG:certbot._internal.main:Arguments: ['-v', '-d', 'サイバー.tokyo']

Have you tried xn--eck7a4e3h.tokyo as the hostname? (I used Punycode Converter - IDN Converter - Punycode to Unicode for the conversion.)

Also, while probably (hopefully) your thread title was meant to be comical, I've edited it to something which makes more sense to the readers.

3 Likes

Not to sidetrack, but certificates on a website do absolutely nothing to prevent a site from being compromised. Vulnerabilities exist in application code whether there is a cert encrypting the traffic to it or not.

Similarly, most malicious sites use valid certificates. But the certificate has no impact regarding whether the site can compromise clients connecting to them.

5 Likes

Just for background...

Internationalized Domain Names use a form of Punycode in which the prefix xn-- is prepended to the punycode encoded domain name.

Browsers and many code libraries will use the punycode ASCII encoding under the hood, while they display the internationalized Unicode on most visible interfaces.

@oneman you should familiarize yourself with punycode conversion for troubleshooting and maintenance. You don't need to learn the algorithms, you just need to get comfortable with the online converters that encode and decode.

3 Likes
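An offline way to do the conversion discussed above, as an added example that is not part of any post in this thread and is not certbot's own code. It rewrites the domain values in a certbot argument list to their `xn--` form and decodes them back for review; the function names are hypothetical, and it assumes Python's built-in `idna` codec, which implements IDNA 2003 (RFC 3490).

```python
# Added example: convert IDN hostnames to Punycode (A-labels) before handing
# them to certbot, and decode xn-- names back to Unicode for human review.
# Assumption: the stdlib "idna" codec (IDNA 2003). A few characters (e.g. the
# German sharp s) map differently under IDNA 2008; the third-party "idna"
# package implements that newer standard.

DOMAIN_FLAGS = {"-d", "--domain", "--domains"}  # certbot's domain options


def to_alabel(domain: str) -> str:
    """Return the ASCII (xn--) form of a hostname; wildcards are preserved."""
    domain = domain.strip()
    prefix = ""
    if domain.startswith("*."):          # keep a leading wildcard label intact
        prefix, domain = "*.", domain[2:]
    if domain.isascii():                 # already ASCII: only normalise case
        return prefix + domain.lower()
    # Raises UnicodeError for labels that cannot be encoded (empty, too long).
    return prefix + domain.encode("idna").decode("ascii").lower()


def to_ulabel(domain: str) -> str:
    """Decode an xn-- hostname to Unicode, e.g. to review names in a log."""
    return domain.encode("ascii").decode("idna")


def punycode_certbot_args(args: list[str]) -> list[str]:
    """Rewrite the value after each domain flag; comma-separated lists too."""
    out, expect_domain = [], False
    for arg in args:
        if expect_domain:
            out.append(",".join(to_alabel(d) for d in arg.split(",")))
            expect_domain = False
        else:
            out.append(arg)
            expect_domain = arg in DOMAIN_FLAGS
    return out


if __name__ == "__main__":
    # Argument list taken from the debug log line quoted in this thread.
    logged = ["-v", "-d", "サイバー.tokyo"]
    fixed = punycode_certbot_args(logged)
    print(fixed)
    print(to_ulabel(fixed[-1]))
```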

"You have been pwned" could be used more broadly in this case, to include network attacks that HTTPS does protect against. I find it kind of ambiguous between the two!

We are all pwned as a matter of fact EFI recall intel correctly. Nonetheless, let's settle this one, I am lazy and ignorant and I have been told to begin my education at a word I can type into google or pedia. I will deal with this personal matter off the air. When I get a proper clue, I will provide a report on my learnings. Thank you for your kind gentle machine gun hands.

1 Like