IDN Support enabled

I’m pleased to announce that Let’s Encrypt now supports issuance for Internationalized Domain Names (IDNs).

Note that the currently-released Certbot version (0.9.2) has a built-in check that prevents issuance for IDNs. To issue certificates with Certbot that contain IDNs, you can follow the developer instructions to install the latest development version. Or you can wait for the next Certbot release, currently planned for end of October / early November, or use an alternate client.

Let’s Encrypt (and the ACME protocol) accept IDNs only as A-labels (ASCII labels, starting with xn--, also known as Punycode), not as U-labels (Unicode labels). You can convert between U-labels and A-labels using https://github.com/bestiejs/punycode.js/ or https://www.punycoder.com/. Note that https://www.punycoder.com/ supports the older IDNA2003 spec, while Boulder implements the newer IDNA2008 spec, and so may reject some names converted by that site.

Also note that registries impose some limits on what IDNs may be registered, and browsers impose additional constraints on which IDNs will be represented in their U-label form. If you are thinking of purchasing a domain name, you should ensure it will render the way you want on the browsers that you care about.

15 Likes
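The IDNA2003/IDNA2008 caveat in the announcement above, as an added example that is not part of the original post and is not Let’s Encrypt or Boulder code: it converts U-labels to A-labels two ways and reports the labels where the results differ. Python's built-in "idna" codec implements IDNA2003; the "unmapped" encoder is an assumed stand-in for an IDNA2008 converter (no mappings, no IDNA2008 validation), and the function names and the .example domains are constructed for illustration.

```python
import unicodedata

ACE = "xn--"  # prefix that marks an A-label

def a_label_idna2003(label):
    # Python's built-in "idna" codec implements IDNA2003 (RFC 3490 + nameprep).
    return label.encode("idna").decode("ascii")

def a_label_unmapped(label):
    # Assumption: NFC + lowercase + raw Punycode stands in for an IDNA2008
    # encoder. It applies no IDNA2003 mappings and does no IDNA2008 validation.
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        return label
    return ACE + label.encode("punycode").decode("ascii")

def u_label(label):
    # Decode one A-label back to Unicode; plain ASCII labels pass through.
    if label.lower().startswith(ACE):
        return label[len(ACE):].encode("ascii").decode("punycode")
    return label

def convert(domain):
    """Convert a U-label domain and list the labels where the two results differ."""
    labels = domain.split(".")
    old = [a_label_idna2003(l) for l in labels]
    new = [a_label_unmapped(l) for l in labels]
    return {
        "idna2003": ".".join(old),
        "unmapped": ".".join(new),
        "divergent": [l for l, o, n in zip(labels, old, new) if o != n],
    }

def is_a_label_form(domain):
    # ACME identifiers must be A-labels: every label is non-empty ASCII, and
    # any xn-- label must survive a decode/encode round trip unchanged.
    try:
        return all(
            label and label.isascii()
            and (not label.lower().startswith(ACE)
                 or a_label_unmapped(u_label(label)) == label.lower())
            for label in domain.split("."))
    except UnicodeError:
        return False

if __name__ == "__main__":
    for name in ("блуф.рф", "münchen.example", "straße.example"):
        print(name, convert(name), is_a_label_form(name))
```

A name listed under "divergent" is one where an IDNA2003 converter yields a different A-label than the unmapped encoding, so check which form you actually submit to the CA.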

Thanks!!! Works like a charm for me!

It’s great that it was enabled before the deadline!

When will it be possible to use it? I upgraded the Let’s Encrypt repo and still can’t use it :-/

The CA servers are already issuing IDN certificates. As for clients, if you’re using certbot, you’ll need to switch to a development version as described here. Note that this is not the same thing as just running git pull for your local clone - that’ll still give you the released version of certbot, which does not support IDNs yet. Using one of the alternative clients might work too (not sure which of them support IDNs already).

1 Like

acme.sh supports IDN now.

2 Likes

I tested “getssl” today and it worked fine using the Punycode version of my IDN domain.

2 Likes

IDN support looks good, but when I try to acquire a certificate for my domain “блуф.рф” (using the acme.sh or gethttpsforfree clients), I receive API error 400: “Name does not end in a public suffix”. The suffix “.рф” is present here: https://publicsuffix.org/list/effective_tld_names.dat. What did I do wrong?

1 Like

This is a bug in Boulder: https://github.com/letsencrypt/boulder/issues/2277. We’re working on it! Thanks for your patience.


The fix to that bug was rolled out today; I’m just following up on each thread that mentions it to let the people who encountered it know that they can now go ahead with issuing their certs. So, @Bloof, you can go ahead and get your certificate for блуф.рф now!

2 Likes
