IDN Support enabled

I’m pleased to announce that Let’s Encrypt now supports issuance for Internationalized Domain Names (IDNs).

Note that the currently-released Certbot version (0.9.2) has a built-in check that prevents issuance for IDNs. To issue certificates with Certbot that contain IDNs, you can follow the developer instructions to install the latest development version. Or you can wait for the next Certbot release, currently planned for end of October / early November, or use an alternate client.

Let’s Encrypt (and the ACME protocol) accept IDNs only as A-labels (ASCII labels, starting with xn--, also known as Punycode), not as U-labels (Unicode labels). You can convert between U-labels and A-labels using or Note that supports the older IDNA the older IDNA2003 spec, while Boulder implements the newer IDNA2008 spec, and so may reject some names converted by that site.

Also note that registries impose some limits on what IDNs may be registered, and browsers impose additional constraints on which IDNs will be represented in their U-label form. If you are thinking of purchasing a domain name, you should ensure it will render the way you want on the browsers that you care about.


Thanks!!! Works like a charm for me!

It’s great that it was enabled before the deadline!

When it will be possible to use it? I upgrade let’s encrypt repo and still can’t use it :-/

The CA servers are already issuing IDN certificates. As for clients, if you’re using certbot, you’ll need to switch to a development version as described here. Note that this is not the same thing as just running git pull for your local clone - that’ll still give you the released version of certbot, which does not support IDNs yet. Using one of the alternative clients might work too (not sure which of them support IDNs already).

1 Like supports IDN now.


I tested “getssl” today and it worked fine using the PunyCode version of my IDN domain.


IDN support looks good, but when I try to acquire certificate for my domain “блуф.рф” (using or gethttpsforfree clients), I receive API error 400: “Name does not end in a public suffix”. Suffix “.рф” is presented here What did I do wrong?

1 Like

This is a bug in Boulder: We’re working on it! Thanks for your patience.

A post was split to a new topic: Certbot reporting Punycode unsupported

The fix to that bug was rolled out today; I’m just following up on each thread that mentions it to let the people who encountered it know that they can now go ahead with issuing their certs. So, @Bloof, you can go ahead and get your certificate for блуф.рф now!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.