When trying to get a certificate for this domain, I get the error “acme: Error 400 - urn:acme:error:malformed - Invalid character in DNS name”. Can anyone explain what exactly is wrong with this domain?
Can you provide the full log message please (including domain names)?
Did you include http:// in the domain name? (You shouldn’t; it’s not part of the domain name.)
We are not using the command line interface. We are using https://github.com/xenolf/lego/ and our application on top of it. So the only error I have is “acme: Error 400 - urn:acme:error:malformed - Invalid character in DNS name” for the domain “www.-----2016.artur-aviv.com”. And no, we don’t include http/etc.
RFC 1035 states that:
The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.
In other words, you can use hyphens (like in artur-aviv), but not at the start of a label (like in -----2016). Note: labels are basically anything between the dots of your hostname (if you imagine dots at the beginning and end as well). Each label individually cannot start with a hyphen either, not just the hostname as a whole.
RFCs are great, but it turns out that everyone actually allows such domains.
Anyway - thanks for fast answers!
@pfg does it mean subdomains can’t be only digits? E.g. 2017.example.com
Apparently Let’s Encrypt allows host names that don’t start with a letter but with a digit: https://crt.sh/?CN=2017%
Just going by that RFC, that would be accurate. RFC 1123 seems to contain a small change to that which allows both letters and digits as the first character:
The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax.
This is reflected in the regex boulder uses for labels: ^[a-z0-9][a-z0-9-]{0,62}$
Indeed it’s the regular expression used there: https://github.com/letsencrypt/boulder/blob/master/policy/pa.go#L105
Does it mean it accepts a hyphen at the end (seems invalid according to both RFCs, “end with a letter or digit”)?
The regex itself would match a trailing hyphen, but there’s a separate check for that.
@pfg Indeed! I missed it, sorry (I don’t know why they did a separate check instead of having a correct regex, maybe for performance reasons…)
Why? What’s wrong with ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$ ?
This regexp doesn’t match labels with exactly one character.
^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$
You can also use a negative lookbehind: ^[a-z0-9][a-z0-9-]{0,62}(?<!-)$
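The following Go program is an added example, not code from the original thread and not boulder's own validation code. It implements the label rules quoted from RFC 1035 / RFC 1123 earlier in the thread (first character letter or digit, interior letters, digits or hyphens, last character letter or digit, at most 63 characters) in three ways discussed above: the boulder-style regex plus a separate trailing-hyphen check, the single-regex alternative with the optional group, and the narrower regex that rejects one-character labels. It also shows that the negative-lookbehind variant cannot be compiled by Go's RE2-based regexp package, which is one reason a Go project would use a separate check. Lowercasing the input before checking, and the hostnames used as samples, are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// labelRegexp mirrors the regex quoted from boulder in the thread. On its own
// it accepts a trailing hyphen ("abc-"), so the trailing-hyphen rule needs a
// separate check.
var labelRegexp = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,62}$`)

// strictLabelRegexp is the single-regex alternative from the thread; the
// optional group keeps one-character labels such as "a" valid.
var strictLabelRegexp = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// narrowLabelRegexp is the first proposed alternative; it requires at least two
// characters and therefore rejects one-character labels.
var narrowLabelRegexp = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$`)

// ValidLabelTwoStep applies the boulder-style regex and then the explicit
// trailing-hyphen check.
func ValidLabelTwoStep(label string) bool {
	if !labelRegexp.MatchString(label) {
		return false
	}
	return !strings.HasSuffix(label, "-")
}

// ValidLabelOneRegex applies the single-regex alternative.
func ValidLabelOneRegex(label string) bool {
	return strictLabelRegexp.MatchString(label)
}

// ValidLabelNarrow applies the narrow regex (kept to show its one-character gap).
func ValidLabelNarrow(label string) bool {
	return narrowLabelRegexp.MatchString(label)
}

// ValidHostname splits a hostname into labels (trailing dot removed, lowercased:
// an assumption of this example) and returns false plus the first bad label.
func ValidHostname(name string) (bool, string) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return false, ""
	}
	for _, label := range strings.Split(name, ".") {
		if !ValidLabelTwoStep(label) {
			return false, label
		}
	}
	return true, ""
}

// LookbehindSupported reports whether the lookbehind variant from the thread
// compiles under Go's regexp package (RE2 syntax has no lookbehind).
func LookbehindSupported() bool {
	_, err := regexp.Compile(`^[a-z0-9][a-z0-9-]{0,62}(?<!-)$`)
	return err == nil
}

func main() {
	// Sample hostnames constructed for this example.
	for _, h := range []string{
		"www.-----2016.artur-aviv.com", // leading hyphens in a label: rejected
		"2017.example.com",             // all-digit label: allowed per RFC 1123
		"a.example.com",                // one-character label
		"abc-.example.com",             // trailing hyphen: rejected
	} {
		ok, bad := ValidHostname(h)
		fmt.Printf("%-30s valid=%-5v bad label=%q\n", h, ok, bad)
	}
	fmt.Println("regex alone matches \"abc-\":", labelRegexp.MatchString("abc-"))
	fmt.Println("narrow regex accepts \"a\":", ValidLabelNarrow("a"))
	fmt.Println("lookbehind compiles in Go:", LookbehindSupported())
}
```

Running it shows the domain from the original question failing on the label "-----2016", the all-digit label "2017" passing, the bare regex (but not the two-step check) accepting "abc-", the narrow regex rejecting "a", and the lookbehind variant failing to compile.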