Invalid character in DNS name: www.-----2016.artur-aviv.com

When trying to get certificate for this domain - I get the error “acme: Error 400 - urn:acme:error:malformed - Invalid character in DNS name”. Can anyone explain, what exactly is wrong with this domain?

Can you provide the full log message please ( including domain names).

Did you include http:// in the domain name ? (you shouldn’t - it’s not part of the domain name )

We are not using command line interface. We are using https://github.com/xenolf/lego/ and our application on top of it. So the only error I have is “acme: Error 400 - urn:acme:error:malformed - Invalid character in DNS name” for domain “www.-----2016.artur-aviv.com”. And no - we don’t include http/etc.

RFC 1035 states that:

The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.

In other words, you can use hyphens (like in artur-aviv), but not at the start of a label (like in -----2016). Note: labels are basically anything between the dots of your hostname (if you imagine dots at the beginning and end as well). Each label individually cannot start with a hyphen either, not just the hostname as a whole.

RFCs are great but it turns out that everyone actually allows such domains :slight_smile:

Anyway - thanks for fast answers!

@pfg does it mean subdomains can’t be only digits? e.g. 2017.example.com

Apparently Let’s Encrypt allow host names that doesn’t start with a letter but with a digit: https://crt.sh/?CN=2017%

Just going by that RFC, that would be accurate. RFC 1123 seems to contain a small change to that which allows both letters and digits as the first character:

The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax.

This is reflected in the regex boulder uses for labels: ^[a-z0-9][a-z0-9-]{0,62}$

2 Likes

Indeed it’s the regular expression used there: https://github.com/letsencrypt/boulder/blob/master/policy/pa.go#L105

Does it mean it accept an hyphen in the end (seams invalid according to both RFC, “end with a letter or digit”)?

1 Like

The regex itself would match a trailing hyphen, but there’s a separate check for that.

1 Like

@pfg Indeed! I missed it, sorry :slight_smile: (I don’t know why they did a separate check instead of having a correct regexpr, maybe for performances reasons…)

Why? What's wrong with ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$ ?

1 Like

This regexp doesn’t match labels with exactly one character.

1 Like

^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$

1 Like

You can also use a negative lookbehind :wink:

^[a-z0-9][a-z0-9-]{0,62}(?<!-)$

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.