Trying to find what cert contains a R-LDH domain


I received the message that says I will not be able to renew some domains because they conflict with RFC 5890.

You are receiving this email as you have an active certificate that contains a R-LDH domain name (a DNS name containing the characters ‘--’ in the third and fourth positions in a label, e.g. ‘bq--’). These names are considered reserved by RFC 5890 and as such we have decided to no longer issue certificates containing them. As such you will no longer be able to renew any certificates you currently have that contain these names.

I am not sure what certificate we have that would violate this. Is there a way we could find out which certificates are associated with my email to find the one that would be of trouble? We do have some certs that contain --, but they shouldn’t be in the third/fourth position.

I believe a review of this should help

I think there is a typo in the email as the RFC quoted in the link was a different number


Hi @iamcarrico,

Can you provide your ACME account ID?

This isn’t the one associated with my email— I think that server has been blown away a while back. But this one should be relatively close?

FYI, the RFC in the email is correct, and the Unicode Normalization incident you linked is a different thing. Unicode normalization is about whether ë is represented as e + ¨ or just ë as a single character. The R-LDH limitation is defined by IDNA (RFC 5890) and says “DNS names starting with ‘XX--’ where XX != ‘xn’ shouldn’t be accepted by applications that process Internationalized Domain Names.”
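As an added example (not from anyone in this thread), here is a small Python checker that applies the rule just quoted to a list of DNS names, such as the SANs pulled out of a certificate, and reports which ones carry a reserved R-LDH label. The helper names `classify_label` and `find_rldh_names` and the sample SAN list are constructed for this example.

```python
import re

# RFC 5890 section 2.3.1: a label with "--" in its 3rd and 4th character
# positions is an R-LDH label. Those beginning with "xn--" (case-insensitive)
# are A-labels (valid IDNA punycode); every other R-LDH label is "reserved",
# and that reserved class is what the CA's email refuses to issue for.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def classify_label(label: str) -> str:
    """Return 'a-label', 'r-ldh', 'ldh' or 'invalid' for one DNS label."""
    lab = label.lower()
    if lab == "*":  # wildcard label as it appears in a certificate SAN
        return "ldh"
    if len(lab) > 63 or not LABEL_RE.fullmatch(lab):
        return "invalid"  # e.g. leading/trailing hyphen, underscore, empty
    if len(lab) >= 4 and lab[2:4] == "--":
        return "a-label" if lab.startswith("xn--") else "r-ldh"
    return "ldh"


def find_rldh_names(names):
    """Yield (name, offending_label) for each name containing a reserved R-LDH label."""
    for name in names:
        for label in name.rstrip(".").split("."):
            if classify_label(label) == "r-ldh":
                yield (name, label)
                break  # one hit per name is enough to know the cert is affected


# Constructed sample SAN list, the kind of thing you get from
# `openssl x509 -in cert.pem -noout -ext subjectAltName`.
SAMPLE_SANS = [
    "www.example.com",
    "foo--bar.example.com",       # "--" at positions 4-5: plain LDH, fine
    "xn--bcher-kva.example.com",  # A-label (punycode of "bücher"): fine
    "bq--test.example.com",       # "--" at positions 3-4, not "xn": reserved
    "*.ab--staging.example.com",  # wildcard is fine; the next label is not
]

if __name__ == "__main__":
    for name, label in find_rldh_names(SAMPLE_SANS):
        print(f"{name}: reserved R-LDH label {label!r}")
```

Run it against the SAN list of each certificate you hold; any name it prints is one the CA will decline to renew.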


Ah ha! We found it. We have been using, not realizing that was going to be a problem in the subdomain. Working on some fixes locally until we can just use a wildcard certificate to ignore it in the future.

Thank you all!

