Unable to generate certificate: Invalid characters

My domain is: data_services.learn-and-go.com

I ran this command: sudo certbot --nginx -d data_services.learn-and-go.com

It produced this output:
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "data_services.learn-and-go.com": Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Ubuntu 18.04

The operating system my web server runs on is (include version): Nginx 1.14.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

I am unable to find the reason why this fails systematically.

The log contains:
acme.messages.Error: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "data_services.learn-and-go.com": Domain name contains an invalid character

Underscores aren't allowed in certificate hostnames.

1 Like

OK, so what can we do, as the domain is valid - it has been working for the last few years!

It's kind of weird, but underscores are allowed in domain names (that is, things served in DNS, like the _acme-challenge name that ACME DNS-01 challenges use), but not for host names (that is, servers that have a URL). You might be able to get some systems to manage to work with it, but it won't work consistently everywhere and you certainly can't get a certificate with it.

You might be able to work around some issues by using a wildcard certificate for *.learn-and-go.com, if you can automate updating your DNS server. But I wouldn't keep using a name with an underscore in it if I could possibly help it.

6 Likes
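A local pre-flight check for the hostname rule described in the reply above, as an added example that is not part of the original thread and is not certbot's or Let's Encrypt's own validation code. It applies the letters-digits-hyphen label rule to each name before it is passed to `certbot -d`; the function name `check_cert_name` and every sample name other than the poster's are constructed for illustration.

```python
import re

# One hostname label: letters, digits and hyphens only, 1-63 characters,
# not starting or ending with a hyphen (the "LDH" rule).
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_cert_name(name):
    """Return the reasons `name` fails the hostname rule (empty list = passes).

    Assumes internationalized names were already converted to their
    ASCII (xn--) form.
    """
    name = name.rstrip(".")  # tolerate a fully-qualified trailing dot
    if not name or len(name) > 253:
        return ["name is empty or longer than 253 characters"]
    problems = []
    for index, label in enumerate(name.split(".")):
        if label == "*":
            # A wildcard is a certificate convention, valid only on the left.
            if index != 0:
                problems.append("wildcard '*' is only allowed as the leftmost label")
            continue
        if LDH_LABEL.fullmatch(label):
            continue
        bad = sorted(set(re.findall(r"[^A-Za-z0-9-]", label)))
        if bad:
            problems.append(
                f"label {label!r} contains invalid character(s): {' '.join(bad)}"
            )
        elif not label:
            problems.append("empty label (two dots in a row)")
        else:
            problems.append(
                f"label {label!r} starts or ends with '-' or is longer than 63 characters"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample input: the name from this thread plus variations.
    for candidate in (
        "data_services.learn-and-go.com",    # the name that was rejected
        "data-services.learn-and-go.com",    # hyphen instead of underscore
        "*.learn-and-go.com",                # wildcard form from the reply
        "_acme-challenge.learn-and-go.com",  # fine as a DNS name, not a host name
    ):
        print(candidate, "->", check_cert_name(candidate) or "OK")
```

The `_acme-challenge` case shows the distinction drawn above: the name can be served in DNS, but it still fails the check for a name that goes into a certificate.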

This changed on 30 April 2019: Ballot SC12: Sunset of Underscores in dNSNames – CAB Forum

3 Likes
