Underscore ("_") as a valid domain name?

Please fill out the fields below so we can help you better.

My domain is: _.zr.is

I ran this command:

sudo certbot certonly -a manual --rsa-key-size 4096 --email myemail@gmail.com -d _.zr.is

It produced this output:

An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name


06:43:20,352:DEBUG:acme.client:Received response:
HTTP 400
Content-Length: 130
Boulder-Request-Id: DKv5zx862MWeknQoFkWgmXCNzlDtP8JvLcFWuAPXCr4
Boulder-Requester: 11287452
Expires: Fri, 21 Apr 2017 06:43:20 GMT
Server: nginx
Connection: close
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
Date: Fri, 21 Apr 2017 06:43:20 GMT
Content-Type: application/problem+json

  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Invalid character in DNS name",
  "status": 400

My operating system is (include version):

CentOS 7

My web server is (include version):

Nginx 1.10.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):


I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Well. I’m not familiar with the specification of what characters can I put in a domain, but apparently this domain can be resolved and I used to use it personally. So I hope it can be supported by Let’s Encrypt.



After a quick google search:

It seems having underscore in domain name is totally valid. So, please support it!


As far as I understood, the underscore is a valid character in a DNS field, but not in a hostname as used in a certificate.


@Osiris is right, Wikipedia explains it very well:

Extract from Hostname - Wikipedia

The Internet standards (Requests for Comments) for protocols mandate that component hostname labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the hyphen ('-'). The original specification of hostnames in RFC 952, mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen. However, a subsequent specification (RFC 1123) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted.

While a hostname may not contain other characters, such as the underscore character (_), other DNS names may contain the underscore.[4] Systems such as DomainKeys and service records use the underscore as a means to assure that their special character is not confused with hostnames. For example, _http._sctp.www.example.com specifies a service pointer for an SCTP capable webserver host (www) in the domain example.com. Note that some applications (e.g. Microsoft Internet Explorer) won't work correctly if any part of the hostname contains an underscore character.[5]



Yes @Osiris and @sahsanu are correct
Try register one with underscores and see what happens.

Previously discussed at

There is a proposal in the CA/B Forum to allow issuance for names containing underscores, but I don't know if this proposal will pass.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.