Uppercase Invalid Error

Hariharan10aprl · February 17, 2020, 12:26pm

During migration we moved subdomains from our previous SSL provider to LetsEncrypt for SSL certificate change. Some of the subdomains had uppercases in them, but during certificate generation, in LEtsEncrypt the subdomain can be created only in lowercase.(We even tried to create subdomain names with uppercase, but it didn’t work) After the migration, the subdomains that had uppercases in them arent working if we point the newly generated Letsencrypt certificates but they are working with perfectly with the previous provider. Does anyone know how to solve this problem or even better know any way to generate the certificate name with uppercases in them? Example The subdomain names are Support.Example.com but the certificate can only be generated for support.example.com

JuergenAuer · February 17, 2020, 2:12pm

Hi @Hariharan10aprl

simple answer: Uppercases are not allowed.

So you have to change your domain name.

It's an error if that was possible.

Hariharan10aprl · February 18, 2020, 6:06am

Hi @JuergenAuer
Thanks for the reply
The Uppercases are in our customer subdomains. It would be helpful if you say why uppercases are not allowed. Based on your explanation we will instruct the customers. In order to change the name to lowercase they are asking for a solid explanation.

ski192man · February 18, 2020, 6:32am

It's probably a Let's Encrypt policy or development decision to only allow lowercase characters in the certificates, regardless, it doesn't matter. RFC 5280 specifies that they are to be treated the same in section 4.2.1.6

Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case.

Simply put. A certificate issued for Support.Example.com, SuPpoRT.exaMpLE.CoM, or support.example.com are the exact same things and will behave identically, unless someone implemented the standard incorrectly into software.

If going to Support.Example.com doesn't work it's either a buggy webserver, browser, or other misconfiguration. I can enter any case configuration I want of my domain into the browser address bar (i.e. ExAMpLe.CoM) and it is simply turned back to lowercase in the address bar.

Hariharan10aprl · February 18, 2020, 8:32am

Thanks for the reply
Even we are are having the same confusion, it’s correct the domain names are case insensitive, we will look into the buggy web server idea tho.

JuergenAuer · February 18, 2020, 8:38am

In domain names, upper and lower ASCII are allowed:

<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case

Note that while upper and lower case letters are allowed in domain
names, no significance is attached to the case. That is, two names with
the same spelling but different case are to be treated as if identical.

So browsers should handle

Sub.Example.com
sub.example.com

identical.

And a configuration should never use upper cases in domain names.

schoen · February 19, 2020, 2:19am

I agree with both @JuergenAuer and @ski192man. Let’s Encrypt will only issue certificates with lowercase identifiers, but these certificates are valid, according to Internet standards, when presented by sites that were accessed using mixed-case domain names. Software that does not regard these as a match isn’t following the Internet standards properly.

(There are several different parts of the Boulder code that call this function to obtain a canonical internal representation of the requested domain names as entirely lower case.)

github.com

letsencrypt/boulder/blob/a6597b9f120207eff192c3e4107a7e49972a0250/core/util.go#L206


	retID = BuildHost
	if retID == "" {
		retID = "Unspecified"
	}
	return
}


// UniqueLowerNames returns the set of all unique names in the input after all
// of them are lowercased. The returned names will be in their lowercased form
// and sorted alphabetically.
func UniqueLowerNames(names []string) (unique []string) {
	nameMap := make(map[string]int, len(names))
	for _, name := range names {
		nameMap[strings.ToLower(name)] = 1
	}


	unique = make([]string, 0, len(nameMap))
	for name := range nameMap {
		unique = append(unique, name)
	}
	sort.Strings(unique)

Hariharan10aprl · February 19, 2020, 5:19am

Thanks @schoen
This will be enough to help explain the problem and change the domain names thanks for the reply and research

Hariharan10aprl · February 19, 2020, 5:44am

@JuergenAuer I have another query all our SSL certificates have a validity period of 90 days. Is there anyway we can change the validity period of them and extend it upto one-year

ski192man · February 19, 2020, 5:48am

90 days is the only period let’s encrypt issues certificates for. This is because renewal is intended to be automated which makes for a more secure web. I have my server setup to automatically request a renewal, update a txt record to verify control of the domain and reload every 60 days. (60 because that gives me 30 days to correct any issues should one come up during a renewal)

Check out this post for a better explanation than I can do https://letsencrypt.org/2015/11/09/why-90-days.html

You should setup certbot which is the most common ACME client to handle this for you. (Assuming Linux, while there are Windows clients I’m not familiar with them)

system · March 20, 2020, 5:48am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.