Uppercase Invalid Error

During migration we moved subdomains from our previous SSL provider to LetsEncrypt for SSL certificate change. Some of the subdomains had uppercases in them, but during certificate generation, in LEtsEncrypt the subdomain can be created only in lowercase.(We even tried to create subdomain names with uppercase, but it didn’t work) After the migration, the subdomains that had uppercases in them arent working if we point the newly generated Letsencrypt certificates but they are working with perfectly with the previous provider. Does anyone know how to solve this problem or even better know any way to generate the certificate name with uppercases in them? Example The subdomain names are Support.Example.com but the certificate can only be generated for support.example.com

1 Like

Hi @Hariharan10aprl

simple answer: Uppercases are not allowed.

So you have to change your domain name.

It’s an error if that was possible.

2 Likes

Hi @JuergenAuer
Thanks for the reply
The Uppercases are in our customer subdomains. It would be helpful if you say why uppercases are not allowed. Based on your explanation we will instruct the customers. In order to change the name to lowercase they are asking for a solid explanation.

1 Like

It’s probably a Let’s Encrypt policy or development decision to only allow lowercase characters in the certificates, regardless, it doesn’t matter. RFC 5280 specifies that they are to be treated the same in section 4.2.1.6

Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case.

Simply put. A certificate issued for Support.Example.com, SuPpoRT.exaMpLE.CoM, or support.example.com are the exact same things and will behave identically, unless someone implemented the standard incorrectly into software.

If going to Support.Example.com doesn’t work it’s either a buggy webserver, browser, or other misconfiguration. I can enter any case configuration I want of my domain into the browser address bar (i.e. ExAMpLe.CoM) and it is simply turned back to lowercase in the address bar.

5 Likes

Thanks for the reply
Even we are are having the same confusion, it’s correct the domain names are case insensitive, we will look into the buggy web server idea tho.

2 Likes

In domain names, upper and lower ASCII are allowed:

https://tools.ietf.org/html/rfc1035

<letter> ::= any one of the 52 alphabetic characters A through Z in
upper case and a through z in lower case

Note that while upper and lower case letters are allowed in domain
names, no significance is attached to the case. That is, two names with
the same spelling but different case are to be treated as if identical.

So browsers should handle

Sub.Example.com
sub.example.com

identical.

And a configuration should never use upper cases in domain names.

2 Likes

I agree with both @JuergenAuer and @ski192man. Let’s Encrypt will only issue certificates with lowercase identifiers, but these certificates are valid, according to Internet standards, when presented by sites that were accessed using mixed-case domain names. Software that does not regard these as a match isn’t following the Internet standards properly.

(There are several different parts of the Boulder code that call this function to obtain a canonical internal representation of the requested domain names as entirely lower case.)

2 Likes

Thanks @schoen
This will be enough to help explain the problem and change the domain names thanks for the reply and research :slight_smile:

1 Like

@JuergenAuer I have another query all our SSL certificates have a validity period of 90 days. Is there anyway we can change the validity period of them and extend it upto one-year

90 days is the only period let’s encrypt issues certificates for. This is because renewal is intended to be automated which makes for a more secure web. I have my server setup to automatically request a renewal, update a txt record to verify control of the domain and reload every 60 days. (60 because that gives me 30 days to correct any issues should one come up during a renewal)

Check out this post for a better explanation than I can do https://letsencrypt.org/2015/11/09/why-90-days.html

You should setup certbot which is the most common ACME client to handle this for you. (Assuming Linux, while there are Windows clients I’m not familiar with them)

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.