XYZ : Name does not end in a public suffix


#1

I was trying to get a cert for my personal project, hosted at freeadvertscv.xyz, but I get "Name does not end in a public suffix". :(

Help, please!

My domain is:
freeadvertscv.xyz

I ran this command:
acmetool want freeadvertscv.xyz

It produced this output:
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}

My operating system is (include version):
Ubuntu 16.04

My web server is (include version):
nginx

I can login to a root shell on my machine (yes or no, or I don’t know):
YES


#2

That’s strange. Issuance to other .xyz domains seems to have worked as recently as today according to Certificate Transparency logs. Is there any chance the client is actually requesting a certificate for a different domain for some reason? I’m not really familiar with acmetool, so I’m just guessing at this point, but maybe there’s some kind of configuration file it parses and takes domains from, and one of them doesn’t happen to end with a public suffix? Or maybe it automatically adds your system hostname, and that’s not a public domain either?

It seems there’s a --xlog.severity=debug option you can use to see what exactly is going on, maybe that’ll help.


#3

20160707233043 [DEBUG] fdb: enforce permissions: tmp/symlink.087306893 0/0 0/0
20160707233043 [DEBUG] fdb: enforce permissions: tmp/symlink.049582728 0/0 0/0
20160707233043 [DEBUG] fdb: enforce permissions: tmp/symlink.655703623 0/0 0/0
20160707233043 [DEBUG] fdb: enforce permissions: tmp/symlink.206253306 0/0 0/0
20160707233043 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) satisfies Target(u2f.jeman.de;;0)
20160707233043 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(u2f.jeman.de;;0) because required hostname "u2f.jeman.de" is not listed on it: []string{"freeadvertscv.xyz"}
20160707233043 [DEBUG] acme.storageops: Target(u2f.jeman.de;;0): best certificate satisfying is Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq), err=<nil>
20160707233043 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) needsRenewing=false notAfter=2016-09-30 10:13:00 +0000 UTC
20160707233043 [DEBUG] acme.storageops: Target(u2f.jeman.de;;0): have best certificate which does not need renewing, skipping target
20160707233043 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) satisfies Target(freeadvertscv.xyz;;0)
20160707233043 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyz;;0) because required hostname "freeadvertscv.xyz" is not listed on it: []string{"u2f.jeman.de"}
20160707233043 [DEBUG] acme.storageops: Target(freeadvertscv.xyz;;0): best certificate satisfying is Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea), err=<nil>
20160707233043 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) needsRenewing=false notAfter=2016-10-04 04:58:00 +0000 UTC
20160707233043 [DEBUG] acme.storageops: Target(freeadvertscv.xyz;;0): have best certificate which does not need renewing, skipping target
20160707233043 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"u2f.jeman.de"}
20160707233043 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"freeadvertscv.xyz"}
20160707233043 [DEBUG] acme.storageops: Target(freeadvertscv.xyzadd,record;;0): best certificate satisfying is <nil>, err=Target(freeadvertscv.xyzadd,record;;0): no certificate satisfies this target
20160707233043 [DEBUG] acme.storageops: Target(freeadvertscv.xyzadd,record;;0): requesting certificate
20160707233043 [DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/directory
20160707233043 [DEBUG] acme.api: response: &{200 OK 200 HTTP/1.1 1 1 map[Boulder-Request-Id:[X0vX56_BeLDwMmdtB49lg7D2R0nbT7rqklULbGbuMAQ] Replay-Nonce:[3NYiVY_PJcXCf_eOMBAVw6mfsWMbeLHBiC3q-9X4E0c] Strict-Transport-Security:[max-age=604800] Pragma:[no-cache] Server:[nginx] Content-Type:[application/json] Content-Length:[280] Date:[Fri, 08 Jul 2016 03:30:43 GMT] Connection:[keep-alive] X-Frame-Options:[DENY] Expires:[Fri, 08 Jul 2016 03:30:43 GMT] Cache-Control:[max-age=0, no-cache, no-store]] 0xc820508180 280 [] false map[] 0xc8201f62a0 0xc8203c00b0}
20160707233043 [DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/new-reg
20160707233043 [DEBUG] acme.api: response: &{409 Conflict 409 HTTP/1.1 1 1 map[Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Date:[Fri, 08 Jul 2016 03:30:43 GMT] Server:[nginx] Content-Type:[application/problem+json] Location:[https://acme-v01.api.letsencrypt.org/acme/reg/2447923] Replay-Nonce:[XwCHf_G_ZD30uUVMrIjP5XKOS8hO31_KZolisn1Jp5M] Content-Length:[107] Boulder-Request-Id:[lD6-G0Xat_c4wGlgF46XMa9IGutzWBHkd_LW7s5unmw] Boulder-Requester:[2447923] Expires:[Fri, 08 Jul 2016 03:30:43 GMT]] 0xc820345640 107 [] true map[] 0xc8202d5ce0 0xc8203c00b0}
20160707233043 [DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/reg/2447923
20160707233043 [DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Content-Type:[application/json] Content-Length:[638] Boulder-Request-Id:[KE22FYEwWM1MnxHuf70jp5v0eTR_w_wVQuW0QRh55ek] Link:[https://acme-v01.api.letsencrypt.org/acme/new-authz;rel="next" https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf;rel="terms-of-service"] Replay-Nonce:[0qelXVGJBSb3BF_Y2yiIv2Nntym1QDSlEz5mDK3cWHY] Cache-Control:[max-age=0, no-cache, no-store] Date:[Fri, 08 Jul 2016 03:30:43 GMT] Server:[nginx] Expires:[Fri, 08 Jul 2016 03:30:43 GMT] Pragma:[no-cache] Connection:[keep-alive] Boulder-Requester:[2447923]] 0xc82043a600 638 [] false map[] 0xc82024d880 0xc8203766e0}
20160707233043 [DEBUG] acme.storageops: trying to obtain authorization for "freeadvertscv.xyzadd"
20160707233043 [DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/new-authz
20160707233044 [DEBUG] acme.api: response: &{400 Bad Request 400 HTTP/1.1 1 1 map[Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Server:[nginx] Content-Type:[application/problem+json] Content-Length:[137] Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT]] 0xc820508220 137 [] true map[] 0xc82051f7a0 0xc8203766e0}
20160707233044 [ERROR] acme.storageops: could not obtain authorization for freeadvertscv.xyzadd: HTTP error: 400 Bad Request
map[Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT] Server:[nginx] Content-Type:[application/problem+json] Content-Length:[137] Pragma:[no-cache] Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT] Cache-Control:[max-age=0, no-cache, no-store]]
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}
20160707233044 [ERROR] acme.storageops: Target(freeadvertscv.xyzadd,record;;0): failed to request certificate: HTTP error: 400 Bad Request
map[Content-Length:[137] Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT] Server:[nginx] Content-Type:[application/problem+json] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT]]
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}
20160707233044 [DEBUG] acme.storageops: done processing targets, reconciliation complete, 1 errors occurred
20160707233044 [ERROR] acme.storageops: error while processing targets: the following errors occurred:
error satisfying Target(freeadvertscv.xyzadd,record;;0): HTTP error: 400 Bad Request
map[Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT] Server:[nginx] Content-Type:[application/problem+json] Content-Length:[137] Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache]]
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}
20160707233044 [ERROR] acme.storageops: failed to reconcile: the following errors occurred:
error satisfying Target(freeadvertscv.xyzadd,record;;0): HTTP error: 400 Bad Request
map[Content-Length:[137] Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT] Server:[nginx] Content-Type:[application/problem+json] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT]]
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}
20160707233044 [DEBUG] fdb: enforce permissions: tmp/symlink.882235409 0/0 0/0
20160707233044 [DEBUG] fdb: enforce permissions: tmp/symlink.049959996 0/0 0/0
20160707233044 [DEBUG] acme.storageops: disjoint hostname mapping: u2f.jeman.de -> Target(u2f.jeman.de;;0)
20160707233044 [DEBUG] acme.storageops: disjoint hostname mapping: freeadvertscv.xyz -> Target(freeadvertscv.xyz;;0)
20160707233044 [DEBUG] acme.storageops: disjoint hostname mapping: freeadvertscv.xyzadd -> Target(freeadvertscv.xyzadd,record;;0)
20160707233044 [DEBUG] acme.storageops: disjoint hostname mapping: record -> Target(freeadvertscv.xyzadd,record;;0)
20160707233044 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"u2f.jeman.de"}
20160707233044 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"freeadvertscv.xyz"}
20160707233044 [DEBUG] acme.storageops: could not find certificate satisfying Target(freeadvertscv.xyzadd,record;;0): Target(freeadvertscv.xyzadd,record;;0): no certificate satisfies this target
20160707233044 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"u2f.jeman.de"}
20160707233044 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"freeadvertscv.xyz"}
20160707233044 [DEBUG] acme.storageops: could not find certificate satisfying Target(freeadvertscv.xyzadd,record;;0): Target(freeadvertscv.xyzadd,record;;0): no certificate satisfies this target
20160707233044 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) satisfies Target(u2f.jeman.de;;0)
20160707233044 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(u2f.jeman.de;;0) because required hostname "u2f.jeman.de" is not listed on it: []string{"freeadvertscv.xyz"}
20160707233044 [DEBUG] acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyz;;0) because required hostname "freeadvertscv.xyz" is not listed on it: []string{"u2f.jeman.de"}
20160707233044 [DEBUG] acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) satisfies Target(freeadvertscv.xyz;;0)
20160707233044 [CRITICAL] acmetool: fatal: reconcile: the following errors occurred:
error satisfying Target(freeadvertscv.xyzadd,record;;0): HTTP error: 400 Bad Request
map[Content-Length:[137] Boulder-Request-Id:[tyqFdd7T8i6TSR5XtwpRfCQrL24s35Tzb2UYmmNgZqI] Boulder-Requester:[2447923] Date:[Fri, 08 Jul 2016 03:30:44 GMT] Server:[nginx] Content-Type:[application/problem+json] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Replay-Nonce:[cZyzmWqW9wVw7Epu93lc9LfjTyVG7ljXO-e1utGJGZg] Expires:[Fri, 08 Jul 2016 03:30:44 GMT]]
{
"type": "urn:acme:error:malformed",
"detail": "Error creating new authz :: Name does not end in a public suffix",
"status": 400
}


#4

Is this normal?
20160707233043 [DEBUG] acme.storageops: trying to obtain authorization for "freeadvertscv.xyzadd"


#5

You should figure out where this name freeadvertscv.xyzadd comes from, as that seems likely to be the source of your problem.

It might be that it’s a typo in your configuration, or less likely it might be a bug in this acmetool software.


#6

Config is fine. Look at this block

acme.storageops: Target(freeadvertscv.xyz;;0): best certificate satisfying is Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea), err=<nil>
acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) needsRenewing=false notAfter=2016-10-04 04:58:00 +0000 UTC
acme.storageops: Target(freeadvertscv.xyz;;0): have best certificate which does not need renewing, skipping target
acme.storageops: Certificate(vfy67vmqgsionvlyh7ee7ux2yc6lrzw2kshod26yncipu3ixwjrq) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"u2f.jeman.de"}
acme.storageops: Certificate(x6u77wzrf7jzwyyvw5bvyzz4h67dfjfgq4mihv7qfhq4kbwuplea) cannot satisfy Target(freeadvertscv.xyzadd,record;;0) because required hostname "freeadvertscv.xyzadd" is not listed on it: []string{"freeadvertscv.xyz"}
acme.storageops: Target(freeadvertscv.xyzadd,record;;0): best certificate satisfying is <nil>, err=Target(freeadvertscv.xyzadd,record;;0): no certificate satisfies this target
acme.storageops: Target(freeadvertscv.xyzadd,record;;0): requesting certificate

#7

Fixed by removing the faulty freeadvertscv.xyzAdd file from /var/lib/acme/desired. Thanks for all the help.
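
An added example, not part of the thread and not acmetool's own code: a shell check that pulls every hostname out of the `Target(...)` entries in an acmetool debug log and flags names that cannot end in a public suffix, which is how the stray `freeadvertscv.xyzadd` and `record` names surfaced here. The two-entry suffix list and the sample log lines are constructed stand-ins; a real check would use the full Public Suffix List.

```shell
#!/bin/sh
# Added example: flag target hostnames in an acmetool debug log that the CA
# would reject with "Name does not end in a public suffix".

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# suffixes that appear in this thread.
KNOWN_SUFFIXES="xyz de"

# Print the unique hostnames found inside Target(a,b;;0) entries on stdin.
target_names() {
    grep -o 'Target([^;)]*;' | sed -e 's/^Target(//' -e 's/;$//' |
        tr ',' '\n' | sort -u
}

# Return 0 if the name has at least two labels and a known final label.
ends_in_known_suffix() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;   # single label such as "record"
    esac
    tld=${1##*.}
    for s in $KNOWN_SUFFIXES; do
        [ "$tld" = "$s" ] && return 0
    done
    return 1
}

# Read a debug log on stdin; print one "SUSPECT <name>" line per bad name.
suspect_targets() {
    target_names | while IFS= read -r name; do
        ends_in_known_suffix "$name" || printf 'SUSPECT %s\n' "$name"
    done
}

# Constructed sample: three lines shortened from the log in this thread.
SAMPLE_LOG='[DEBUG] acme.storageops: Target(u2f.jeman.de;;0): have best certificate which does not need renewing, skipping target
[DEBUG] acme.storageops: Target(freeadvertscv.xyz;;0): have best certificate which does not need renewing, skipping target
[DEBUG] acme.storageops: Target(freeadvertscv.xyzadd,record;;0): requesting certificate'

printf '%s\n' "$SAMPLE_LOG" | suspect_targets
```

To run it against a real log, pipe the output of an acmetool run with `--xlog.severity=debug` into `suspect_targets`.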

