boulder: PA rejects domains ending in IDN TLD
PA currently rejects domains ending in IDN TLDs (such as example.xn--fiqs8s
). This appears to be due to publicsuffix-go
’s Find
expecting suffixes to be in unicode rather than punycode and thus rejecting the domain with “Name does not end in a public suffix”.
Originally reported here.
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Reactions: 13
- Comments: 29 (10 by maintainers)
Dependency of library which has only 8 stars is blocking you? Or, if to look at the list itself - 182 stars, random updates, pending issues.
In present days number of new TLDs is increasing rapidly and issues will only accumulate.
Finally - what is the sense to check domain suffix - you are checking
/.well-known/acme-challenge
anyway? If domain is incorrect - it will fail.@kachkaev Absolutely - I will update this thread when it reaches prod. We appreciate your patience! I promise we’re almost there 😃
You have really bug in IDN domain zones. You service require domain name in punnycode, but check domain zone by the unicode list from “eightstartslibrary”.
Example: publicsuffix-go - resolve “рф”, but you reject “пример.рф” you resolve пример.рф , but publicsuffix-go reject xn–p1ai
Log for reference:
@TimKGS Yes - we will comment on the ticket when it’s done. You can also watch status.letsencrypt.org
Same here for a domain in
.рф
zone defined by me as.xn--p1ai
:ACME server returned an error: urn:acme:error:malformed :: The request message was malformed :: Name does not end in a public suffix
While I know there’s nothing more technically difficult about supporting one writing system as opposed to another within IDNs, it’s still heartwarming to see that people just commenting on this single issue succeeded in getting certs issued for names in five different scripts on the first day!
@kachkaev your issue sounds like it’s related to an out-of-date certbot version. It’s unrelated to this issue, but if you file an issue on that other repo and tag me I can help out.
Worked for .xn–j6w193g (.香港) using a custom client.
Can verify that it finally works. Successfully got my certs for .コム and .닷컴 without problems 👍
As a user of popular
docker-letsencrypt-nginx-proxy-companion
I’m still unable to get a cert for.xn--p1ai
(i.e..рф
). But that’s likely to be this issue: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/130The error in my case says the following:
If anyone knowledgable can help with a PR in https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion, that’d be fantastic!
Really exited the Letsencrypt is finally available for IDNs, according to other comments! That’s a great day to celebrate! 🎉 🎉 🎉
Domain .рф success (using ISP Manager, Let’s Encrypt plugin) Thanks
.みんな success (with some more punycode in the domain name, using webroot lego)
@kachkaev @slavonnet @TimKGS @rqou, others - the update in production is complete. Can you please verify you’re now able to issue for IDN TLDs without error?
@kachkaev Oops! Yes I meant Dec 1st. I edited my comment above. Apologies for the confusion.
@kachkaev - you’re correct, nothing will have to change on your end once the update to Boulder is live in production.
@slavonnet No sooner than Dec 1st. There’s no deploy this week due to the American Thanksgiving holidays. We do deploys to staging on Tuesdays and deploys to production on Thursdays.