Acme.sh: IDN support

Created on 21 Oct 2016  ·  26Comments  ·  Source: acmesh-official/acme.sh

It seems that IDN is enabled.
We need to support it soon.

https://community.letsencrypt.org/t/idn-support-enabled/21469


I have used acme.sh to register my IDNs, it works perfectly!

What I didn't try is the readable domain name, just the punycode version.

@noplanman I have checked in a branch idn: https://github.com/Neilpang/acme.sh/tree/idn

which is able to process readable IDN domain names, instead of your punycode version.

I'm still testing this branch, it will be merged once testing is finished.

You may have a try:

export BRANCH=idn
acme.sh --upgrade

Great stuff, will have a look when I add a new domain 👍

IDN supported now.

It relies on a new tool, idn or libidn: https://www.gnu.org/software/libidn/

It's available on Linux/FreeBSD/OpenBSD, etc.

I get this error message:
new-authz error: {"type":"urn:acme:error:malformed","detail":"Invalid character in DNS name","status": 400}

How am I supposed to call the acme.sh command with IDNs?

Must I install libidn specifically? I installed a package called idn, same error message though.

I'm on Debian Jessie.

@noplanman

Yes, on Debian, installing idn is enough.

acme.sh --issue -d 中.acme.sh --standalone

I don't see any extra helpful messages using --debug, still the same error response from LE.

Is there any output from the --debug that I should be looking at / should post here to narrow down where the problem could be?

FYI, the special character in my case is an ö, if that helps.

@noplanman
Use --debug 2

It seems that there is something wrong with the char ö.

Let me check and fix it.

Doesn't seem to help. I get more output (obviously), but the core issue is the same one.

Any other ideas?

Edit: Just saw your reply.

@noplanman
Wait please.

@noplanman
Please try again.

@Neilpang Perfect, works like a charm now! Thanks a lot 😃

@Neilpang According to the bug I reported to LE,

https://github.com/letsencrypt/boulder/issues/2277
https://github.com/letsencrypt/boulder/pull/2278

The IDN support of the CA software (known as Boulder) still has some critical bugs in PSL list identification to solve. You had better reopen the issue and wait until the bug is solved.

Log for Reference:

[Sat Oct 22 02:49:03 EDT 2016] Getting new-authz for domain='wangqiliang.xn--fiqs8s'
[Sat Oct 22 02:49:03 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:03 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.xn--fiqs8s"}}'
[Sat Oct 22 02:49:03 EDT 2016] RSA key
[Sat Oct 22 02:49:04 EDT 2016] GET
[Sat Oct 22 02:49:04 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:49:04 EDT 2016] timeout
[Sat Oct 22 02:49:04 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] ret='0'
[Sat Oct 22 02:49:05 EDT 2016] POST
[Sat Oct 22 02:49:05 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:49:05 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:49:05 EDT 2016] _ret='0'
[Sat Oct 22 02:49:05 EDT 2016] code='400'
[Sat Oct 22 02:49:05 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Name does not end in a public suffix","status": 400}
[Sat Oct 22 02:54:09 EDT 2016] Getting new-authz for domain='wangqiliang.中国'
[Sat Oct 22 02:54:09 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:09 EDT 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "wangqiliang.中国"}}'
[Sat Oct 22 02:54:09 EDT 2016] RSA key
[Sat Oct 22 02:54:10 EDT 2016] GET
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/directory'
[Sat Oct 22 02:54:10 EDT 2016] timeout
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:10 EDT 2016] ret='0'
[Sat Oct 22 02:54:10 EDT 2016] POST
[Sat Oct 22 02:54:10 EDT 2016] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sat Oct 22 02:54:10 EDT 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Sat Oct 22 02:54:11 EDT 2016] _ret='0'
[Sat Oct 22 02:54:11 EDT 2016] code='400'
[Sat Oct 22 02:54:11 EDT 2016] new-authz error: {"type":"urn:acme:error:malformed","detail":"Invalid character in DNS name","status": 400}
[root@wangqiliang .acme.sh]#  acme.sh --issue \
>  -d wangqiliang.中国  --dns dns_cf
[Sun Oct 23 10:38:08 EDT 2016] Registering account
[Sun Oct 23 10:38:10 EDT 2016] Already registered
[Sun Oct 23 10:38:12 EDT 2016] Update success.
[Sun Oct 23 10:38:12 EDT 2016] Single domain='wangqiliang.中国'
idn: could not convert from ANSI_X3.4-1968 to UTF-8
end of string encountered while processing type of subject name element #0
problems making Certificate Request
[Sun Oct 23 10:38:12 EDT 2016] Create CSR error.
[Sun Oct 23 10:38:12 EDT 2016] Please check log file for more details: /root/.acme.sh/acme.sh.log
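The two failures in the log above come from the same root: the CA only accepts LDH (letters, digits, hyphen) labels, so a readable IDN has to be converted to its xn-- form client-side, and that conversion must not depend on the process locale. The following is an added illustration, not code from acme.sh or from anyone in this thread; it uses Python's standard idna codec in place of the idn tool, and the LDH regex is an approximation of the CA's check, not Boulder's actual rule.

```python
import re

# Labels a CA's DNS-name check accepts: letters, digits and hyphens,
# no leading or trailing hyphen. Approximation for this demo only.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ldh_name(domain: str) -> bool:
    """True if every label is plain LDH ASCII, i.e. safe to send to the CA."""
    labels = domain.rstrip(".").split(".")
    return all(_LDH_LABEL.match(label) for label in labels)


def to_ascii(domain: str) -> str:
    """Convert a readable IDN such as 'wangqiliang.中国' to its A-label form.

    ASCII labels pass through unchanged (lower-cased), so punycode input
    like 'xn--fiqs8s' is left alone and the function is idempotent.
    Python's 'idna' codec implements IDNA2003 with nameprep.
    """
    out = []
    for label in domain.rstrip(".").split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append(label.encode("idna").decode("ascii"))
    return ".".join(out)


def to_ascii_from_bytes(raw: bytes) -> str:
    """Decode raw argv-style bytes as UTF-8 explicitly, then convert.

    This avoids the 'could not convert from ANSI_X3.4-1968 to UTF-8'
    failure seen under a C/POSIX locale: the domain bytes are never
    interpreted through the locale's charset.
    """
    return to_ascii(raw.decode("utf-8"))


def to_unicode(domain: str) -> str:
    """Reverse conversion, e.g. to display the CN of an issued certificate."""
    return ".".join(
        lbl.encode("ascii").decode("idna") if lbl.startswith("xn--") else lbl
        for lbl in domain.split(".")
    )
```

The A-label is what ends up in the certificate's CN either way, so converting before the new-authz request changes nothing about the issued certificate, only whether the CA accepts the name.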

I noticed that the signed certificate has the CN set to the punycode domain name anyway, so what is the advantage of using the readable one instead of the punycode one?

@noplanman I was trying to find out if there are bugs in Boulder.

@wangqiliang
I read your links before. But it's a server-side bug, not ours. So I'd rather not reopen this issue unless client bugs are found.

Thanks.

Right. Sorry if my comment came out wrong.

It's more of a general question.

@Neilpang Got it, and thanks a lot.

@noplanman

The advantage is to simplify the process for the normal non-professional user. They don't even need to know what punycode is.

It's our goal to make it simple to more users.

Ok, got you. Awesome viewpoint, making it easier for everyone!

@wangqiliang you are a genius to find that bug 👍

Hey, I have a domain ù.eu.org exhibiting the same behavior: Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Error creating new order :: Invalid character in DNS name","status": 400}
Is it likely the same type of issue (server backend)?

@justmwa Have you tried it with the punycode version of the domain name?

In your case it would be: xn--qda.eu.org

@noplanman yes, then it's dns_cf that complains about domain not found.
