-
-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PA rejects domains ending in IDN TLD #2277
Comments
Log for reference:
|
Same here for a domain in
|
This is blocked on investigation by the upstream |
Dependency of library which has only 8 stars is blocking you? In present days number of new TLDs is increasing rapidly and issues will only accumulate. Finally - what is the sense to check domain suffix - you are checking |
You have really bug in IDN domain zones. Example: |
@SDKiller I have abandoned the HTTP-01 method three months ago and I'm now using the DNS-01 Method to verify my domain name. So there will be no problem in |
This pull request updates the publicsuffix-go dependency to version 0.3.0, most notably including weppos/publicsuffix-go#40 and support for IDN TLDs. The PA's TestWillingToIssue unit test is updated to confirm that Boulder is WillingToIssue a well formed IDN domain with an IDN TLD. Prior to c5cc328 this causes the PA unit tests to fail as expected with urn:acme:error:malformed :: Name does not end in a public suffix. After c5cc328 everything is 💯 Per CONTRIBUTING.md the unit tests are confirmed to pass: daniel@XXXXXX:~/go/src/github.com/weppos/publicsuffix-go$ git show -s commit 49fe4b0e8276b314e6703300ac26940d9c090a06 Author: Simone Carletti <weppos@weppos.net> Date: Mon Nov 21 19:26:37 2016 +0100 Release 0.3.0 daniel@XXXXXX:~/go/src/github.com/weppos/publicsuffix-go$ go test ./... ? github.com/weppos/publicsuffix-go/cmd/gen [no test files] ? github.com/weppos/publicsuffix-go/cmd/load [no test files] ok github.com/weppos/publicsuffix-go/net/publicsuffix 0.007s ok github.com/weppos/publicsuffix-go/publicsuffix 0.042s :heart: :beer: and :tada:'s to @weppos for the upstream work required for this fix. We truly appreciate your volunteer work on the PSL and the publicsuffix-go library. You're the best! This resolves #2277.
Great to finally see this issue fixed! @rolandshoemaker do I understand correctly that we don't need to update anything in order to start getting certs for IDN domains? I've got |
When the update will appear on the production servers letsencrypt? https://acme-v01.api.letsencrypt.org/acme/new-authz |
@kachkaev - you're correct, nothing will have to change on your end once the update to Boulder is live in production. @slavonnet No sooner than Dec 1st. There's no deploy this week due to the American Thanksgiving holidays. We do deploys to staging on Tuesdays and deploys to production on Thursdays. |
@cpu did you mean 1 Dec? (that's next Thursday) |
@kachkaev Oops! Yes I meant Dec 1st. I edited my comment above. Apologies for the confusion. |
I just tried a domain ending in .xn--j6w193g (.香港) against the staging server and I still get "Name does not end in a public suffix." Wasn't there supposed to be a deploy yesterday? |
@rqou There were unrelated problems that resulted in the staging release being reverted. You can see the Boulder revision running in staging is +6e85092 which does not include the suffix fix. |
@cpu could you please let us know if (or when) the patch is in prod? I checked one my domain in Excited about this change you're making and happy to be one of the Letsencrypt supporters. Suggest others to donate too so that guys could keep the certs free further! https://letsencrypt.org/donate/ |
@kachkaev Absolutely - I will update this thread when it reaches prod. We appreciate your patience! I promise we're almost there :-) |
I just tried an IDN TLD on staging today and it works! Will this deploy to prod on Thursday? |
That's the plan!
|
We are still waiting? |
@TimKGS Yes - we will comment on the ticket when it's done. You can also watch status.letsencrypt.org |
@kachkaev @slavonnet @TimKGS @rqou, others - the update in production is complete. Can you please verify you're now able to issue for IDN TLDs without error? |
Can verify that it finally works. Successfully got my certs for .コム and .닷컴 without problems 👍 |
.みんな success (with some more punycode in the domain name, using webroot lego) |
Domain .рф success (using ISP Manager, Let's Encrypt plugin) |
Worked for .xn--j6w193g (.香港) using a custom client. |
As a user of popular The error in my case says the following:
If anyone knowledgable can help with a PR in https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion, that'd be fantastic! Really exited the Letsencrypt is finally available for IDNs, according to other comments! That's a great day to celebrate! 🎉 🎉 🎉 |
@kachkaev your issue sounds like it's related to an out-of-date certbot version. It's unrelated to this issue, but if you file an issue on that other repo and tag me I can help out. |
While I know there's nothing more technically difficult about supporting one writing system as opposed to another within IDNs, it's still heartwarming to see that people just commenting on this single issue succeeded in getting certs issued for names in five different scripts on the first day! |
Worked with |
1 similar comment
Worked with |
PA currently rejects domains ending in IDN TLDs (such as
example.xn--fiqs8s
). This appears to be due topublicsuffix-go
'sFind
expecting suffixes to be in unicode rather than punycode and thus rejecting the domain with "Name does not end in a public suffix".Originally reported here.
The text was updated successfully, but these errors were encountered: