The punycode domain name cannot apply for a TLS certificate through dns.providers.alidns
When I use the config below (original non-ASCII domain), Caddy will not use the DNS challenge, but the HTTP challenge, which will cause my application to fail...

```
NON-ASCII.com {
    ...
    tls {
        dns alidns {
            access_key_id xxxxxxxxxx
            access_key_secret xxxxxxxxxx
        }
    }
}
```

Log:

```json
{"level":"info","ts":1742189665.757167,"msg":"trying to solve challenge","identifier":"xn--xxxxx.com","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
```
When I use punycode, the Alibaba Cloud API does not seem to recognize this domain name:

```
xn--xxxxx.com {
    ...
    tls {
        dns alidns {
            access_key_id xxxxxxxxxx
            access_key_secret xxxxxxxxxx
        }
    }
}
```

Log:

```json
{"level":"error","ts":1742191837.3605196,"logger":"tls.obtain","msg":"will retry","error":"[xn--xxxxx.com] Obtain: [xn--xxxxx.com] solving challenges: presenting for challenge: adding temporary record for zone \"xn--xxxxx.com.\": get error status: HTTP 400: The specified domain name does not exist. Refresh the page and try again. (order=https://acme-v02.api.letsencrypt.org/acme/order/2266125821/364411677956) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":3.200051829,"max_duration":2592000}
```
Have you tried running the latest commit from 3 days ago, perchance?
Likely by pure coincidence, I noticed a bug related to punycode last week and fixed it. The bug was when you used unicode domain names, the automation policies generated for them would be applied, which sounds like this:

> When I use the config below (original non-ASCII domain), Caddy will not use the DNS challenge, but the HTTP challenge, which will cause my application to fail...

(I was also debugging why a domain name was using the HTTP challenge instead of the DNS challenge when I had configured it in the Caddyfile!)

> When I use punycode, the Alibaba Cloud API does not seem to recognize this domain name
This may be a bug in the alidns DNS provider package; each API might have its own rules regarding unicode domain names. IMO they should all just use punycode, but if it still doesn't work after using the latest commit of Caddy, you might want to ask upstream in the alidns repo: https://github.com/libdns/alidns
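The mismatch described in this thread (a policy written for the unicode name, an ACME identifier that arrives in punycode) is easiest to see with a small normalization routine. The following is an added example, not Caddy's or libdns' code: it uses Python's standard-library IDNA codec to bring both spellings of a name to the same ASCII (ACE) form before matching a constructed list of automation policies, and derives the `_acme-challenge` record name from that ASCII form. The policy list and the `naive_policy_for` matcher are constructed for illustration of the failure mode, not taken from the project.

```python
"""Match ACME identifiers against policies after IDNA normalization.

Added example (not Caddy's code). The stdlib "idna" codec implements
IDNA 2003, which is enough for the katakana test label used here.
"""


def to_ascii(name: str) -> str:
    """Return the ACE/punycode form of a hostname (lowercased, no trailing dot).

    Works for names given in unicode ("テスト.example.com") and for names
    that are already ACE ("xn--zckzah.example.com"); both map to the same string.
    """
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def to_unicode(name: str) -> str:
    """Return the unicode form of a hostname, accepting either spelling."""
    return to_ascii(name).encode("ascii").decode("idna")


# Constructed policies, mirroring a Caddyfile with a unicode site block
# that asks for the DNS challenge and an ASCII site block that does not.
CONSTRUCTED_POLICIES = [
    {"subjects": ["テスト.example.com"], "challenge": "dns"},
    {"subjects": ["example.com"], "challenge": "http"},
]


def naive_policy_for(identifier: str, policies):
    """Byte-for-byte comparison: misses the unicode policy for an ACE identifier."""
    for policy in policies:
        if identifier in policy["subjects"]:
            return policy
    return None


def policy_for(identifier: str, policies):
    """Compare in ACE form so the unicode policy matches the punycode identifier."""
    wanted = to_ascii(identifier)
    for policy in policies:
        if any(to_ascii(subject) == wanted for subject in policy["subjects"]):
            return policy
    return None


def dns01_record_name(identifier: str) -> str:
    """The TXT record a DNS provider must publish for dns-01, always in ACE form."""
    return "_acme-challenge." + to_ascii(identifier)


if __name__ == "__main__":
    # The identifier from the log is the ACE spelling of the site name.
    ident = "xn--zckzah.example.com"
    print(to_unicode(ident), "->", to_ascii(ident))
    print("naive match:", naive_policy_for(ident, CONSTRUCTED_POLICIES))
    print("normalized match:", policy_for(ident, CONSTRUCTED_POLICIES))
    print("dns-01 record:", dns01_record_name("テスト.example.com"))
```

Run as a script it prints that the naive matcher returns `None` for the punycode identifier while the normalized matcher finds the DNS-challenge policy, which is the same symptom as the http-01 attempt in the first log line above. Whatever name a provider API expects, the record name computed here is the ACE form; if the provider's zone lookup only knows the unicode spelling, that is the provider-side half of the problem.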
Yes, I installed the latest build via xcaddy yesterday and added this module https://github.com/caddy-dns/alidns
I can get my punycode domain name by running `aliyun alidns DescribeDomains` through the Alibaba Cloud CLI, but when I configure it in the Caddyfile, it reports an error: `HTTP 400: The specified domain name does not exist. Refresh the page and try again.`
By default xcaddy uses the latest release, not the latest commit. Make sure you are using the latest with the `caddy version` command after building. Use `xcaddy build master --with github.com/caddy-dns/alidns`, then use `./caddy version` to verify.
Hi. I haven't been here in a long time. ☺️
I am unable to issue a certificate when using Punycode domains with Buypass Go SSL. However, I was unable to report this issue because I didn't know if it was on the Buypass Go SSL side or the Caddy side. I found this issue today, so I'll add a comment. But I also need a little more inspection on this.
Are you also using alidns?
Sorry for the delay. Been dealing with sickness again.
No. I've never used Alidns. So it's not a nameserver issue.
You may have forgotten about me: https://github.com/caddyserver/caddy/issues/3017
If my Caddy uses Let's Encrypt, this works. LE issues certificates. (This is the default behavior)
However, when I added `acme_ca` to the Caddyfile, it failed to publish in domains using Punycode. 🤔

```
{
    acme_ca https://api.buypass.com/acme/directory
    email [email protected]
}
```

Note: If you want to test this, you can test it by granting a subdomain to your domain. You don't need to buy a Punycode domain. For example, if your domain is `example.you`, try `xn--zckzah.example.you` (= `テスト.example.you`, Japanese).
So, an example workaround if you encounter this problem:

```
example.com {
    tls [email protected] {
        ca https://api.buypass.com/acme/directory
    }
}

xn--zckzah.example.com {
    tls [email protected] {
        ca https://acme-v02.api.letsencrypt.org/directory
    }
}
```