Unable to get/renew a certificate for internationalized domain name (invalid character)

[jari-e21]

After updating to version 2.2.7 the renewal of a certificate for an internationalized domain name started to fail. The domain name contains the character "ö" (o with umlaut). After reverting back to version 2.2.6 the renewal succeeded again.

Failure log from 2.2.7:

2024-02-27 09:00:06.998 +02:00 [DBG] [HTTP] Send POST to "https://acme-v02.api.letsencrypt.org/acme/order/..."
2024-02-27 09:00:06.998 +02:00 [VRB] [HTTP] Request content: {"protected":"eyJhb..."}
2024-02-27 09:00:07.148 +02:00 [VRB] [HTTP] Request completed with status "OK"
2024-02-27 09:00:07.148 +02:00 [VRB] [HTTP] Response content: {
  "status": "ready",
  "expires": "2024-03-04T07:00:10Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.xn--smesite-90a.se"
    },
    {
      "type": "dns",
      "value": "xn--smesite-90a.se"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/...",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/..."
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/..."
}
...
2024-02-27 09:00:07.330 +02:00 [VRB] Submitting CSR
2024-02-27 09:00:07.341 +02:00 [DBG] [HTTP] Send POST to "https://acme-v02.api.letsencrypt.org/acme/finalize/..."
2024-02-27 09:00:07.341 +02:00 [VRB] [HTTP] Request content: {"protected":"eyJhb..."}
2024-02-27 09:00:07.486 +02:00 [WRN] [HTTP] Request completed with status "BadRequest"
2024-02-27 09:00:07.486 +02:00 [VRB] [HTTP] Response content: {
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error finalizing order :: Cannot issue for \"www.sömesite.se\": Domain name contains an invalid character",
  "status": 400
}

Success log from 2.2.6:

2024-02-27 09:18:46.799 +02:00 [DBG] [HTTP] Send POST to "https://acme-v02.api.letsencrypt.org/acme/order/..."
2024-02-27 09:18:46.799 +02:00 [VRB] [HTTP] Request content: {"protected":"eyJhb..."}
2024-02-27 09:18:46.989 +02:00 [VRB] [HTTP] Request completed with status "OK"
2024-02-27 09:18:46.990 +02:00 [VRB] [HTTP] Response content: {
  "status": "ready",
  "expires": "2024-03-04T07:00:10Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.xn--smesite-90a.se"
    },
    {
      "type": "dns",
      "value": "xn--smesite-90a.se"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/...",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/..."
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/..."
}
...
2024-02-27 09:18:47.211 +02:00 [VRB] Submitting CSR
2024-02-27 09:18:47.219 +02:00 [DBG] [HTTP] Send POST to "https://acme-v02.api.letsencrypt.org/acme/finalize/..."
2024-02-27 09:18:47.219 +02:00 [VRB] [HTTP] Request content: {"protected":"eyJhb..."}
2024-02-27 09:18:48.143 +02:00 [VRB] [HTTP] Request completed with status "OK"
2024-02-27 09:18:48.143 +02:00 [VRB] [HTTP] Response content: {
  "status": "valid",
  "expires": "2024-03-04T07:00:10Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.xn--smesite-90a.se"
    },
    {
      "type": "dns",
      "value": "xn--smesite-90a.se"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/...",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/..."
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/...",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/..."
}

Platform:

• Windows Server 2016 Standard, English
• Version: 2.2.7, 64-bit, pluggable

[WouterTinus]

Hi @jari-e21, thanks for reporting the issue, I've confirmed this as a bug and it's fixed in this build: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49285742/artifacts