fix: convert IDN/Cyrillic domains to punycode before calling certbot

certbot rejects non-ASCII domain names; convert using Python's idna
encoder per-label so мои-товары.рф becomes xn--e1afmapc4af.xn--p1af.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/init-letsencrypt.sh

@@ -29,6 +29,21 @@ fi
 EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
 ACME_DIR="/var/www/certbot"
 
+# Convert IDN/Cyrillic domain to punycode (certbot requires ASCII)
+PUNYCODE=$(python3 -c "
+import sys
+d = sys.argv[1]
+try:
+    parts = d.split('.')
+    print('.'.join(p.encode('idna').decode('ascii') for p in parts))
+except Exception:
+    print(d)
+" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
+
+if [ "$PUNYCODE" != "$DOMAIN" ]; then
+  echo "==> IDN domain detected: $DOMAIN → $PUNYCODE"
+fi
+
 echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"
 echo "    Email: $EMAIL"
 
@@ -43,13 +58,13 @@ sudo certbot certonly \
     --email "$EMAIL" \
     --agree-tos \
     --no-eff-email \
-    -d "$DOMAIN" \
-    -d "www.$DOMAIN"
+    -d "$PUNYCODE" \
+    -d "www.$PUNYCODE"
 
 echo ""
 echo "==> Certificate obtained for $DOMAIN"
-echo "    /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
-echo "    /etc/letsencrypt/live/$DOMAIN/privkey.pem"
+echo "    /etc/letsencrypt/live/$PUNYCODE/fullchain.pem"
+echo "    /etc/letsencrypt/live/$PUNYCODE/privkey.pem"
 echo ""
 echo "==> Generate nginx config and reload:"
 echo "    sudo ./scripts/generate-nginx-conf.sh $DOMAIN"