From dbb1f48da71c8a8419b2037966494b42b3bc98a4 Mon Sep 17 00:00:00 2001 From: mguschin Date: Wed, 13 May 2026 14:06:54 +0300 Subject: [PATCH] =?UTF-8?q?fix:=20correct=20punycode=20for=20=D0=BC=D0=BE?= =?UTF-8?q?=D0=B8-=D1=82=D0=BE=D0=B2=D0=B0=D1=80=D1=8B.=D1=80=D1=84=20and?= =?UTF-8?q?=20add=20IDN=20support=20to=20generate-nginx-conf.sh?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit xn--e1afmapc4af.xn--p1af was wrong; correct punycode is xn----8sbfwtmcso8g.xn--p1ai. generate-nginx-conf.sh now converts IDN domains to punycode before expanding the template, so cert paths and server_name directives are always ASCII-safe. Co-Authored-By: Claude Sonnet 4.6 --- nginx/nginx.conf | 8 ++++---- scripts/generate-nginx-conf.sh | 24 ++++++++++++++++++++---- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 8cfb24c..1675f39 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -10,7 +10,7 @@ upstream web { server { listen 80; - server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af; + server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai; location /.well-known/acme-challenge/ { root /var/www/certbot; @@ -23,10 +23,10 @@ server { server { listen 443 ssl; - server_name xn--e1afmapc4af.xn--p1af www.xn--e1afmapc4af.xn--p1af; + server_name xn----8sbfwtmcso8g.xn--p1ai www.xn----8sbfwtmcso8g.xn--p1ai; - ssl_certificate /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/xn--e1afmapc4af.xn--p1af/privkey.pem; + ssl_certificate /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/xn----8sbfwtmcso8g.xn--p1ai/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; diff --git a/scripts/generate-nginx-conf.sh b/scripts/generate-nginx-conf.sh index a747693..3a31cd7 100755 --- a/scripts/generate-nginx-conf.sh 
+++ b/scripts/generate-nginx-conf.sh @@ -30,11 +30,26 @@ if [ -z "${DOMAIN:-}" ]; then exit 1 fi -CONF_FILE="/etc/nginx/sites-available/${DOMAIN}.conf" -ENABLED_LINK="/etc/nginx/sites-enabled/${DOMAIN}.conf" +# Convert IDN/Cyrillic domain to punycode for cert paths and server_name +PUNYCODE=$(python3 -c " +import sys +d = sys.argv[1] +try: + parts = d.split('.') + print('.'.join(p.encode('idna').decode('ascii') for p in parts)) +except Exception: + print(d) +" "$DOMAIN" 2>/dev/null || echo "$DOMAIN") -echo "==> Generating nginx config for: $DOMAIN" -DOMAIN="$DOMAIN" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null +if [ "$PUNYCODE" != "$DOMAIN" ]; then + echo "==> IDN domain detected: $DOMAIN → $PUNYCODE" +fi + +CONF_FILE="/etc/nginx/sites-available/${PUNYCODE}.conf" +ENABLED_LINK="/etc/nginx/sites-enabled/${PUNYCODE}.conf" + +echo "==> Generating nginx config for: $DOMAIN ($PUNYCODE)" +DOMAIN="$PUNYCODE" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null if [ ! -L "$ENABLED_LINK" ]; then sudo ln -s "$CONF_FILE" "$ENABLED_LINK" @@ -48,4 +63,5 @@ sudo nginx -t echo "" echo "==> Config written to: $CONF_FILE" +echo " Cert path: /etc/letsencrypt/live/$PUNYCODE/" echo " Reload nginx to apply: sudo systemctl reload nginx"
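Review bot: The punycode conversion fails open: both the `except Exception: print(d)` branch and the trailing `2>/dev/null || echo "$DOMAIN"` return the raw `$DOMAIN` when python3 is missing or the encode fails. `CONF_FILE`, `ENABLED_LINK` and the `envsubst` output can then still carry a non-ASCII or unvalidated name, contrary to the "always ASCII-safe" claim in the commit message. Because the value becomes part of a path written through `sudo tee` and is substituted into the nginx template, I would abort on conversion failure and reject any result containing characters other than letters, digits, dots and hyphens. As far as I know the `idna` codec passes ASCII characters such as `/`, `;` or spaces through unchanged, so the conversion alone does not validate the name. The script begins and ends outside this hunk, so an earlier check on `$DOMAIN` may already exist; if not, the change would look like this.

```shell
# Convert IDN/Cyrillic domain to punycode; stop instead of falling back to the raw value
PUNYCODE=$(python3 -c '
import sys
print(".".join(p.encode("idna").decode("ascii") for p in sys.argv[1].split(".")))
' "$DOMAIN") || { echo "ERROR: cannot convert domain to punycode: $DOMAIN" >&2; exit 1; }

# Only hostname characters may reach the config path and the template
case "$PUNYCODE" in
  "" | *[!A-Za-z0-9.-]*)
    echo "ERROR: invalid domain name: $DOMAIN" >&2
    exit 1
    ;;
esac

# … unchanged: IDN-detected message, CONF_FILE / ENABLED_LINK assignments, envsubst call …
```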