refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts

Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly.
Updated usage comments in both scripts to reflect this.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/init-letsencrypt.sh

@@ -2,9 +2,10 @@
 # Obtain a TLS certificate from Let's Encrypt for one domain.
 #
 # Usage:
-#   sudo ./scripts/init-letsencrypt.sh мои-товары.рф
 #   sudo ./scripts/init-letsencrypt.sh my-products.ru
+#   sudo ./scripts/init-letsencrypt.sh xn----8sbfwtmcso8g.xn--p1ai
 #
+# For IDN/Cyrillic domains, pass the punycode form (certbot requires ASCII).
 # If no argument is given, DOMAIN is read from .env.
 # Run once per domain on first deploy.
 
@@ -29,21 +30,6 @@ fi
 EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
 ACME_DIR="/var/www/certbot"
 
-# Convert IDN/Cyrillic domain to punycode (certbot requires ASCII)
-PUNYCODE=$(python3 -c "
-import sys
-d = sys.argv[1]
-try:
-    parts = d.split('.')
-    print('.'.join(p.encode('idna').decode('ascii') for p in parts))
-except Exception:
-    print(d)
-" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
-
-if [ "$PUNYCODE" != "$DOMAIN" ]; then
-  echo "==> IDN domain detected: $DOMAIN → $PUNYCODE"
-fi
-
 echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"
 echo "    Email: $EMAIL"
 
@@ -58,13 +44,13 @@ sudo certbot certonly \
     --email "$EMAIL" \
     --agree-tos \
     --no-eff-email \
-    -d "$PUNYCODE" \
-    -d "www.$PUNYCODE"
+    -d "$DOMAIN" \
+    -d "www.$DOMAIN"
 
 echo ""
 echo "==> Certificate obtained for $DOMAIN"
-echo "    /etc/letsencrypt/live/$PUNYCODE/fullchain.pem"
-echo "    /etc/letsencrypt/live/$PUNYCODE/privkey.pem"
+echo "    /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
+echo "    /etc/letsencrypt/live/$DOMAIN/privkey.pem"
 echo ""
 echo "==> Generate nginx config and reload:"
 echo "    sudo ./scripts/generate-nginx-conf.sh $DOMAIN"