refactor: remove IDN auto-conversion, pass punycode directly to TLS scripts

Simpler than auto-converting: just pass xn----8sbfwtmcso8g.xn--p1ai directly.
Updated usage comments in both scripts to reflect this.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/generate-nginx-conf.sh

@@ -2,9 +2,10 @@
 # Generate an nginx site config for one domain from the template.
 #
 # Usage:
-#   sudo ./scripts/generate-nginx-conf.sh мои-товары.рф
 #   sudo ./scripts/generate-nginx-conf.sh my-products.ru
+#   sudo ./scripts/generate-nginx-conf.sh xn----8sbfwtmcso8g.xn--p1ai
 #
+# For IDN/Cyrillic domains, pass the punycode form.
 # Writes to /etc/nginx/sites-available/<domain>.conf and symlinks to sites-enabled.
 # If no argument is given, DOMAIN is read from .env.
 
@@ -30,26 +31,11 @@ if [ -z "${DOMAIN:-}" ]; then
   exit 1
 fi
 
-# Convert IDN/Cyrillic domain to punycode for cert paths and server_name
+CONF_FILE="/etc/nginx/sites-available/${DOMAIN}.conf"
-PUNYCODE=$(python3 -c "
+ENABLED_LINK="/etc/nginx/sites-enabled/${DOMAIN}.conf"
-import sys
-d = sys.argv[1]
-try:
-    parts = d.split('.')
-    print('.'.join(p.encode('idna').decode('ascii') for p in parts))
-except Exception:
-    print(d)
-" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
 
-if [ "$PUNYCODE" != "$DOMAIN" ]; then
+echo "==> Generating nginx config for: $DOMAIN"
-  echo "==> IDN domain detected: $DOMAIN → $PUNYCODE"
+DOMAIN="$DOMAIN" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null
-fi
-
-CONF_FILE="/etc/nginx/sites-available/${PUNYCODE}.conf"
-ENABLED_LINK="/etc/nginx/sites-enabled/${PUNYCODE}.conf"
-
-echo "==> Generating nginx config for: $DOMAIN ($PUNYCODE)"
-DOMAIN="$PUNYCODE" envsubst '$DOMAIN' < "$TEMPLATE" | sudo tee "$CONF_FILE" > /dev/null
 
 if [ ! -L "$ENABLED_LINK" ]; then
   sudo ln -s "$CONF_FILE" "$ENABLED_LINK"
@@ -63,5 +49,4 @@ sudo nginx -t
 
 echo ""
 echo "==> Config written to: $CONF_FILE"
-echo "    Cert path: /etc/letsencrypt/live/$PUNYCODE/"
 echo "    Reload nginx to apply: sudo systemctl reload nginx"

scripts/init-letsencrypt.sh

@@ -2,9 +2,10 @@
 # Obtain a TLS certificate from Let's Encrypt for one domain.
 #
 # Usage:
-#   sudo ./scripts/init-letsencrypt.sh мои-товары.рф
 #   sudo ./scripts/init-letsencrypt.sh my-products.ru
+#   sudo ./scripts/init-letsencrypt.sh xn----8sbfwtmcso8g.xn--p1ai
 #
+# For IDN/Cyrillic domains, pass the punycode form (certbot requires ASCII).
 # If no argument is given, DOMAIN is read from .env.
 # Run once per domain on first deploy.
 
@@ -29,21 +30,6 @@ fi
 EMAIL="${LETSENCRYPT_EMAIL:-admin@$DOMAIN}"
 ACME_DIR="/var/www/certbot"
 
-# Convert IDN/Cyrillic domain to punycode (certbot requires ASCII)
-PUNYCODE=$(python3 -c "
-import sys
-d = sys.argv[1]
-try:
-    parts = d.split('.')
-    print('.'.join(p.encode('idna').decode('ascii') for p in parts))
-except Exception:
-    print(d)
-" "$DOMAIN" 2>/dev/null || echo "$DOMAIN")
-
-if [ "$PUNYCODE" != "$DOMAIN" ]; then
-  echo "==> IDN domain detected: $DOMAIN → $PUNYCODE"
-fi
-
 echo "==> Obtaining certificate for: $DOMAIN (www.$DOMAIN)"
 echo "    Email: $EMAIL"
 
@@ -58,13 +44,13 @@ sudo certbot certonly \
     --email "$EMAIL" \
     --agree-tos \
     --no-eff-email \
-    -d "$PUNYCODE" \
+    -d "$DOMAIN" \
-    -d "www.$PUNYCODE"
+    -d "www.$DOMAIN"
 
 echo ""
 echo "==> Certificate obtained for $DOMAIN"
-echo "    /etc/letsencrypt/live/$PUNYCODE/fullchain.pem"
+echo "    /etc/letsencrypt/live/$DOMAIN/fullchain.pem"
-echo "    /etc/letsencrypt/live/$PUNYCODE/privkey.pem"
+echo "    /etc/letsencrypt/live/$DOMAIN/privkey.pem"
 echo ""
 echo "==> Generate nginx config and reload:"
 echo "    sudo ./scripts/generate-nginx-conf.sh $DOMAIN"