ACME DNS validation - get 'incorrect TXT' error with the correct value

eilon · June 21, 2022, 1:59pm

My domain is: acme-eilon-123.incaptest.co

I ran this command:

https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2772601574

It produced this output:

{
"identifier": {
"type": "dns",
"value": "acme-eilon-123.incaptest.co"
},
"status": "invalid",
"expires": "2022-06-28T13:43:09Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0" found at _acme-challenge.acme-eilon-123.incaptest.co",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2772601574/RFgHdA",
"token": "DM-FfJAjetBnS1a9IX-wmtxOmjhjceN1SMTg7nZtmq0",
"validated": "2022-06-21T13:48:52Z"
}
]
}

Note that the TXT record in the error is the same as the token, what I am doing wrong?

mcpherrinm · June 21, 2022, 2:09pm

The value of the TXT record isn't just the token: it's the base64url-encoded sha256 of a key authorization.

RFC 8555 documents how to construct this in sections 8.1 (for the key authorization) and 8.4, for the DNS challenge type:

rfc8555 section 8.1

rfc8555 section 8.4

eilon · June 21, 2022, 2:29pm

Just went over it now,

Thank you

mcpherrinm · June 21, 2022, 2:49pm

It’s worded very formally, please feel free to ask any questions if there’s anything unclear or you’re having trouble with still.

system · July 21, 2022, 2:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.