Dns-01 challenge failure / wildcard certificate


#1

I’ve been trying to implement an ACME-V2 client in PHP.

I am surprised by an error during a dns challenge handling (I am working with the staging endpoint).

My DNS has the two TXT records set with the good values

dig -t TXT _acme-challenge.web-mode.org
_acme-challenge.web-mode.org. IN TXT “aK_ngsNCM-f7nbs67yR0gF8Z0eWUoyhiY1NLOBNXDfg”
_acme-challenge.web-mode.org. IN TXT “EE2gMpn3BWsgi5AEik97yQXkrqW3B6cSQE28Q4jw4-I”

When I respond to the 2 challenges (for web-mode.org and *.web-mode.org) I have this kind of error
{
“type”: “dns-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Incorrect TXT record “EE2gMpn3BWsgi5AEik97yQXkrqW3B6cSQE28Q4jw4-I” (and 1 more) found at _acme-challenge.web-mode.org”,
“status”: 403
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/challenge/ZlxGjRejxoyFKh-MFS1igOqhVbaLSfzAjZlYFCtcdFI/127568182”,
“token”: “aK_ngsNCM-f7nbs67yR0gF8Z0eWUoyhiY1NLOBNXDfg”
}

So it seems to me that let’s encrypt has found a good token in the dns zone but says it is not the good one. I am very puzzled.

Do you have any idea ?


#2

You are putting the wrong value into the TXT record and getting a slightly unhelpful error message from the CA.

This:

is not the final key authorization value to put into the DNS record. It has to combined with your account key.

The spec documents how to do this:

key-authz = token || '.' || base64url(JWK_Thumbprint(accountKey))

The spec also has an example of what this should look like - note that the example token LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0 is followed by another value in final HTTP challenge file.


#3

The DNS challenge isn’t exactly the same as the HTTP challenge.

The DNS challenge uses the base64-encoded SHA-256 hash of the key-authz. The HTTP challenge just uses the key-authz.

The right DNS challenge value looks the same as a token, but isn’t.

https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-8.4