Dns-01 challenge failure / wildcard certificate

fxbois · May 15, 2018, 4:02pm

I've been trying to implement an ACME-V2 client in PHP.

I am surprised by an error during a dns challenge handling (I am working with the staging endpoint).

My DNS has the two TXT records set with the good values

dig -t TXT _acme-challenge.web-mode.org
_acme-challenge.web-mode.org. IN TXT "aK_ngsNCM-f7nbs67yR0gF8Z0eWUoyhiY1NLOBNXDfg"
_acme-challenge.web-mode.org. IN TXT "EE2gMpn3BWsgi5AEik97yQXkrqW3B6cSQE28Q4jw4-I"

When I respond to the 2 challenges (for web-mode.org and *.web-mode.org) I have this kind of error
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "EE2gMpn3BWsgi5AEik97yQXkrqW3B6cSQE28Q4jw4-I" (and 1 more) found at _acme-challenge.web-mode.org",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/ZlxGjRejxoyFKh-MFS1igOqhVbaLSfzAjZlYFCtcdFI/127568182",
"token": "aK_ngsNCM-f7nbs67yR0gF8Z0eWUoyhiY1NLOBNXDfg"
}

So it seems to me that let's encrypt has found a good token in the dns zone but says it is not the good one. I am very puzzled.

Do you have any idea ?

_az · May 15, 2018, 11:31pm

You are putting the wrong value into the TXT record and getting a slightly unhelpful error message from the CA.

This:

is not the final key authorization value to put into the DNS record. It has to combined with your account key.

The spec documents how to do this:

key-authz = token || '.' || base64url(JWK_Thumbprint(accountKey))

The spec also has an example of what this should look like - note that the example token LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0 is followed by another value in final HTTP challenge file.

mnordhoff · May 16, 2018, 1:04am

The DNS challenge isn’t exactly the same as the HTTP challenge.

The DNS challenge uses the base64-encoded SHA-256 hash of the key-authz. The HTTP challenge just uses the key-authz.

The right DNS challenge value looks the same as a token, but isn’t.

https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-8.4

system · June 15, 2018, 1:05am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
'invalid' status for dns-01 challenge in custom acme-client Help	3	1769	May 21, 2019
Is there any better documentation for dns-01 challenge validation?	22	23953	February 24, 2017
DNS-01 challenge for wildcard cert - explanation? Client dev	9	6042	October 12, 2018
ACME DNS Challenge TXT record not found Help	8	18466	February 28, 2019
ACME DNS validation - get 'incorrect TXT' error with the correct value Help	4	495	July 21, 2022

Dns-01 challenge failure / wildcard certificate

Related topics