Hello, please advise:
I am creating a client that verifies the domains basakova.cz,*.basakova.cz
I will insert TXT records into DNS according to the returned token from acme.
Subsequent verification returns an error: Incorrect TXT record.
Please why is there an error when the string is the same?
I found similar problems here on the forum. Most solved by waiting for TTL.
I have TTL set to 0, so the changes are visible immediately.
Or there were too many old TXT records.
I only keep 2 TXT up to date.
Most ACME clients will compute this value for you. I assume you're writing your own, in which case you'll have to compute the value. Or if you're using a library, there should be a function to get the TXT record value.
I need to incorporate the generation into the administration, that's why I'm making my client.
Sorry, I'm not very proficient in ssl.
I created a string: "token.fingerprint_account_key" which is the same content that I put in the website when I do http-01 authorization.
Then I tried the whole thing:
1/ the string itself - invalid
2/ openssl_digest(string, sha256) - invalid
3/ base64_url(openssl_digest(string, sha256)) - invalid
4/ base64_url(string) - invalid
Could you please direct me one more time?
I made a fingerprint from the account key I use to log in to acme.
I guess I misunderstood: (in RFC) Compute the SHA-256 digest [FIPS180-4] of the stored key authorization
From the RFC: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
That's how you compute the key authorization.
A client fulfills this challenge by constructing a key authorization
from the "token" value provided in the challenge and the client's
account key. The client then computes the SHA-256 digest [FIPS180-4]
of the key authorization.
That's the key authorization above, which is the token, a ., and then the base64 thumbprint.
The record provisioned to the DNS contains the base64url encoding of
this digest.
So the DNS record is the sha256 of the keyAuthorization, base64url-encoded.
That looks like what you've written as option 3 above.
If you can't get this to work, I'd suggest using an off-the-shelf library instead of writing your own from scratch, or at least testing with another client to make sure you're computing the same value
Another recommendation I would make if you're building your own client would be to test against other server implementations, like Pebble, to make sure that you're not just accidentally matching Let's Encrypt's behavior.
But usually you can just use an existing client or library, rather than writing your own, and that makes things much easier.
Thanks everyone for the advice. I tried several other combinations and every time: Invalid.
Just that I used some PHP library. But it only has HTTP-01 authentication. I tried to finish the DNS-01 verification. I guess I'm giving the wrong key.
I will try to use another library.
Thank you very much for your help.
Finally I went through another client in PHP and found the problem. I did it right as you write. Only when using the PHP function openssl_digest I did not pass the 3rd parameter.
I put: openssl_digest(string, sha256);
It should have been: openssl_digest(string, sha256, TRUE);
Now it works!
If anyone needs it, here's a solution in PHP: txt_rdata = base64_encode(openssl_digest(token dot fingerprint_account_key_in_base64, sha256, true))
