I’ve been trying to work through the DNS challenge verification on the staging ACME server and have a few questions:
If the challenge URI is responding with a 202 and `invalid` status, does that mean it’s polling DNS and it will eventually go to `valid` assuming the correct TXT record is in place? What’s the time horizon and polling frequency on this validation?
I’m confused about what exactly should go in the TXT record. The key authorization, as I understand it, is a concatenation of the challenge token, a period, and the JWK thumbprint for the account key.
Is the TXT record then meant to be a base64 encoding of the SHA256 hash of the entire key authorization? What’s the need for the extra level of obfuscation here since the token is randomly assigned to each challenge and the thumbprint is only based on the public key and therefore contains no secret information?
I was able to successfully provide a key authorization but only when using the `go-jose` library used by boulder. When I tried to create a thumbprint using node-jose I was unable to reproduce an identical thumbprint. Is anyone aware of a Node.js library that can successfully generate an ACME-compatible thumbprint?
If I can get these answered, I think I’ll have all I need to build the solution I’m looking to build. Thanks!