Generate dns-01 TXT challenge with ACME-python



Hi,

I'm using the acme-python library and I can't get a domain to pass dns-01 (TXT) validation. I construct the TXT value in two steps:

  1. key_authorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
  2. TXT value = base64url(SHA-256(key_authorization))

(where base64url is the URL-safe alphabet with the '=' padding stripped, as ACME uses everywhere — not standard base64)

are they correct?

I'm also attaching my test code:

import base64
import hashlib
import json
import logging
import os
import sys

import pkg_resources
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
import OpenSSL

from acme import client
from acme import jose
from acme import messages

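DIRECTORY_URL = 'https://acme-staging.api.letsencrypt.org/directory'
BITS = 2048  # minimum for Boulder
DOMAIN = 'rata7.calmisko.org'  # example.com is ignored by Boulder


def _b64url(data: bytes) -> str:
    """Return the unpadded base64url encoding ACME uses everywhere.

    This is the same encoding as ``jose.b64encode``: URL-safe alphabet,
    ``=`` padding stripped. Plain ``base64`` would produce a wrong TXT value.
    """
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def dns01_txt_value(token: str, thumbprint: bytes) -> str:
    """Compute the dns-01 TXT record value for a challenge token.

    Args:
        token: the ``token`` field of the dns-01 challenge as sent by the CA.
        thumbprint: raw SHA-256 JWK thumbprint of the *account* key.

    Returns:
        The 43-character value to publish at ``_acme-challenge.<domain>``:

            key_authorization = token || '.' || base64url(thumbprint)
            TXT value         = base64url(SHA-256(key_authorization))

    Both encodings are unpadded base64url. Because the value depends on the
    account key, a different account key (or a new token) requires a new record.
    """
    key_authorization = token + '.' + _b64url(thumbprint)
    return _b64url(hashlib.sha256(key_authorization.encode('utf-8')).digest())


def main() -> None:
    """Register a throwaway staging account, request a dns-01 challenge,
    print the TXT record, answer the challenge and show the poll result."""
    # NOTE: generating a fresh account key on every run creates a new account
    # *and* a new thumbprint, so a TXT record published by an earlier run can
    # never match. Persist the key once this stops being a throwaway script.
    key = jose.JWKRSA(key=rsa.generate_private_key(
        public_exponent=65537,
        key_size=BITS,
        backend=default_backend()))
    acme = client.Client(DIRECTORY_URL, key)

    regr = acme.register()
    acme.agree_to_tos(regr)

    authzr = acme.request_challenges(
        identifier=messages.Identifier(typ=messages.IDENTIFIER_FQDN, value=DOMAIN),
        new_authzr_uri=regr.new_authzr_uri)

    # Find the dns-01 challenge body; fail explicitly instead of with a
    # NameError on `token` if the CA offered no dns-01 challenge.
    dns_challb = None
    for challb in authzr.body.challenges:
        if challb.to_json()['type'] == 'dns-01':
            dns_challb = challb
            break
    if dns_challb is None:
        raise SystemExit('CA offered no dns-01 challenge for ' + DOMAIN)

    token = dns_challb.to_json()['token']
    thumbprint = key.thumbprint(hash_function=hashes.SHA256)
    validation = dns01_txt_value(token, thumbprint)
    # Cross-check the hand-rolled value against the library's own
    # implementation; a mismatch means the encoding is wrong, not the DNS.
    if validation != dns_challb.chall.validation(key):
        raise SystemExit('hand-rolled TXT value disagrees with DNS01.validation()')

    print('_acme-challenge.' + DOMAIN + ' IN TXT ' + validation)

    # The CA only validates after the client answers the challenge; without
    # answer_challenge() poll() reports "pending" forever, whatever the TXT
    # record says. Publish the record and let it propagate (verify with a
    # public resolver) *before* answering: a failed validation is final for
    # this authorization.
    sys.stdout.write('Publish the TXT record above, then press Enter to ask the CA to validate: ')
    sys.stdout.flush()
    sys.stdin.readline()
    acme.answer_challenge(dns_challb, dns_challb.chall.response(key))

    authzr, authzr_response = acme.poll(authzr)
    for challenge in json.loads(authzr_response.content.decode())['challenges']:
        if challenge['type'] == 'dns-01':
            print(challenge)


if __name__ == '__main__':
    main()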

URL: https://acme-staging.api.letsencrypt.org/acme/challenge/gY1_hYSb-BRSvo-pPzXYrzEfBCE6LcY-ZTSWsgDQTeE/1679110
DIG: _acme-challenge.rata7.calmisko.org. 3599 IN TXT "8bGFl9SNhZzukcwdR7e52gFwq6HaEHB43LbimZQwnLg"