Http and Dns challenge uses same token?

crenanlouzada · November 25, 2020, 7:07pm

Hi people, someone know if the token (digital signature) is the same in http and dns challenge processes?

Let me be more clear. I am trying to use the client version of the project https://github.com/eggsampler/acme. However it has only the challenge in http mode, which is even working. However i need the dns mode. To sum up I took content from the .well-known / acme-challenge token and put it in the _acme-challenge txt record but it shows me as an incorrect record.

griffin · November 25, 2020, 8:26pm

Welcome to the Let's Encrypt Community, Carlos

They are definitely not the same.

Give me a second and I'll give you the details.

griffin · November 25, 2020, 8:39pm

My PHP...

function b64e($binarystring)
{
  return strtr(rtrim(base64_encode($binarystring), '='), '+/', '-_');
}

function jsone($data)
{
  return json_encode($data, JSON_UNESCAPED_SLASHES);
}

$jwk = [
  "e" => b64e(hex2bin($e)),
  "kty" => "RSA",
  "n" => b64e(hex2bin($n))
];

$Thumbprint = b64e(openssl_digest(jsone($jwk), "sha256", true));

$challengevalue = "{$challenge["token"]}.{$Thumbprint}";

$httpchallengevalue = $challengevalue;

$dnschallengevalue = b64e(openssl_digest($challengevalue, "sha256", true));

_az · November 25, 2020, 9:19pm

When using github.com/eggsampler/acme, there is a function which will give you the required TXT record.

You just need to pass in the KeyAuthorization from the challenge struct (which if you recall, would be the contents of the file for the HTTP challenge):

txt := acme.EncodeDNS01KeyAuthorization(chall.KeyAuthorization)

crenanlouzada · November 25, 2020, 10:46pm

It works, really tks _az

./certbot-dns -domains=renan2.testessl.rs.gov.br -contact=xxxxx@procergs.rs.gov.br

2020/11/25 19:42:14 Connecting to acme directory url: https://acme-staging-v02.api.letsencrypt.org/directory
2020/11/25 19:42:15 Loading account file account.json
2020/11/25 19:42:16 Account url: https://acme-staging-v02.api.letsencrypt.org/acme/acct/16789408
2020/11/25 19:42:16 Creating new order for domains: [renan2.testessl.rs.gov.br]
2020/11/25 19:42:16 Order created: https://acme-staging-v02.api.letsencrypt.org/acme/order/16789408/191698727
2020/11/25 19:42:16 Fetching authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/162049543
2020/11/25 19:42:17 Fetched authorization: renan2.testessl.rs.gov.br
2020/11/25 19:42:17 Creating challenge token file: /var/www/html/.well-known/acme-challenge/TAm7oyoTSGt41NuDvi3eoq85cOoMWNARQdDZZuQ6Z9E
2020/11/25 19:43:17 Updating challenge for authorization renan2.testessl.rs.gov.br: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/162049543/xG5NOQ
2020/11/25 19:43:18 Challenge updated
2020/11/25 19:43:18 Generating certificate private key
2020/11/25 19:43:18 Writing key file: privkey.pem
2020/11/25 19:43:18 Creating csr
2020/11/25 19:43:18 Finalising order: https://acme-staging-v02.api.letsencrypt.org/acme/order/16789408/191698727
2020/11/25 19:43:19 Fetching certificate: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fac527731e5ddb7d1a78ce4cd3e152b67d1c
2020/11/25 19:43:19 Saving certificate to: cert.pem
2020/11/25 19:43:19 Done.

eggsampler · November 25, 2020, 11:12pm

I'm glad you got this sorted, I'll look at adding an example to use this.

crenanlouzada · November 25, 2020, 11:49pm

tks griffin,I think that is same thing that _az said.

griffin · November 26, 2020, 12:03am

It is. I just gave you a peak inside the black box.

system · December 26, 2020, 12:03am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.