Http and Dns challenge uses same token?

Hi people, does anyone know if the token (digital signature) is the same in the HTTP and DNS challenge processes?

Let me be more clear. I am trying to use the client version of the project https://github.com/eggsampler/acme. However, it only has the challenge in HTTP mode, which is working. But I need the DNS mode. To sum up, I took the content from the .well-known/acme-challenge token and put it in the _acme-challenge TXT record, but it shows as an incorrect record.

2 Likes

Welcome to the Let's Encrypt Community, Carlos :slightly_smiling_face:

They are definitely not the same.

Give me a second and I'll give you the details.

2 Likes

My PHP...

// base64url without padding, as JOSE/ACME require
function b64e($binarystring)
{
  return strtr(rtrim(base64_encode($binarystring), '='), '+/', '-_');
}

// compact JSON with no whitespace and unescaped slashes
function jsone($data)
{
  return json_encode($data, JSON_UNESCAPED_SLASHES);
}

// $e and $n are the hex-encoded public exponent and modulus of the account key
// (assumed to be set earlier); members must stay in lexicographic order (e, kty, n)
// for the RFC 7638 thumbprint
$jwk = [
  "e" => b64e(hex2bin($e)),
  "kty" => "RSA",
  "n" => b64e(hex2bin($n))
];

$Thumbprint = b64e(openssl_digest(jsone($jwk), "sha256", true));

// $challenge is the challenge object from the authorization (assumed to be fetched earlier)
$challengevalue = "{$challenge["token"]}.{$Thumbprint}";

// HTTP-01: the file body is the key authorization as-is
$httpchallengevalue = $challengevalue;

// DNS-01: the TXT record is base64url(SHA-256(key authorization))
$dnschallengevalue = b64e(openssl_digest($challengevalue, "sha256", true));

1 Like

When using github.com/eggsampler/acme, there is a function which will give you the required TXT record.

You just need to pass in the KeyAuthorization from the challenge struct (which if you recall, would be the contents of the file for the HTTP challenge):

txt := acme.EncodeDNS01KeyAuthorization(chall.KeyAuthorization)

4 Likes
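The two replies above (the PHP sketch and the eggsampler/acme one-liner) describe the same derivation: HTTP-01 serves the key authorization `token.thumbprint` unchanged, while DNS-01 publishes `base64url(SHA-256(keyauthorization))`. The following Go program is an added example, not code from the thread or from the eggsampler/acme project; it computes both values from an RSA account key and includes the check a CA (or an operator pre-flighting a record) would run, showing why a TXT record holding the raw HTTP-01 content fails. The modulus and token are constructed placeholders, not a real key or a real challenge.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64url encodes without padding, as JOSE and ACME (RFC 8555) require.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// rsaJWK holds the public members of an RSA JWK. Field order matters: RFC 7638
// hashes the members in lexicographic order (e, kty, n) with no whitespace.
type rsaJWK struct {
	E   string `json:"e"`
	Kty string `json:"kty"`
	N   string `json:"n"`
}

// newRSAJWK builds the JWK from the big-endian bytes of modulus n and exponent e.
func newRSAJWK(n, e *big.Int) rsaJWK {
	return rsaJWK{E: b64url(e.Bytes()), Kty: "RSA", N: b64url(n.Bytes())}
}

// canonicalJSON returns the exact bytes that are hashed for the thumbprint.
// encoding/json emits struct fields in declaration order with no whitespace,
// and the base64url alphabet contains nothing json escapes.
func canonicalJSON(k rsaJWK) string {
	b, err := json.Marshal(k)
	if err != nil {
		panic(err) // cannot happen for this fixed struct
	}
	return string(b)
}

// thumbprint is the RFC 7638 JWK thumbprint: base64url(SHA-256(canonical JSON)).
func thumbprint(k rsaJWK) string {
	sum := sha256.Sum256([]byte(canonicalJSON(k)))
	return b64url(sum[:])
}

// keyAuthorization is the HTTP-01 file body: token "." thumbprint (RFC 8555 section 8.1).
func keyAuthorization(token string, k rsaJWK) string {
	return token + "." + thumbprint(k)
}

// dns01Value is the _acme-challenge TXT record: base64url(SHA-256(key authorization))
// (RFC 8555 section 8.4). This is what acme.EncodeDNS01KeyAuthorization computes.
func dns01Value(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64url(sum[:])
}

// verifyTXT is the comparison the CA makes against the published record; an
// operator can run it locally before asking the CA to validate.
func verifyTXT(record, keyAuth string) bool {
	return record == dns01Value(keyAuth)
}

func main() {
	// Constructed placeholder key material: a modulus of 65537 is obviously not a
	// real RSA key, but the derivation is identical for a real one.
	k := newRSAJWK(big.NewInt(65537), big.NewInt(65537))
	token := "constructed-token-not-a-real-challenge"

	ka := keyAuthorization(token, k)
	fmt.Println("HTTP-01 file body: ", ka)
	fmt.Println("DNS-01 TXT value:  ", dns01Value(ka))
	// The mistake from the opening post: publishing the HTTP-01 content as the TXT record.
	fmt.Println("raw key auth in TXT passes validation?", verifyTXT(ka, ka))
	fmt.Println("hashed value in TXT passes validation? ", verifyTXT(dns01Value(ka), ka))
}
```

The thumbprint is a hash over the public key only, so it is stable across orders and challenges; the token is what changes per challenge, and the extra SHA-256 step for DNS-01 is what keeps the TXT record from being a copy-paste of the HTTP-01 file.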

It works, really, thanks _az

./certbot-dns -domains=renan2.testessl.rs.gov.br -contact=xxxxx@procergs.rs.gov.br

2020/11/25 19:42:14 Connecting to acme directory url: https://acme-staging-v02.api.letsencrypt.org/directory
2020/11/25 19:42:15 Loading account file account.json
2020/11/25 19:42:16 Account url: https://acme-staging-v02.api.letsencrypt.org/acme/acct/16789408
2020/11/25 19:42:16 Creating new order for domains: [renan2.testessl.rs.gov.br]
2020/11/25 19:42:16 Order created: https://acme-staging-v02.api.letsencrypt.org/acme/order/16789408/191698727
2020/11/25 19:42:16 Fetching authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/162049543
2020/11/25 19:42:17 Fetched authorization: renan2.testessl.rs.gov.br
2020/11/25 19:42:17 Creating challenge token file: /var/www/html/.well-known/acme-challenge/TAm7oyoTSGt41NuDvi3eoq85cOoMWNARQdDZZuQ6Z9E
2020/11/25 19:43:17 Updating challenge for authorization renan2.testessl.rs.gov.br: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/162049543/xG5NOQ
2020/11/25 19:43:18 Challenge updated
2020/11/25 19:43:18 Generating certificate private key
2020/11/25 19:43:18 Writing key file: privkey.pem
2020/11/25 19:43:18 Creating csr
2020/11/25 19:43:18 Finalising order: https://acme-staging-v02.api.letsencrypt.org/acme/order/16789408/191698727
2020/11/25 19:43:19 Fetching certificate: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fac527731e5ddb7d1a78ce4cd3e152b67d1c
2020/11/25 19:43:19 Saving certificate to: cert.pem
2020/11/25 19:43:19 Done.

3 Likes

I'm glad you got this sorted, I'll look at adding an example to use this.

3 Likes

Thanks griffin, I think that is the same thing that _az said.

3 Likes

It is. I just gave you a peek inside the black box. :blush:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.