Is there any better documentation for dns-01 challenge validation?


#1

[Moderator’s note 2017-05-11: Certbot now supports DNS challenges via the manual plugin, and there are Certbot plugins to automate issuance with some specific providers like certbot-route53]

Is there any better documentation for dns-01 challenge validation ?
any do you know any php based client for dns validation?

thanks.


#2

Better than what, exactly? :smile:

The “official” reference would be the ACME draft.

I’m not aware of any PHP libraries with dns-01 support, but maybe you’d be able to use one of the other alternative clients in your PHP app. (At any rate, reading the existing client implementations with dns-01 support might help you write your own.)


#3

thanks for the quick reply.
can you tell me what should i send in payload?
to this uri ?
https://acme-v01.api.letsencrypt.org/acme/challenge/fBURDd1xoWd07tSfM-EEH7Ayk1_sPZEbqIlR8pvOzzg/84499166


#4

{“type”:“urn:acme:error:malformed”,“detail”:“Unable to update challenge :: Response does not complete challenge”,“status”:400}

tired of seeing this error again and again/


#5

What are you sending to the server when that occurs, and which resource is this about?


#6
$token='mqPEzqRAn2Jl_eXiTTcHn4D3mjGxk9TADBia_pG72OI'; 

$privateKey=openssl_pkey_get_private(file_get_contents('account.key'));
$details = openssl_pkey_get_details($privateKey);


$header = array(
            "alg" => "RS256",
            "jwk" => array(
                "kty" => "RSA",
                "n" => base64url_encode($details["rsa"]["n"]),
                "e" => base64url_encode($details["rsa"]["e"]),
            )
        );
        
        $pubkey_thumbprint = base64url_encode(hash('sha256',json_encode($header['jwk']),true));
        $challenge = $token.'.'.$pubkey_thumbprint;
       $payload=array("resource" => "challenge","keyAuthorization"=>$challenge); 
        
        $protected = $header;
        $protected["nonce"] = get_headers('https://acme-v01.api.letsencrypt.org/directory', 1)['Replay-Nonce'];
        $payload64 = base64url_encode(str_replace('\\/', '/', json_encode($payload)));
        $protected64 = base64url_encode(json_encode($protected));
        openssl_sign($protected64.'.'.$payload64, $signed, $privateKey, "SHA256");
        $signed64 = base64url_encode($signed);
        $data = array(
            'header' => $header,
            'protected' => $protected64,
            'payload' => $payload64,
            'signature' => $signed64
        );

        $post_content=json_encode($data); //data to be posted via curl
        
     $dns_txt_content=base64url_encode(hash('sha256',$challenge,true));  // content for _acme-challenge.mydomain.com  TXT record ?



function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

#7

any help on this? please


#8

I have been reading up on this too the entire day today and yes documentation out there is very minimal so I hope this helps.

It seems the way to do this is using the letsencrypt.sh script which then calls a hook to your dns or you can call a manual hook which pauses, gives you the TXT record which you can then go and put into your domain file, test it works of course and then continue the script.

After hours of reading :sleeping: I am now about to actually test all of this now. Crazy that 6 hours solid of research amounted to one whole paragraph :joy: but that’s what it’s all about, read read and read some more before even starting to fiddle.


#9

All of the bash and Go clients ( https://github.com/certbot/certbot/wiki/Links ) support the DNS challenge - and most have reasonable documentation about how to use it.


#10

Great, thanks for the link serverco.


#11

Also going to plug my own client, which is designed for getting certificates manually using DNS.


#12

Another solution: We implemented / extended the manual plugin for Certbot. It supports DNS-01, HTTP-01, TLS-SNI-01 verification methods.

It works either by calling an external program / hook which performs the validation - parameters are passed in ENV vars, e.g., TXT token, domain name, … Hooks are compatible with Dehydrated hooks.

Or it works in a JSON mode - STDOUT is JSON only so invoker can read it, process JSON and perform the validation steps. The certbot waits for \n character on STDIN to continue with the verification.

Example of JSON object on STDOUT to verify:

{"cmd": "validate", "type": "dns-01", "validation": "rwfX5jrRQXOiXLOgPL0RM4QtVx0oEIK_pA4Y4eSjqOI", "domain": "_acme-challenge.stoke2.pki.enigmabridge.com", "key_auth": "AfWfkObOD6vyCKXA1tE0Y2Eub9kvltKB7DH5zGxSG04.tRQM98JsABZRm5-NiotcgD212RAUPPbyeDP30Ob_7-0"}

For more documentation and examples please refer to the repo

There is also a blogpost describing the scenario in further detail


#13

the dns-01 challenge is supported by certbot now, without the need for plugins ( it wasn’t when this thread was started :wink: )


#14

If you have a nice scriptable way for DNS-01 challenge with certbot, it would be nice to state an example.


#15

personally I use getssl (as there were things certbot wouldn’t do when I started). but I have done some testing with certbot and cloudflare DNS if no-one else provides some scripts.


#16

I found your comment here

Aaaand my plugin supports the way certbot WILL work when this is merged - scripting. For now, it is not merged so there is no support in the release version of certbot. The plugin supports scripting - as you wanted in the comment…

Moreover the plugin supports JSON output for more complicated integration scenarios (e.g., deployment server calls certbot, Ansible or something like that)


#17

The script plugin is something that I’m looking forward to, yes - that is different to the original question ( and my comment) about the dns-01 challenge being supported in cerbot though.


#18

If you are personally not interested in using DNS validation in practice thats OK. People here asked how to perform DNS validation (e.g., via PHP). I think somebody is not looking for documentation just as a nice reading, but to use it, implement it, integrate it… (e.g., @MitchellK)

So I provide information also for them, that it is possible to do DNS automatically, for example with our plugin (php can call certbot with the plugin, parse JSON OR certbot can call php handler script that does DNS validation). It was not possible to script it or integrate it (with certbot) automatically before, thats the idea of the message.

Btw would be nice to state a disclaimer getssl is your alternative client for LE (and is nice for scripting & automation also, good job)


#19

I’m sure we are talking at cross purposes here …

You say "[quote=“ph4r05, post:18, topic:15665”]
If you are personally not interested in using DNS validation in practice thats OK.
[/quote]

I have no idea where you have this from. I use the DNS challenge all the time. My response above was I use the DNS challenge !!! I’ve written a package that implements the dns challenge (amongst other things), so I’m actually very interested in the DNS challenge ( and why I responded here )

You post to a link on a different topc through ( the scripting plugin) where I “I’m interested in the script plugin for certbot as that will enable a lot of things that were not possible before ( such as placing tokens on remote servers via ssh) which was the reason I wrote getssl in the first place.” And state this is a link to where I’m doing DNS scripting - it wasn’t - hence my comment above that it was " different to the original question"

Since this was an old thread - and 4 months later you responded on it - I simply pointed out that things have changed ( certbot didn’t support the dns-01 challenge then, it does now)

When you asked me for my examples I commented (above in this thread) that most of my DNS implementation has been with a different client, hence there may be others that have better cases to demonstrate using certbot as the client.

in terms of MitechelK, they were asking about a specific bash client ( not PHP ) and there was a response to that.


#20

Basically - there is a plugin, take it or leave it.

As I see it MitechelK, wanted a way to do DNS validation somehow (not manually). I am saying it is possible to do it with hooks now with the plugin & certbot (new information). And it also supports dehydrated DNS hooks, thats it.

Certbot now supports dns-01 challenge, great, thanks for that. But the only plugin I see in the release version of the certbot using dns-01 is the manual plugin = you have to update DNS record on your own, manually, somewhere in DNS admin. Thats kind of hard to automate / parse. So yes, certbot supports dns-01, thats great, but if you want to use it by calling certbot from CLI and script it (e.g., DNS hook) you just cannot do that, without scripting. So for somebody it may be - well certbot supports dns-01 by half, the second part - DNS script does not work yet.