Dear Community,
Trying the staging environment via a custom ACME client based on PHP.
Apache server.
The digest for the HTTP challenge is retrieved as below:
```php
// Load the ACME account key and read its RSA public components.
$privateKey = openssl_pkey_get_private(file_get_contents($PRIVATEKEYFILE));
$details = openssl_pkey_get_details($privateKey);
// Public JWK with only the required members, in lexicographic order (RFC 7638).
$header = array(
    "e" => LEFunctions::Base64UrlSafeEncode($details["rsa"]["e"]),
    "kty" => "RSA",
    "n" => LEFunctions::Base64UrlSafeEncode($details["rsa"]["n"])
);
// JWK thumbprint: base64url(SHA-256(compact JSON of the JWK)); LEFunctions is LEClient's helper class.
$digest = LEFunctions::Base64UrlSafeEncode(hash('sha256', json_encode($header), true));
```
The digest retrieved is different from the one expected by ACME, even though the same private key is used for signRequestJWK and signRequestKid. The difference in digest is causing "Key authorization file from server did not match this challenge", as below:
Domains covered:
["beok.world","www.beok.world"]
[27-03-2023 08:48:39] :
No account found, attempting to create account.
[27-03-2023 08:48:41] :
LEClient finished constructing
[27-03-2023 08:48:41] :
No order found for 'beok.world'. Creating new order.
[27-03-2023 08:48:42] :
create order is {"request":"POST https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/new-order","header":"HTTP\/2 201 \r\nserver: nginx\r\ndate: Mon, 27 Mar 2023 08:48:42 GMT\r\ncontent-type: application\/json\r\ncontent-length: 489\r\nboulder-requester: 95312624\r\ncache-control: public, max-age=0, no-cache\r\nlink: ;rel=\"index\"\r\nlocation: https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/order\/95312624\/7967804384\r\nreplay-nonce: A272eBHNDIFaHtooEttDZUhFLBJzmEE636gnEn7n2H19gys\r\nx-frame-options: DENY\r\nstrict-transport-security: max-age=604800\r\n\r\n","status":201,"body":{"status":"pending","expires":"2023-04-03T08:48:42Z","identifiers":[{"type":"dns","value":"beok.world"},{"type":"dns","value":"www.beok.world"}],"authorizations":["https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244"],"finalize":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/finalize\/95312624\/7967804384"}}
[27-03-2023 08:48:43] :
update auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/qQuyrw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/2knFzw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]
[27-03-2023 08:48:43] :
Created order for 'beok.world'.
[27-03-2023 08:48:43] :
Pending auths is [{"type":"http-01","identifier":"beok.world","filename":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","content":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"},{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]
[27-03-2023 08:48:43] :
Pending auths is [{"type":"dns-01","identifier":"beok.world","DNSDigest":"nG6ulUC4Fz_VYixI6eHbTF13v3CrYBqqDLTgHUE9lDs"},{"type":"dns-01","identifier":"www.beok.world","DNSDigest":"DPi4YPDxBkiUAmX12UHtgLM_o-ReRSpyVpNOVFrvN1U"}]
[27-03-2023 08:48:43] :
Pending auths is [{"type":"http-01","identifier":"beok.world","filename":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","content":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"},{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]
Creating HTTP challenge file http://beok.world/.well-known/acme-challenge/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo
[27-03-2023 08:48:53] :
verify auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/qQuyrw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/2knFzw","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]
[27-03-2023 08:48:54] :
HTTP challenge for 'beok.world' valid.
[27-03-2023 08:48:58] :
Pending auths is [{"type":"dns-01","identifier":"www.beok.world","DNSDigest":"DPi4YPDxBkiUAmX12UHtgLM_o-ReRSpyVpNOVFrvN1U"}]
[27-03-2023 08:48:58] :
Pending auths is [{"type":"http-01","identifier":"www.beok.world","filename":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","content":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE"}]
Creating HTTP challenge file http://www.beok.world/.well-known/acme-challenge/CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo
[27-03-2023 08:49:08] :
verify auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:48:54Z"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"pending","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"dns-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/vFyVwQ","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"},{"type":"tls-alpn-01","status":"pending","url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/neqmeA","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo"}]}]
[27-03-2023 08:49:09] :
HTTP challenge for 'www.beok.world' valid.
Finalizing the order
[27-03-2023 08:49:12] :
update auths is [{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133234","identifier":{"type":"dns","value":"beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133234\/7dqKRA","token":"HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","validationRecord":[{"url":"http:\/\/beok.world\/.well-known\/acme-challenge\/HvU95c2WWGIhxFtd-w-29MEQzwuT8NphkTwSRx6dkoo","hostname":"beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:48:54Z"}]},{"authorizationURL":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/authz-v3\/5896133244","identifier":{"type":"dns","value":"www.beok.world"},"status":"invalid","expires":"2023-04-03T08:48:42Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge \"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.7VOXAW7fRarPQT4ujHOkD51cisNINrKmwL1AsL6xCIE\" != \"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\"","status":403},"url":"https:\/\/acme-staging-v02.api.letsencrypt.org\/acme\/chall-v3\/5896133244\/5ggN_A","token":"CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","validationRecord":[{"url":"http:\/\/www.beok.world\/.well-known\/acme-challenge\/CaJuyl2mhqoBG09uNjhB1jUeqsn_6lOQyW7jzoHLtgo","hostname":"www.beok.world","port":"80","addressesResolved":["178.32.77.113","2001:41d0:301:3::30"],"addressUsed":"2001:41d0:301:3::30"}],"validated":"2023-03-27T08:49:09Z"}]}]
[27-03-2023 08:49:12] :
Order status for 'beok.world' is 'invalid'. Cannot finalize order.
Can you please check the request and help us identify why ACME is expecting a different digest?
Regards,
~Shyam
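Added example, not code from the post above or from LEClient: the http-01 key authorization recomputed offline exactly as the CA does it (token, a dot, then the RFC 7638 thumbprint of the account's public JWK), checked against the known-answer key published in RFC 7638 section 3.1, plus a helper that pulls the served and expected thumbprints out of Boulder's "did not match this challenge" error detail so the two can be compared directly.

```python
# Added example, not code from the post or from LEClient: recompute the http-01
# key authorization offline the way the CA does (RFC 8555 section 8.1, RFC 7638)
# and compare it with the value Boulder reports as expected. Standard library only.
import base64
import hashlib
import json
import re

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the wire format drops."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def int_to_bytes(value: int) -> bytes:
    """Minimal big-endian octets (RFC 7518 6.3.1): a leading 0x00 byte changes the digest."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def rsa_jwk(n: int, e: int) -> dict:
    """Public JWK with only the required members; 'alg', 'kid' or 'use' must not be present."""
    return {"e": b64url(int_to_bytes(e)), "kty": "RSA", "n": b64url(int_to_bytes(n))}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the members sorted lexicographically, with no whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def thumbprints_from_error(detail: str) -> tuple[str, str]:
    """Split Boulder's '"token.served" != "token.expected"' detail into (served, expected)."""
    pairs = re.findall(r'"([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)"', detail)
    return pairs[0][1], pairs[1][1]

# Known-answer check: the RSA public key and thumbprint published in RFC 7638 section 3.1.
RFC7638_N = int.from_bytes(b64url_decode("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"), "big")
RFC7638_E = 65537  # "AQAB"
RFC7638_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

if __name__ == "__main__":
    jwk = rsa_jwk(RFC7638_N, RFC7638_E)
    print(jwk_thumbprint(jwk) == RFC7638_THUMBPRINT)  # True for a correct implementation
    # The same key with an extra member or a zero-padded 'n' yields a different thumbprint.
    print(jwk_thumbprint({**jwk, "alg": "RS256"}) == RFC7638_THUMBPRINT)  # False
```

Running the known-answer check against the client's own thumbprint routine separates an encoding bug (the check fails) from a key mix-up (the check passes but the computed value still differs from `thumbprints_from_error(detail)[1]`, which means the key file read here is not the one Boulder has on the account).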