keyAuthorization in dns-01 challenge

Should the value of the _acme-challenge.mydomain.com TXT DNS record be exactly the same as what the client sent in the challenge resource?

In short, no.

You need to sign with the account key (see https://letsencrypt.github.io/acme-spec/#rfc.section.7.4):

The client serializes the validation object to UTF-8, then uses its account private key to sign a JWS with the serialized JSON object as its payload. This JWS is NOT REQUIRED to have the “nonce” header parameter.

The record provisioned to the DNS is the “signature” value from the JWS, i.e., the base64-encoded signature value.

Here http://ietf-wg-acme.github.io/acme/#rfc.section.7.4
it says sha256 digest. Is it in hexadecimal form?

What language are you writing this in? Mine is a bash script, if looking at that helps (https://github.com/srvrco/getssl).

I am trying with PHP.

The coding for the DNS challenge token is essentially the same as for the HTTP challenge. I think all the other PHP clients only do the HTTP challenge, but you could check the code for that (or use your HTTP challenge if you have already written that).

In your bash script, is $auth_key the variable that is holding the value of the _acme-challenge.mydomain.com TXT DNS record?

Correct, yes.

($auth_key is the variable that is holding the TXT DNS record … needed to add text to lengthen the reply :wink:)

I have successfully completed the HTTP challenge, but the DNS challenge needs an additional sha256, and I don't know exactly how.
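For that "additional sha256" step, here is an added example (not code from getssl or from any PHP client in this thread) that computes both challenge values in Python following the current ACME rule (RFC 8555) and the JWK thumbprint of RFC 7638: the http-01 body is the key authorization `token.thumbprint`, and the dns-01 TXT record is base64url(SHA-256(key authorization)), not the hex digest and not the token itself. The JWK, the token and the function names are constructed for the example.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME uses for every encoded value."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def sha256_b64url(text: str) -> str:
    """base64url(SHA-256(text)): the raw 32-byte digest is encoded, not its hex form."""
    return b64url(hashlib.sha256(text.encode("utf-8")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key: SHA-256 over the canonical
    JSON of the required members only (sorted keys, no whitespace, no extras)."""
    if jwk.get("kty") == "RSA":
        required = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif jwk.get("kty") == "EC":
        required = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical)


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: this is the body served for http-01."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 takes one more step: hash the key authorization once more."""
    return sha256_b64url(key_authorization(token, jwk))


# Constructed sample values: not a real account key and not a real challenge token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "alg": "RS256",  # extra members like this are ignored by the thumbprint
}
TOKEN = "sample-token-not-from-a-real-challenge"

if __name__ == "__main__":
    print("http-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("dns-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```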

Wow, finally got it working.
A stupid mistake in the coding caused all this headache.


What was the mistake? I am trying to get my dns-01 challenge working with PHP.
Trying for the last two days without any luck.

As you mentioned, my http challenge is working fine.

Hi, can you provide the script for me? Thank you.

Hey Hotwop, I’d also like to see a PHP program that can run the dns-01 challenge method.