Provided key authorization was incorrect for dns-01 challenge


Haven’t see much documentation about the dns-01 challenge.
I was able to verify my domain using http-01.

For dns-01 i created token using the below steps.
But when i try to verify it, getting the error
Unable to update challenge :: provided key authorization was incorrect.

Code used is pasted below.

$domain = ‘’;
$response = $this->signedRequest(
"/acme/new-authz", array(“resource” => “new-authz”,
“identifier” => array(“type” => “dns”, “value” => $domain)

//get dns token details
$dns_challenge = array_reduce($response[‘challenges’], function ($v, $w) use (&$self) {
return $v ? $v : ($w[‘type’] == “dns-01” ? $w : false);
$dns_token = $dns_challenge[‘token’];
$dns_payload = $dns_token . ‘.’
. Base64UrlSafeEncoder::encode(hash(‘sha256’, json_encode($header), true));

       $dns_payload = hash('sha256',$dns_payload);


Now let’s verify the domain, the function signedRequest_dns
is defined below.
$result = $this->signedRequest_dns(
$challenge_uri, array(
“resource” => “challenge”,
“type” => “dns-01”,
“keyAuthorization” =>$dns_payload,
“token” => $dns_token

/* out put got is
[type] => urn:acme:error:malformed
[detail] => Unable to update challenge :: provided key authorization was incorrect
[status] => 400


function signedRequest_dns(){
$details = openssl_pkey_get_details($privateKey);
$header = array(
“alg” => “RS256”,
“jwk” => array(
“kty” => “RSA”,
“n” => Base64UrlSafeEncoder::encode($details[“rsa”][“n”]),
“e” => Base64UrlSafeEncoder::encode($details[“rsa”][“e”]),

    $protected = $header;
    $protected["nonce"] = $this->client->getLastNonce();

    $payload64 = Base64UrlSafeEncoder::encode(str_replace('\\/', '/', json_encode($payload)));
    $protected64 = Base64UrlSafeEncoder::encode(json_encode($protected));

    openssl_sign($protected64 . '.' . $payload64, $signed, $privateKey, "SHA256");

    $signed64 = Base64UrlSafeEncoder::encode($signed);

    $data = array(
        'header' => $header,
        'protected' => $protected64,
        'payload' => $payload64,
        'signature' => $signed64

    return $this->client->post($uri, json_encode($data));



The best documentation for this is Section 8.4 of the latest ACME draft. Creating the TXT records isn’t meant to be a user-facing activity, but something your ACME client implements for you.

I suspect the issue is with your custom PHP code to generate the token. Have you tried using another ACME client (Certbot, dehydrated, etc) that support DNS-01 challenges? I would compare your code to theirs and see if you can identify the difference. Unfortunately I’m not proficient enough with PHP to help you here.


Thanks for your reply.

What i would like to know is what is the major difference between dns-01 and http-01 ?
As far i understood there is an extra step for creating payload,
$dns_payload = hash(‘sha256’,$dns_payload);

And i sent it. But the response i got is
Unable to update challenge :: provided key authorization was incorrect.

So there is some thing wrong with the calculation of dns_payload.
If any one can clarify that, that will be a great help.


You can find the major differences by comparing Section 8.2 and Section 8.4.

Yes, that error means that the key authorization the server expected to find was not the one it found. Likely this means your side calculated authorization incorrectly. I recommend you compare your code for generating the authorization with code you know works (e.g. in another ACME client like Certbot, Dehydrated, etc).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.