Initiated verification, but kept prompting failure,After adding the txt record I waited about 5 minutes for the verification to be initiated

  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"O4Slu5DKR0Ppk0Re_ZAeiBqTnOKp0dfBwtvR5M7q_Yg\" found at _acme-challenge.test002.docker.ltd",
    "status": 403
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12065058294/QqMdOQ",
  "token": "O4Slu5DKR0Ppk0Re_ZAeiBqTnOKp0dfBwtvR5M7q_Yg",
  "validated": "2024-04-19T07:00:34Z"

nslookup -q=txt _acme-challenge.test002.docker.ltd


Non-authoritative answer:
_acme-challenge.test002.docker.ltd	text = "O4Slu5DKR0Ppk0Re_ZAeiBqTnOKp0dfBwtvR5M7q_Yg"

With the very little information from your post I have a hard time figuring out what you're trying to do. You've posted your thread in the Client dev section, so I'm assuming you're developing your own ACME client?

Can you perhaps elaborate more (and a lot more please) on how your system is set up? How are you developing your client? Can you post the appropriate code with regard to the validation? What's the actual hostname?

Maybe it's as simple as having actual quotes (") in the TXT RR: there should only be the token, no quotes around it.

Your previous post also did not include much information around your question. I'd like to mention that this Community is mainly for support. While we do like a good puzzle, this is NOT a Community for puzzle enthousiasts. Thus I'd like to encourage you to provide WAY MORE information with your requests: what is it exactly you're doing? What steps did you already take? With what (working!) code? You CAN provide way much information than you're doing now and it's very tiresome for volunteers to have to ask for relevant information which could have been provided from the start. Thank you :slight_smile:


Yes, I am developing a client. Just like the prompt, I found the parsing record. I actually did not add the quotation marks. The query result using nslookup is also correct. O4Slu5DKR0Ppk0Re_ZAeiBqTnOKp0dfBwtvR5M7q_Yg, error. detail also has corresponding prompts, obviously it has been found. txt record, it still prompts incorrect TXT record. I don’t know where the problem is.

From challenge uRL server saw a trailing backslash: do you know why?


The token value you get from the server, for example:

[type] => dns-01
[status] => pending
[url] => https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12071119164/El4v_Q
[token] => DcCSpjolz64RNghUn4tOepFn9xaoM26VyYcLX9wH1Yo

is not the value you have to set as the DNS record. You have to compute the value from the token like this:

keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))
// see: https://datatracker.ietf.org/doc/html/rfc8555/#section-8.1

value = base64url_encode( sha256( keyAuthorization ) )
   A client fulfills this challenge by constructing a key authorization
   from the "token" value provided in the challenge and the client's
   account key.  The client then computes the SHA-256 digest [FIPS180-4]
   of the key authorization.

   The record provisioned to the DNS contains the base64url encoding of
   this digest.  The client constructs the validation domain name by
   prepending the label "_acme-challenge" to the domain name being
   validated, then provisions a TXT record with the digest value under
   that name.

source: https://datatracker.ietf.org/doc/html/rfc8555/#section-8.4

keyAuthorization= 'DpkuhqqjwCHUhMWAHqF0gXNd-S5cBvnHzoLsY_IjrsA.zNbr_luinhMaSlYzkZg_cE_RbxXRewDqwvJWgFTwYmk'
echo base64url_encode( sha256( keyAuthorization ) )
Checking DNS seems to be incorrectresult ,Did I calculate it correctly? What is the correct result?


The calculated value is correct:

php > function base64url($data){ // RFC7515 - Appendix C
php {   return rtrim(strtr(base64_encode($data),'+/','-_'),'=');
php { }
php > $keyAuthorization='DpkuhqqjwCHUhMWAHqF0gXNd-S5cBvnHzoLsY_IjrsA.zNbr_luinhMaSlYzkZg_cE_RbxXRewDqwvJWgFTwYmk';
php > echo base64url(hash('sha256',$keyAuthorization,true));

How do you generate Thumbprint(accountKey)? Are you using RSA or Elliptic Curve for the accountKey?


my acquisition Thumbprint(accountKey) function

 private function getThumbprint(): string
        $private_key = openssl_pkey_get_private($this->privateKey);
        $key_details = openssl_pkey_get_details($private_key);
        $jwk = [
            'e' => base64url_encode($key_details['rsa']['e']),
            'kty' => 'RSA',
            'n' => base64url_encode($key_details['rsa']['n']),
        return base64url_encode(hash('sha256', json_encode($jwk), true));

jwk json

  "e": "AQAB",
  "kty": "RSA",
  "n": "tHd4EshKFE0HboiyKBLjATfWW2Pu80tA4y8v_cxjUiRUlgr3PYNSM3apbo_85zDuqQNsA_zMVnDJmp0hTLpWLG4VBuLbzvECKQJddYdvyd4asskpDA151oD0GUkzHxp6oYDb5q77hBv_jJcUTDPBpfjR_za-YxhmLxEIJWTUnCkR_b5nA5eCeoiSH92paP7R7irQohhpgir9kD7t3tfkkiI2Xj5bgk6Kyo_lJQF_9MdiqvGbatPi3kAKnKh0o_QZ2-NHtDoypWU6XET1kROhs_OJ78FJrsasG5QMy5G7FGG9xi780uK5khZ8g2FO1oiCKRcj-iBv_itOFoQT9TV3tw"

I tried it again and it worked, thank you very much


I'm glad I could help.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.