use dns01 Challenge
lukavia opened this issue · 8 comments
I'm having trouble using dns01 challenge.
As far as i can understand from the token received from the challenge I have to generated a string to put in the _acme-challenge.[domain] dns record.
I've tried to use generateHttp01Payload and use this as the string for the dns record and the payload, but I always get Challenge marked as invalid! from the staging server.
Can you please help?
Can you share the domain where you provisioned the record?
generateHttp01Payload is deprecated by the way, you can use generateKeyAuthorization instead. What does Kelunik\Acme\Verifiers\Dns01::verifyChallenge report?
I've figured it out.
Reading the draft https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.5 in order to work I had to do
$payload = $acme->generateHttp01Payload($keyPair,'6bfdj_ha2SJSMeSsPjIspLwAkG-SIhIZm74r_TK3SWU');
echo $payload . PHP_EOL;
$enc = new Base64UrlSafeEncoder;
echo $enc->encode(hash('sha256', $payload, true)) . PHP_EOL;Using this the challenge verified OK.
I'm currently testing with lukav-desktop.barsy.bg
May be you should add a method like generateDNS01Token or similar
I might have missed that one, I haven't used DNS-01 yet. You're right, we need to hash the key authorization again, probably because of the DNS record length. So the code should look like:
<?php
$enc = new Base64UrlSafeEncoder;
$keyAuth = generateKeyAuthorization($keyPair, $token);
$payload = $enc->encode(hash("sha256", $keyAuth, true));I'm not sure what we should pass to generateDns01Token, directly the $keyPair and $token or just the $keyAuthorization?
One would need the $keyAuthorization to answer the challenge anyway, so you might go with that.
Thank you.
And thanks for the great library!