From 58c690696b965602500e72658854d804a0613cbf Mon Sep 17 00:00:00 2001 From: rsiddharth Date: Sun, 2 Aug 2020 20:37:51 -0400 Subject: acmens.py: sign_csr: fix dns text record content It should be base64(sha256(key_authorization)) reference: https://tools.ietf.org/html/rfc8555#section-8.4 --- acmens.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acmens.py b/acmens.py index 05fa749..098903a 100644 --- a/acmens.py +++ b/acmens.py @@ -206,6 +206,7 @@ def sign_csr(account_key, csr, email=None, challenge_type='http'): challenge = [c for c in chl_result["challenges"] if c["type"] == type_id][0] token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge["token"]) keyauthorization = "{0}.{1}".format(challenge["token"], thumbprint) + dns_payload = _b64(hashlib.sha256(keyauthorization.encode()).digest()) # build request for the server to test this challenge. test_url = challenge["url"] @@ -225,7 +226,7 @@ DNS TXT record contents: \"{token}\" Notes: - Do not include the quotes in the TXT record. -""".format(domain=domain.replace('*.', ''), token=challenge["token"])) +""".format(domain=domain.replace('*.', ''), token=dns_payload)) else: # Challenge response for http server. response_uri = ".well-known/acme-challenge/{0}".format( -- cgit v1.2.3