From 58c690696b965602500e72658854d804a0613cbf Mon Sep 17 00:00:00 2001
From: rsiddharth
Date: Sun, 2 Aug 2020 20:37:51 -0400
Subject: acmens.py: sign_csr: fix dns text record content

It should be base64(sha256(key_authorization))

reference: https://tools.ietf.org/html/rfc8555#section-8.4
---
 acmens.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'acmens.py')

diff --git a/acmens.py b/acmens.py
index 05fa749..098903a 100644
--- a/acmens.py
+++ b/acmens.py
@@ -206,6 +206,7 @@ def sign_csr(account_key, csr, email=None, challenge_type='http'):
         challenge = [c for c in chl_result["challenges"] if c["type"] == type_id][0]
         token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge["token"])
         keyauthorization = "{0}.{1}".format(challenge["token"], thumbprint)
+        dns_payload = _b64(hashlib.sha256(keyauthorization.encode()).digest())
 
         # build request for the server to test this challenge.
         test_url = challenge["url"]
@@ -225,7 +226,7 @@ DNS TXT record contents: \"{token}\"
 
 Notes:
 - Do not include the quotes in the TXT record.
-""".format(domain=domain.replace('*.', ''), token=challenge["token"]))
+""".format(domain=domain.replace('*.', ''), token=dns_payload))
         else:
             # Challenge response for http server.
             response_uri = ".well-known/acme-challenge/{0}".format(
-- 
cgit v1.2.3
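Review bot: The new `dns_payload` assignment in the first hunk carries no explanation, and the template placeholder it feeds in the second hunk is still named `token`, so a reader of the printed instructions sees `\"{token}\"` and cannot tell that the value is now a digest of the key authorization rather than the challenge token itself. A one-line comment above the assignment, `# DNS-01 expects base64url(SHA-256(key_authorization)); see RFC 8555 section 8.4`, plus renaming the placeholder (`{payload}` in the template and `payload=dns_payload` in the format call) would make that explicit. The value is also computed for every challenge type although only the dns branch uses it; moving it inside that branch keeps the http path unchanged. Whether the record is accepted depends on `_b64` emitting unpadded base64url and on `hashlib` being imported at module level, neither of which is visible in the hunk, so both are worth confirming. sign_csr starts before the first hunk and continues past the second.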