polhenarejos
commented
3 years ago The specs of RFC 8823 claim:
3.0.6: The ACME client concatenates "token-part1" (received over email)
and "token-part2" (received over HTTPS [RFC2818]) to create the
ACME "token" and calculates keyAuthorization (as per Section 8.1
of [RFC8555]). Then, **it returns the base64url-encoded SHA-256
digest** [RFC6234] of the key authorization. The MUA returns the
base64url-encoded SHA-256 digest obtained from the ACME client
in the body of a "response" email message. The "response" email
message structure is described in more details in Section 3.2.
If the MUA is ACME-email-aware, it MUST NOT respond to the same
"challenge" email more than once.
3.2.7: The text/plain body part (whether or not
it is inside multipart/alternative) MUST contain a block of lines
starting with the line "-----BEGIN ACME RESPONSE-----", followed
by one or more lines **containing the base64url-encoded SHA-256
digest** [RFC6234] of the key authorization, calculated from
concatenated token-part1 (received over email) and token-part2
(received over HTTPS)The response must contain the base-64 of the hash, not the hash itself.
In the code, we do not implement the routines of creating the digests and responses, as it is performed in the core of Certbot. In this sense ACME Email and ACME HTTP share the same procedure on creating the responses. The differences come from obtaining the two tokens.
augjoh
When replying to a challenge, the response should be a SHA256 hash. acme_email responds with the raw value instead: