From 4cf6a5f26d568be1739df504ab5326f073133879 Mon Sep 17 00:00:00 2001
From: Fang-Pen Lin
Date: Fri, 12 Dec 2025 17:15:24 -0800
Subject: [PATCH] Fix dns validation

---
 .../src/ee/services/pki-acme/pki-acme-challenge-service.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts b/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts
index a7bcde7de3..098e8cdfaa 100644
--- a/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts
+++ b/backend/src/ee/services/pki-acme/pki-acme-challenge-service.ts
@@ -4,6 +4,7 @@ import axios, { AxiosError } from "axios";
 import { TPkiAcmeChallenges } from "@app/db/schemas/pki-acme-challenges";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { isPrivateIp } from "@app/lib/ip/ipRange";
 import { logger } from "@app/lib/logger";
@@ -124,9 +125,11 @@ export const pkiAcmeChallengeServiceFactory = ({
     const recordValues = records.map((chunks) => chunks.join(""));
     const thumbprint = challenge.auth.account.publicKeyThumbprint;
-    const expectedChallengeResponseBody = `${challenge.auth.token}.${thumbprint}`;
+    const keyAuthorization = `${challenge.auth.token}.${thumbprint}`;
+    const digest = crypto.nativeCrypto.createHash("sha256").update(keyAuthorization).digest();
+    const expectedChallengeResponseValue = Buffer.from(digest).toString("base64url");
 
-    if (!recordValues.some((recordValue) => recordValue.trim() === expectedChallengeResponseBody)) {
+    if (!recordValues.some((recordValue) => recordValue.trim() === expectedChallengeResponseValue)) {
       throw new AcmeIncorrectResponseError({ message: "ACME DNS-01 challenge response is not correct" });
     }
   };
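Review bot: The new digest step in the second hunk has no comment explaining why the TXT record is compared against a hash rather than the key authorization string the old code used, so a future reader could plausibly "simplify" it back to the broken form; add above the `digest` line `// RFC 8555 §8.4: the DNS-01 TXT value is base64url(SHA-256(keyAuthorization)), not the key authorization itself`. `Buffer.from(digest)` is redundant since `createHash(...).digest()` without an encoding already returns a Buffer, so `const expectedChallengeResponseValue = digest.toString("base64url");` reads more directly; Node's `base64url` encoding omits padding, which matches the RFC's unpadded form. Because this is the check that gates certificate issuance for a domain, a unit test pinning the expected value for a fixed token/thumbprint pair against a known-good vector would protect the fix from regressing. The enclosing validation function begins before this hunk, so the DNS lookup that produces `records` is outside the visible change.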