Canonicalization node not closed properly

Question

TL;DR <CanonicalizationMethod> node winds up with too many children when using wse-php

I'm using wse-php to sign a SOAP request. I've used plain XmlSecLib to sign Saml in the past, but when using wse-php to construct my security node and sign a specific header element, the node ends up as the parent node to the` node, which is incorrect, and causing my soap request to fail.

Example of the incorrect structure after signing:

<ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:signedinfo>
    <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
        <ds:reference uri="#pfx66175dea-cec7-2bef-e3e3-41f93e072905">
          <ds:transforms>
            <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
            </ds:transform>
          </ds:transforms>
          <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">. 
            <ds:digestvalue>Vfgm3qESZl51Tly2gUEosIerE8I=</ds:digestvalue> 
          </ds:digestmethod>
        </ds:reference>
      </ds:signaturemethod>
    </ds:canonicalizationmethod>
  </ds:signedinfo>
  <ds:signaturevalue>...</ds:signaturevalue>
  <ds:keyinfo>
    <wsse:securitytokenreference>
      <wsse:reference valuetype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" uri="#pfx3e1c9c60-13a0-7434-f769-a25570eda011">. 
      </wsse:reference>
    </wsse:securitytokenreference>
  </ds:keyinfo>
</ds:signature>

PHP which is generating the above (not using a WSDL, or SOAP client, rolling my own DOM Document):

$dom = new \DOMDocument('1.0', 'UTF-8');
$envelope = $dom->createElementNS('http://www.w3.org/2003/05/soap-envelope', 'soap:Envelope');
$envelope->setAttributeNS('http://www.w3.org/2000/xmlns/' ,'xmlns:v1',$serviceContract);
$envelope->setAttributeNS('http://www.w3.org/2000/xmlns/' ,'xmlns:v11','$serviceContract');

//.
//.
//I create and append the <soap:body> here
//.
//.

$objWSA = new WSASoap($dom);
$objWSA->addAction($action);
$objWSA->addTo($to);

//Not needed so commenting out
//$objWSA->addMessageID();
//$objWSA->addReplyTo();

$dom = $objWSA->getDoc();

$objWSSE = new WSSESoap($dom);
/* DONT Sign all headers only want to sign specific one could this be at issue?*/
$objWSSE->signBody = false;
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, ['type'=>'private']);
$objKey->loadKey($this->wexSoapX509PrivateKey, true);
        
$objWSSE->signSoapDoc($objKey,['signSpecificHeaders' => ["http://schemas.xmlsoap.org/ws/2004/08/addressing" =>["To" => true] ] ]);

/* Add certificate (BinarySecurityToken) to the message and attach pointer to Signature */
$token = $objWSSE->addBinaryToken(file_get_contents($privKey));
$objWSSE->attachTokentoSig($token);
$objWSSE->addTimestamp(3000);

//move the security header around because they were specific about order. Might mess with canonicalization? But even without this the same thing happens
$header = $envelope->firstChild;
$action = $header->firstChild;
$security = $header->lastChild;
$header->removeChild($security);
$header->insertBefore($security, $action);
$request = $objWSSE->saveXML();
var_dump($request);

I'm stumped. The best I can figure is that something in the order I have done things is off, such that the structure before signing is off and a child gets appended wrong or something.

Can anyone see why that would be happening?