Certificate Update Duck DNS

My certificate is expired and I can’t get it working again. So no connections to Hass.IO from outside my WiFi are working either.

I tried everything and have been digging through the community the whole day already, and right now I don’t have any clue how to solve this.

See below for my settings:
Addon:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "/ssl/fullchain.pem",
    "keyfile": "/ssl/privkey.pem"
  },
  "token": "[****]",
  "domains": [
    "****.duckdns.org"
  ],
  "seconds": 300
}

Configuration.yaml:

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  api_password: !secret api_password
  base_url: ****.duckdns.org

Log from Duck DNS Add on:

starting version 3.2.2
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Fri Dec 29 15:22:17 CET 2017: 
# INFO: Using main config file /data/workdir/config
Processing ****.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for ****.duckdns.org...

Solved!!! After an evening of trying things, I found the solution a few minutes ago! I created a new token on DuckDNS.

I have the same issue. Why is a new token needed?

To be honest I don’t have any idea, but for me it did the job. And after two days of searching and trial and error I’m glad that did the job :slight_smile:

I generated a new token, updated and restarted the add-on, but the cert and key in /ssl are still the expired ones.

For your info I’m using the following settings:

DuckDNS Addon Options:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "****",
  "domains": [
    "****.duckdns.org"
  ],
  "seconds": 300
}

And settings in the configuration file:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  api_password: !secret api_password
  base_url: ****.duckdns.org:8123 

Ports 8123 -> 8123 and 443 -> 8123 are forwarded

My configs were slightly different, so I tried yours and no luck. The add-on log shows the same before and after with the cert having already been renewed.

Mine originally had /ssl/ pre-pended to the .pem paths in the add-on’s config and https:// in configuration.yaml.

starting version 3.2.2
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Fri Dec 29 17:06:25 EST 2017: OK
xxx.xxx.xxx.xxx
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing yyyy.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 25 00:40:55 2018 GMT (Longer than 30 days). Skipping renew!

So is this add-on checking let’s encrypt for the cert or a local copy?

I’m having the same issue - Duckdns skips renew, but looking at the lock icon in the url bar in chrome, it will show the certificate as expired. Did you find a way to force certificate renewal? (Creating a new duckdns token didn’t work for me either)

I uninstalled/installed the DuckDNS addon and that worked for me.

Thanks! I tried that, and it didn’t work for me because I used the same setting in the module I had before. It turns out I had my security certificate location in duck dns set to a different place than in my configuration.yaml. At some point during initial setup, I had them aligned, so the initial certificates were created, but not updated. It’s worth noting that the DuckDNS default module settings are:
ssl_certificate: /fullchain.pem
whereas the configuration.yaml file has the certificate location slightly different:
ssl_certificate: /ssl/fullchain.pem
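
A way to tell apart the failure modes reported in this thread, as an added example that is not part of any post here: it compares the certificate the server presents with the leaf in the file named by ssl_certificate, and reads the add-on's "Skipping renew!" line. The host name, the port default, the helper names and the outcome labels are assumptions of this example.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SKIPPED = re.compile(r"Valid till (.+? GMT) \(Longer than \d+ days\)\. Skipping renew!")

def leaf_fingerprint(fullchain_pem):
    """SHA-256 of the first (leaf) certificate in the text of a fullchain.pem."""
    block = PEM_BLOCK.search(fullchain_pem)
    if block is None:
        raise ValueError("no certificate block found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block.group(0))).hexdigest()

def served_fingerprint(host, port=8123, timeout=5):
    """SHA-256 of the certificate the server presents, even an expired one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: fetch the certificate
    ctx.verify_mode = ssl.CERT_NONE  # as served, without trusting it
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def addon_valid_till(addon_log):
    """Epoch seconds from the add-on's 'Skipping renew!' line, or None."""
    match = SKIPPED.search(addon_log)
    return ssl.cert_time_to_seconds(match.group(1)) if match else None

def diagnose(addon_log, file_fp, served_fp, served_expired):
    """Classify the 'log says valid, browser says expired' symptom."""
    if not served_expired:
        return "ok"
    if addon_valid_till(addon_log) is None:
        return "no-valid-cert-in-log"    # look for a failed challenge instead
    if file_fp == served_fp:
        return "addon-writes-elsewhere"  # align certfile/keyfile with ssl_certificate/ssl_key
    return "server-has-stale-copy"       # file on disk is newer than what is served

# Constructed sample: a log line in the format shown in this thread.
SAMPLE_LOG = " + Valid till Feb 25 00:40:55 2018 GMT (Longer than 30 days). Skipping renew!"

if __name__ == "__main__":
    # Assumed path and host name; substitute your own.
    fp = leaf_fingerprint(open("/ssl/fullchain.pem").read())
    print(diagnose(SAMPLE_LOG, fp, served_fingerprint("example.duckdns.org"), True))
```
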

I thought the default addon settings were for a relative path (no leading /) to the .pem files. Using fullchain.pem in the addon and /ssl/fullchain.pem in configuration.yaml worked for me from the start but not at renewal time.

I dunno… I’ve made so many changes at this point… :open_mouth:

Did you resolve this issue? I have the same problem.

Anyone crack this yet? Having the EXACT same problem also! Spent days googling this.
Tried everything to get the cert to update.
I do see my .pem files’ date stamps were updated, but I’m still getting the below in the log:

KOKO + Responding to challenge for XXX.duckdns.org authorization...
 + Cleaning challenge tokens...
KOKO + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"\" found at _acme-challenge.XXX.duckdns.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/blabla/FLI5zw",
  "token": "bla bla bla"
})

If it means anything, I get the below when I run:

C:\Users\XXX>nslookup -q=TXT _acme-challenge.XXX.duckdns.org
Server: cdns2.cox.net
Address: 68.105.28.12

Non-authoritative answer:
_acme-challenge.XXX.duckdns.org text =


Just created an account to say thank you, I’ve been looking at this for the last couple of days and couldn’t figure out why it wasn’t working. I wasn’t getting any errors in the log or anything and my certificate was apparently good for another few months, but browsers kept seeing an expired certificate a month ago.

I changed the config in duckdns to
certfile: /ssl/fullchain.pem
keyfile: /ssl/privkey.pem
and that fixed it for me. As you say, initially the certificates were created and working no problem but it failed when it needed to renew. My certificates are now working after making that change.


I’m tickled pink that a 4 year old comment helped someone out. Thanks!


This! Thank you!