Duck DNS add on - add my own domain to the Let's Encrypt config

Is this possible?

I have mydomain.duckdns.org and I have http://My.OwnDomain.com which has a CNAME mapping to my Duck DNS address. I would like Let’s Encrypt to create a certificate for http://My.OwnDomain.com. Is that possible using the Hass.io Duck DNS add on?

Thanks,

James


I have made some progress with this (perhaps the fix I have noticed in version 1.5 is helping me get further than before), but am still stuck.

I received the following in the Duck DNS add on log:

+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record \"TbgfE52qv9DInN91lqvLmN3NlldcImKgb9duqaEK4Zo\" found at _acme-challenge.MyCustom.Domain.com",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pZlCyyNk6pYjkjkeDv1uICoQirw56346uWOoAe1E3sI/6060253411",
"token": "54t_1t66Q4NTHIz6_bNUBtw2gP6Z78R4St0IKb3stk"
})

Not really sure where to go from here! I added a text record with the token (from the log) in, but this appears not to be the right value, as when I restart the Duck DNS add on it still fails, and the token given has changed. I feel like if I just manage to get the right text record at _acme-challenge.MyCustom.Domain.com it might work, but I don’t know how to identify what that text record should be…

Did you figure out which token to use?

Nope :frowning:

Has anyone figured this out? I got my initial cert by dropping my webserver and pointing port 80 at the Pi. Now I need to renew and I'm not looking forward to doing this every 90 days.


I too would like a solution. I wonder if I need to generate a different certificate for the duckdns domain and my CNAME'd domain?

A change request has been put in to the DuckDNS add-on to handle this.

Not sure how long it might take to progress, but see here:
https://github.com/home-assistant/hassio-addons/pull/521

Hi! They updated the add-on to make it possible with an alias... but I'm not able to make it work... this is my config:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "BLAHBLAHBLAH",
  "domains": [
    "my.duckdns.org"
  ],
  "aliases": [
    "myowndomain.com"
  ],
  "seconds": 300
}

I don’t think the add on is actually updated yet; the change is still pending.

I'm also waiting on this to be accepted. Is there a way to manually add it to hass.io?

I wonder if this is why when I try to use a wildcard sub subdomain with duckdns it vomits back an error regarding aliases?

Config

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "secrettoken!",
  "domains": [
    "*.example.duckdns.org",
    "example.duckdns.org"
  ],
  "seconds": 300
}

Error

ERROR: Please define a valid alias for your *.example.duckdns.org wildcard-certificate. See domains.txt-documentation for more details.
Processing *.example.duckdns.org with alternative names: example.duckdns.org

Are you aware of any evolution in this topic? I am also a stakeholder, as my office policies in place prevent access to duckdns.org subdomains :frowning:

Works like a charm:


I updated the add-on to version 1.12.0.
Now there is an option to specify an alias. Which I did.
When restarting the add-on, it tries to create the certificate for my custom domain, but fails at the domain challenge step.

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"vykNqHDJgOABKd_DpfloEwkVrb1dz3jgGCdmOBKn5sY\" found at _acme-challenge.my.thisisnotmydomain.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4677922027/Nz0nEA",
  "token": "H3vhBvIgg9F5dFKrzGbw8iho13KoAV8PzkojlTtT6Wg"
})

The problem is, that each time I restart the add-on, it generates a new value for the challenge token, so even if I correctly set my dns txt record, still fails next time.
How can we set the challenge token to a known value?

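On the question asked in the two posts above (what the TXT record at _acme-challenge.<domain> should contain, and why the token is different after every restart): ACME (RFC 8555) has the CA choose the token per authorization, so it cannot be pinned to a known value, and the TXT record does not carry the token itself. It carries base64url(SHA-256(key authorization)), where the key authorization is token + "." + the RFC 7638 thumbprint of the ACME account key. The script below is an added example, not code from the Duck DNS add-on or from anyone in this thread; it derives that value with the token from the log above and the RFC 7515 example P-256 public key standing in for a real account key, so the printed TXT value is illustrative only.

```python
"""dns-01 TXT value derivation (RFC 8555 sections 8.1 and 8.4; RFC 7638 thumbprint).

Added example, not the DuckDNS add-on's code. The account key below is the public
P-256 example key from RFC 7515 appendix A.3, used as a placeholder: a real client
uses the private account key it registered with the CA.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically
    sorted, no whitespace. Optional members such as "alg" or "kid" are ignored,
    so the thumbprint is the same however the key was serialised."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint(accountKey): this is what http-01 would serve verbatim."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """For dns-01 the CA expects base64url(SHA-256(keyAuthorization)) in the
    TXT record at _acme-challenge.<domain>, never the raw token."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# Placeholder account key (RFC 7515 A.3 public key), not a real Let's Encrypt account.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # present in many serialisations, not part of the thumbprint input
}

# Token copied from the challenge error in the log above.
TOKEN = "H3vhBvIgg9F5dFKrzGbw8iho13KoAV8PzkojlTtT6Wg"

if __name__ == "__main__":
    print("token                :", TOKEN)
    print("account thumbprint   :", jwk_thumbprint(ACCOUNT_JWK))
    print("key authorization    :", key_authorization(TOKEN, ACCOUNT_JWK))
    print("TXT value to publish :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Two consequences follow from the derivation: the value depends on the account key, so only the client that owns that key can compute it, and a fresh token arrives with every new authorization, so the record has to be published by the client during the run (which is what a DNS provider API is for) rather than typed in once by hand.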

Had the same issue and found out what’s going wrong: the duckdns addon always uses a dns-01 challenge when requesting a certificate. This only works when your provider supports an API for automated creation of DNS records, hence the error.
My workaround is to use the duckdns addon only for IP address resolution and use the letsencrypt addon for the certificates (this addon supports both dns-01 and http-01).

This requires that you configure your router to forward port 80 to your home-assistant IP port 80 (this port will only be open during certificate renewal).

I also changed the certfile and keyfile in the duckdns config to prevent them overwriting the letsencrypt certificates.

The letsencrypt addon has one drawback: it does not automatically renew certificates, so you will need to start it every few months.

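The post above covers the client side (the add-on can only publish TXT records it has an API for). The other half of the failure is where the CA looks: for a dns-01 challenge on my.thisisnotmydomain.com the validator queries _acme-challenge.my.thisisnotmydomain.com, and a CNAME on the host itself says nothing about that separate name. The simulation below is an added example, not the add-on's or Let's Encrypt's code, over a constructed zone using the placeholder hostnames from this thread. It assumes the add-on writes the TXT record only at the duckdns.org name, which is the thread's working assumption, not something the add-on documentation here confirms.

```python
"""How the CA checks a dns-01 challenge, simulated over a constructed zone.

Added example; not the DuckDNS add-on's code and not from any post in this
thread. Hostnames are the placeholders used above; zone contents are made up.
"""

DUCK = "my.duckdns.org"
CUSTOM = "my.thisisnotmydomain.com"
# The TXT value the CA expects for this authorization (value from the log above).
EXPECTED_TXT = "vykNqHDJgOABKd_DpfloEwkVrb1dz3jgGCdmOBKn5sY"
# The raw challenge token, which is NOT what belongs in the TXT record.
RAW_TOKEN = "H3vhBvIgg9F5dFKrzGbw8iho13KoAV8PzkojlTtT6Wg"

# Zone 1 (assumption: the add-on wrote the TXT at the duckdns name only). The
# custom host is a CNAME to the duckdns host; nothing exists at _acme-challenge.<custom>.
ZONE_HOST_CNAME_ONLY = {
    f"_acme-challenge.{DUCK}": {"TXT": [EXPECTED_TXT]},
    CUSTOM: {"CNAME": DUCK},
}

# Zone 2: as above, plus a TXT someone typed by hand with the raw token.
ZONE_HAND_TYPED_TOKEN = {
    f"_acme-challenge.{DUCK}": {"TXT": [EXPECTED_TXT]},
    CUSTOM: {"CNAME": DUCK},
    f"_acme-challenge.{CUSTOM}": {"TXT": [RAW_TOKEN]},
}

# Zone 3: the challenge name itself is a CNAME to the duckdns challenge name,
# so whatever is published there is what the CA sees for the custom domain.
ZONE_CHALLENGE_CNAME = {
    f"_acme-challenge.{DUCK}": {"TXT": [EXPECTED_TXT]},
    CUSTOM: {"CNAME": DUCK},
    f"_acme-challenge.{CUSTOM}": {"CNAME": f"_acme-challenge.{DUCK}"},
}


def lookup_txt(zone, name, max_hops=8):
    """Return (txt_values, names_visited), following CNAMEs like a resolver.

    A CNAME applies only to its exact owner name: a CNAME at my.example.com
    does not redirect queries for _acme-challenge.my.example.com.
    """
    chain = [name]
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            chain.append(name)
            continue
        return rrset.get("TXT", []), chain
    raise RuntimeError("CNAME chain too long or looping: " + " -> ".join(chain))


def validate_dns01(zone, domain, expected_txt):
    """Mimic the CA: query _acme-challenge.<domain> and look for expected_txt."""
    found, chain = lookup_txt(zone, f"_acme-challenge.{domain}")
    return expected_txt in found, chain, found


def explain(zone, domain, expected_txt):
    """Verdict in the spirit of the error in the log (wording approximated, not the CA's)."""
    ok, chain, found = validate_dns01(zone, domain, expected_txt)
    where = " -> ".join(chain)
    if ok:
        return f"valid: TXT {expected_txt} found via {where}"
    if not found:
        return f"invalid: no TXT record found at {where}"
    return f'invalid: incorrect TXT record "{found[0]}" found at {where}'


if __name__ == "__main__":
    cases = [("host CNAME only", ZONE_HOST_CNAME_ONLY),
             ("hand-typed token", ZONE_HAND_TYPED_TOKEN),
             ("challenge-name CNAME", ZONE_CHALLENGE_CNAME)]
    for label, zone in cases:
        print(f"{label:22}: {explain(zone, CUSTOM, EXPECTED_TXT)}")
    print(f"{'duckdns name itself':22}: {explain(ZONE_HOST_CNAME_ONLY, DUCK, EXPECTED_TXT)}")
```

Zone 3 is the shape of any "alias" or delegated-challenge setup: the custom domain's challenge name is pointed at a name the client can actually write to. The security caveat is that this delegation is exactly what it looks like: whoever can write TXT records at _acme-challenge.my.duckdns.org can obtain certificates for my.thisisnotmydomain.com, so the DuckDNS token has to be protected like a credential for the custom domain, not just for the duckdns.org name.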

For everyone still searching for a solution to this problem: I wrote a detailed guide to the solution:
