I have made some progress with this (perhaps the fix I have noticed in version 1.5 is helping me get further than before), but am still stuck.
I received the following in the Duck DNS add-on log:
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record \"TbgfE52qv9DInN91lqvLmN3NlldcImKgb9duqaEK4Zo\" found at _acme-challenge.MyCustom.Domain.com",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/pZlCyyNk6pYjkjkeDv1uICoQirw56346uWOoAe1E3sI/6060253411",
"token": "54t_1t66Q4NTHIz6_bNUBtw2gP6Z78R4St0IKb3stk"
})
Not really sure where to go from here! I added a TXT record with the token (from the log) in, but this appears not to be the right value, as when I restart the Duck DNS add-on it still fails, and the token given has changed. I feel like if I just manage to get the right TXT record at _acme-challenge.MyCustom.Domain.com it might work, but I don’t know how to identify what that TXT record should be…
Has anyone figured this out? I got my initial cert by dropping my webserver and pointing port 80 at the Pi. Now I need to renew and I’m not looking forward to doing this every 90 days.
ERROR: Please define a valid alias for your *.example.duckdns.org wildcard-certificate. See domains.txt-documentation for more details.
Processing *.example.duckdns.org with alternative names: example.duckdns.org
I updated the add-on to version 1.12.0.
Now there is an option to specify an alias. Which I did.
When restarting the add-on, it tries to create the certificate for my custom domain, but fails at the domain challenge step.
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record \"vykNqHDJgOABKd_DpfloEwkVrb1dz3jgGCdmOBKn5sY\" found at _acme-challenge.my.thisisnotmydomain.com",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4677922027/Nz0nEA",
"token": "H3vhBvIgg9F5dFKrzGbw8iho13KoAV8PzkojlTtT6Wg"
})
The problem is, that each time I restart the add-on, it generates a new value for the challenge token, so even if I correctly set my dns txt record, still fails next time.
How can we set the challenge token to a known value?
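The two posts above run into the same thing: the value Let's Encrypt wants in `_acme-challenge.<name>` is not the token printed in the log. Under RFC 8555 the TXT record holds base64url(SHA-256(token + "." + thumbprint of the ACME account key)), so it depends on a key only the ACME client has, and every new order gets a fresh token. The script below, added here as an example and not code from the Duck DNS add-on or dehydrated, computes that value with the standard library and classifies what a resolver returns for the record. The account JWK, the "observed" records and the helper names are constructed for the demo; the token is the one from the log above.

```python
"""Work out what the _acme-challenge TXT record for an ACME dns-01
challenge must contain, and compare it with what DNS actually serves.

Added example for this thread, not code from the Duck DNS add-on or
dehydrated. Implements RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK
thumbprint) with only the standard library; the key, the token and the
"observed" records are sample inputs.
"""
from __future__ import annotations

import base64
import hashlib
import json

B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account public key.

    Only the required public members are hashed, in lexicographic order,
    as compact JSON with no whitespace; extra members such as kid or alg
    are ignored, so two clients holding the same key agree on the value.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555: key authorization = token '.' thumbprint. The TXT record
    holds base64url(SHA-256(key authorization)), never the raw token."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def diagnose_txt(token: str, account_jwk: dict, observed: list) -> str:
    """Classify what a resolver returned for _acme-challenge.<name>.

    "ok"        the expected value is published
    "raw-token" the token itself was published (the mistake in the posts)
    "missing"   no TXT record at all
    "stale"     only values from an earlier order; each order has a new token
    """
    expected = dns01_txt_value(token, jwk_thumbprint(account_jwk))
    if expected in observed:
        return "ok"
    if token in observed:
        return "raw-token"
    if not observed:
        return "missing"
    return "stale"


# Constructed sample inputs: a fake RSA JWK (the modulus is not a real key;
# the thumbprint does not care) plus the token from the log above.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "c2FtcGxlLW1vZHVsdXMtZm9yLXRoZS1kZW1vLW5vdC1hLXJlYWwta2V5",
    "kid": "ignored-by-the-thumbprint",
}
SAMPLE_TOKEN = "H3vhBvIgg9F5dFKrzGbw8iho13KoAV8PzkojlTtT6Wg"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    want = dns01_txt_value(SAMPLE_TOKEN, thumb)
    print("account key thumbprint :", thumb)
    print("TXT value the CA expects:", want)
    # Simulated answers from `dig +short TXT _acme-challenge.<name>`
    for observed in ([want], [SAMPLE_TOKEN], [],
                     ["vykNqHDJgOABKd_DpfloEwkVrb1dz3jgGCdmOBKn5sY"]):
        print(observed, "->", diagnose_txt(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, observed))
```

To see what is really published, query a public resolver (`dig +short TXT _acme-challenge.my.thisisnotmydomain.com @1.1.1.1`) rather than your LAN resolver, since Let's Encrypt validates from the outside. Because the value depends on the client's account key and on a per-order token, it cannot be chosen ahead of time; the client, or a hook it calls against the DNS provider's API, has to publish the record on every run.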
Had the same issue and found out what’s going wrong: the duckdns addon always uses a dns-01 challenge when requesting a certificate. This only works when your provider supports an API for automated creation of DNS records, hence the error.
My workaround is to use the duckdns add-on only for IP address resolution and use the letsencrypt add-on for the certificates (this add-on supports both dns-01 and http-01).
This requires that you configure your router to forward port 80 to your Home Assistant IP, port 80 (this port will only be open during certificate renewal).
I also changed the certfile and keyfile in the duckdns config to prevent them overwriting the letsencrypt certificates.
The letsencrypt add-on has one drawback: it does not automatically renew certificates, so you will need to start it every few months.
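The split described in this reply, written out as add-on configuration. This is an added illustration, not configuration from the post or from the add-on projects: option names are as I recall them from the Duck DNS and Let's Encrypt add-on documentation, and the domain, token, e-mail and file names are placeholders, so check them against the add-on version you run.

```yaml
# Duck DNS add-on (assumed option names): keep it for IP updates only and
# give its certificate files names the Let's Encrypt add-on does not use,
# so the two do not overwrite each other in /ssl.
domains:
  - example.duckdns.org
token: YOUR_DUCKDNS_TOKEN
aliases: []
lets_encrypt:
  accept_terms: true
  certfile: duckdns-fullchain.pem
  keyfile: duckdns-privkey.pem
seconds: 300
---
# Let's Encrypt add-on (assumed option names): http-01 needs port 80
# forwarded from the router to the Home Assistant host while it runs.
email: you@example.com
domains:
  - example.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http
---
# configuration.yaml: point Home Assistant at the Let's Encrypt add-on's
# files, not at the ones the Duck DNS add-on writes.
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
```

Close the port 80 forward again after each run; the add-on only needs it while the http-01 challenge is being answered.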