DuckDNS aliases not working?

Amardeep · June 12, 2020, 8:32am

Hi everyone, I recently set up a new Home Assistant instance on a rpi 3b+ (currently v.0.110.0), and I have remote access with SSL working using the DuckDNS add-on. I’m trying to set it up to work with my personal domain using the add-on’s “aliases” option. I have a CNAME set up from my personal domain to my DuckDNS domain. My config is as follows:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: MY_TOKEN
domains:
  - MY_DUCKDNS_DOMAIN.duckdns.org
  - MY_DOMAIN
aliases:
  - domain: MY_DOMAIM
    alias: MY_DUCKDNS_DOMAIN.duckdns.org
seconds: 300

I can access remotely with SSL using the MY_DUCKDNS_DOMAIN.duckdns.org, but when I access using MY_DOMAIN, it connects without SSL.

Are aliases not working, or have I do e something wrong?

Amardeep · June 14, 2020, 10:23am

Polite bump. Surely this isn’t a new problem, but despite my hours of Googling, still no luck.

francisp · June 14, 2020, 12:04pm

If you have your own domain, use letsdnsocloud.

Amardeep · June 14, 2020, 4:55pm

Thanks francisp, I’ll check that out!

sharki · July 12, 2020, 3:03pm

Same issue here. For one of my HA installs it worked great (after figuring out the correct CNAME records thanks to this comment ), but for another, the certificate does not become valid for the domain that is set as an alias.

When inspecting the certificate it seems that the ‘Subject Alternative Name’ is not set correctly. Is there a cache that should be removed? Simply reinstalling DuckDNS, or re-adding the domain to DuckDNS does not resolve the issue.

mansouryaacoubi · February 17, 2021, 11:48am

For everyone still searching for the solution to this problem. I wrote a detailled guide to the solution:

MaxVonEvil · February 22, 2021, 4:04am

Hi all, 3 months down the road with HA, still considering myself pretty new to HA. I’m running into what seems is a common issue with the DuckDNS/LetsEncrypt supervisor addon.

TLDR; I’m trying to set up my own with LetsEnrypt certificate. DuckDNS domain cert is generated fine, yet getting the ERROR: Challenge is invalid! full details below) when I try to add my own domain to the configuration

Commentary: It seems there’s something missing from the otherwise helpful guides out there as the letsencrypt API generates a token, which it is looking for as a TXT dns record? The part I’m missing is how does that DNS entry get there? I mean I could add it manually, but as the token changes every time the cert request begins, it’s a moot point. I read something about ACME protocol, which I’m presuming might be what I’m missing, yet it seems my domain registrar/dns provider MyDomain does not support that? Is that the issue I’m having?

Second, I’m reading here and there that I need to open port 80 or 443 temporarily in my router at least temporarily. Port 80 is a no-go as Cox filters that port out, but I can do 443. What is the purpose of this?

This is my duckdns configuration:

lets_encrypt:
 accept_terms: true
 certfile: fullchain.pem
 keyfile: privkey.pem
token: tokentokentokentoken
domains:
 - myname.duckdns.org
aliases:
 - domain: ha.myowndomain.com
   alias: myname.duckdns.org
seconds: 300

When I start up dockdns, this is what the log looks like.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[09:39:32] INFO: OK
my.ext.ip.addr
NOCHANGE
[09:39:32] INFO: Renew certificate for domains: myname.duckdns.org and aliases: 
ha.myowndomain.com
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing myname.duckdns.org with alternative names: ha.myowndomain.com
 + Creating new directory /data/letsencrypt/mynameduckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for myname.duckdns.org
 + Handling authorization for ha.myowndomain.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for myname.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"sometokenplaceholder\" found at _acme-challenge.myname.duckdns.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/somenumber/someothernumber",
  "token": "anothertokenplaceholder"
})

If anyone can offer advice as to what I need to change it would be hugely appreciated. Do I need to make manual changes on my domain? (I’ve already got a CNAME record for *.myowndomain.com pointing to myname.duckdns.org. I’ve opened TCP/443 and portforwarded it to my HA box. thank you!