DuckDNS and letsencrypt failing since yesterday

I get the following error when I restart my duckdns addon to get new certificates:

[16:44:03] INFO: Renew certificate for domains: kaxxxx.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing kaxxxx.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for kaxxxx.duckdns.org
 + Found valid authorization for kaxxxx.duckdns.org
 + 0 pending challenge(s)
 + Requesting certificate...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/finalize/1249177616/214352567086 (Status 403)
Details:
HTTP/2 403 
server: nginx
date: Wed, 11 Oct 2023 14:44:18 GMT
content-type: application/problem+json
content-length: 256
boulder-requester: 1249177616
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: _s_5u1NQJaXreZ7If1etXIj10P9Vg_-iidBebKrQRv2pt5gF_7g

{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for kaxxxxx.duckdns.org: DNS problem: SERVFAIL looking up CAA for kapuz.duckdns.org - the domain's nameservers may be malfunctioning",
  "status": 403
}
/usr/bin/dehydrated: line 737: 1: unbound variable

It was working fine for a couple of months. I did not change anything. Any idea?

I think they’ve been having issues recently. They were down yesterday and there have been other issues reported.

The Tailscale addon is simple to set up if you need a free workaround until they sort it out. No port forwarding required either. You only require the Tailscale app (vpn) on your remote devices.

I had the same issues yesterday but at the end of the day and today it has been much better. I also bend way over backwards to not ‘dis’ them in any way as it has been rock solid (and free of course) for the last 1 1/2 years since I have been using HA. The only thing I try to avoid with a remote access solution from a phone is having to run it through VPN software (I believe that is ‘kludgy’ and there should be a more elegant solution!) I did inquire about other options however in another post and for your convenience that is here.

Personally I find punching security holes in my router (port forwarding) a lot more “kludgey” than using a VPN.

I agree 1,000 percent, on a journey of improvement…