DuckDNS fails to create cert

nikee · October 11, 2023, 4:59am

I’m trying to set up DuckDNS addon but after filling in the configuration and starting the addon I get this in the log:

 + Deploying challenge tokens...
OK + Responding to challenge for xxxxx.duckdns.org authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"\" found at _acme-challenge.xxxxx.duckdns.org"
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"\" found at _acme-challenge.xxxxx.duckdns.org","status":403}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/272738501986/-dYCJA"
["token"]	"xxxxxxxxxxxxxxxxxxxxxxxxxx"
["validated"]	"2023-10-11T04:54:37Z")

anon63427907 · October 11, 2023, 6:11am

Could be related : Duckdns is down

nikee · October 11, 2023, 6:16am

Problem for me started yesterday. And I still have the same problem now 14 hour later

anon63427907 · October 11, 2023, 6:25am

Then tell us more which steps you have completed.

nikee · October 11, 2023, 6:54am

All I’ve done is install the addon and added this config:

domains:
  - xxxxx.duckdns.org
token: xxxxxxxxxxxxxxxxxxxxx
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

tom_l · October 11, 2023, 8:33am

Did you go to duckdns.org and set up your domain?

When you go there, does the ip address reported by your domain admin page match the ip address given to your router by your ISP?

nikee · October 11, 2023, 8:52am

Yes I have set up a domain at duckdns and the IP there matches my WAN IP. So I’m not behind CGNAT

tom_l · October 11, 2023, 8:56am

Have a read of this:

github.com/home-assistant/addons

DuckDNS Alias domain fails dns-01 challenge

opened 03:32PM - 20 May 20 UTC

closed 11:14AM - 09 Feb 21 UTC

AieatAssam

add-on: duckdns

When trying the new alias option in DuckDNS addon-on, the following gets generat…ed (redacted is a placeholder name for a real domain I use, <SNIP> is personally identifiable data I have redacted): ``` # INFO: Using main config file /data/workdir/config Processing redacted.duckdns.org with alternative names: home.redacted.net + Checking domain name(s) of existing cert... changed! + Domain name(s) are not matching! + Names in old certificate: redacted.duckdns.org + Configured names: redacted.duckdns.org home.redacted.net + Forcing renew. + Checking expire date of existing cert... + Valid till Aug 18 09:02:44 2020 GMT Certificate will not expire (Longer than 30 days). Ignoring because renew was forced! + Signing domains... + Generating private key... + Generating signing request... + Requesting new certificate order from CA... + Received 2 authorizations URLs from the CA + Handling authorization for redacted.duckdns.org + Found valid authorization for redacted.duckdns.org + Handling authorization for home.redacted.net + 1 pending challenge(s) + Deploying challenge tokens... OK + Responding to challenge for home.redacted.net authorization... + Cleaning challenge tokens... OK + Challenge validation has failed :( ERROR: Challenge is invalid! (returned: invalid) (result: { "type": "dns-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.redacted.net - check that a DNS record exists for this domain", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<SNIP>/<SNIP>", "token": "<SNIP>" }) ``` I have added the following CNAME record to my redacted.net domain: **home >> redacted.duckdns.org** The configuration I am using is as follows: ``` lets_encrypt: accept_terms: true certfile: fullchain.pem keyfile: privkey.pem token: <SNIP> domains: - redacted.duckdns.org - home.redacted.net aliases: - domain: home.redacted.net alias: redacted.duckdns.org seconds: 300 ```

nikee · October 11, 2023, 9:21am

But where do I add the CNAME? I’m only usning duckdns
And I dont use any alias

tom_l · October 11, 2023, 9:34am

More this point:

This only works when your provider supports an API for automated creation of DNS records

nikee · October 11, 2023, 10:04am

But this is a addon for duckdns and duckdns is the DNS-provider. I dont understnad what I’m supposed to do

tom_l · October 11, 2023, 10:32am

Try setting your router to use 1.1.1.1 or 8.8.8.8 as the DNS server, instead of your ISP’s DNS server.

nikee · October 11, 2023, 10:38am

I’ve already tried different DNS-server. 1.1.1.1, 1.0.0.1 and 8.8.8.8
Does not solve the issue

tom_l · October 11, 2023, 10:40am

In your router or in home assistant?

nikee · October 11, 2023, 10:46am

Changed in HAOS and in the router

tom_l · October 11, 2023, 10:58am

I’m out of ideas then. Sorry.

nikee · October 12, 2023, 4:53am

Now during the night the addon has created certs. Without me changing anything
So the problem must have been at DuckDNS’s end

tom_l · October 12, 2023, 4:55am

Yeah. There have been a few issues reported in the last couple of days. All their end.