Let's Encrypt add-on configuration for DNS challenge

Hi all,

I have HASSIO installed on a Raspberry Pi 3B+ and I use Duck DNS as free DNS provider; I installed the Let’s Encrypt add-on for Home Assistant and it worked fine until about a month ago, when I changed my ISP.
My previous ISP gave me the possibility to open public port 80, so I was able to renew my Let's Encrypt certificate using the HTTP challenge; my new ISP gives me a range of public ports that doesn't include port 80 (the range starts at 49152 and I can't do anything to change it).

I tried to follow instructions on https://github.com/home-assistant/addons/blob/8d194b2446402ea1602172dcd7f00bf0698d567f/letsencrypt/DOCS.md to enable the DNS challenge but without success due to some configuration option that I am unable to set correctly.

This is the configuration I put in the DNS section of the Let's Encrypt add-on after selecting the DNS option for the challenge:

email: [email protected]
domains:
  - mydomain.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
dns:
  provider: duckdns

and this is the Let’s Encrypt add-on log after its restart:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[08:22:13] INFO: Selected DNS Provider: null
[08:22:14] INFO: Use propagation seconds: 60
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I am not able to solve this problem due to my limited experience with this kind of problem; please, is it possible to get more detailed help about the DNS challenge configuration of the Let's Encrypt add-on?

Thanks in advance for any hint.

Regards.

I'm having the same error with the Cloudflare provider. Any ideas?

Hi @pepi0,

Reading the docs more carefully, I was able to solve the Let's Encrypt certificate renewal problem in my case by putting these lines

accept_terms: true
algo: secp384r1
certfile: fullchain.pem
keyfile: privkey.pem

in the Let’s Encrypt section of the configuration page of the Duck DNS add-on, leaving unchanged the configuration of the Let’s Encrypt add-on.

I hope this can be of some help also in your case.

Thanks for your feedback, I've tried it but it didn't work.
Basically I fill in the information on the form and I've added the following in the DNS field:

email: [email protected]
domains:
  - mydomain.com
accept_terms: true
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
algo: secp384r1
dns:
  provider: dns-cloudflare
  cloudflare_api_token: TOKEN

however, in the log I've noticed the following:

[23:09:52] INFO: Selected DNS Provider: null

As if it's not getting the DNS provider or something.

I ran into this same error… the resolution for me was to only include the elements of the “dns:” section in the “DNS” field of the configuration page (and not the “dns:” heading). So my “DNS” configuration entry just looks like this:

provider: dns-cloudflare
cloudflare_api_token: <TOKEN>

Seems obvious enough in hindsight, but it wasn't at all clear to me from the documentation. :)

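The failure mode in this thread is easy to reproduce offline: the add-on reads only the top-level keys of whatever is pasted into the "DNS" field, so a nested `dns:` heading hides `provider` and the log shows `Selected DNS Provider: null`, which certbot then rejects as `--null --null-credentials /data/dnsapikey`. The following checker is an added example and is not code from the Let's Encrypt add-on; the way a provider name is turned into certbot flags (`--<provider> --<provider>-credentials /data/dnsapikey`) is an assumption inferred from that log line, and the two sample fragments are constructed from the configs posted above.

```python
"""Check the YAML pasted into the Let's Encrypt add-on's "DNS" field.

Added example, not the add-on's own code. The flag pattern below is an
assumption inferred from the log line
"certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey".
"""

CREDENTIALS_PATH = "/data/dnsapikey"  # path seen in the add-on log

# Constructed sample inputs: what was pasted into the DNS field in this thread.
DNS_FIELD_WITH_HEADING = """\
dns:
  provider: dns-cloudflare
  cloudflare_api_token: TOKEN
"""

DNS_FIELD_CORRECT = """\
provider: dns-cloudflare
cloudflare_api_token: TOKEN
"""


def parse_flat_mapping(text):
    """Minimal parser for the simple 'key: value' YAML the DNS field takes.

    Returns (top_level, nested): top_level maps unindented keys to values,
    nested lists unindented keys whose value is a block (e.g. 'dns:').
    Indented children are deliberately ignored, because the add-on only
    sees top-level keys; that is exactly the mistake this check catches.
    """
    top_level = {}
    nested = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if len(raw) - len(raw.lstrip(" ")) > 0:
            continue  # child of a nested block, invisible at top level
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        value = value.strip().strip("'\"")
        if value:
            top_level[key.strip()] = value
        else:
            nested.append(key.strip())
    return top_level, nested


def build_certbot_args(dns_field_text, credentials_path=CREDENTIALS_PATH):
    """Return (certbot_args, problems) for a DNS-field fragment.

    Assumed flag pattern: --<provider> --<provider>-credentials <path>.
    With no top-level 'provider' the add-on logged 'null' and certbot
    rejected '--null', which is what the thread's log shows.
    """
    top_level, nested = parse_flat_mapping(dns_field_text)
    problems = []
    if "dns" in nested:
        problems.append("remove the 'dns:' heading; paste only its child keys into the DNS field")
    provider = top_level.get("provider")
    if provider is None:
        problems.append("no top-level 'provider' key -> log shows 'Selected DNS Provider: null'")
        provider = "null"
    elif not provider.startswith("dns-"):
        # certbot's bundled DNS plugins are named dns-<name> (dns-cloudflare, ...);
        # the add-on DOCS list the exact provider names it accepts.
        problems.append(f"provider '{provider}' does not look like a certbot dns-* plugin name")
    args = [f"--{provider}", f"--{provider}-credentials", credentials_path]
    return args, problems


def report(label, dns_field_text):
    """Print what certbot would be called with and any detected problems."""
    args, problems = build_certbot_args(dns_field_text)
    print(f"{label}: certbot {' '.join(args)}")
    for problem in problems:
        print(f"  problem: {problem}")
    return problems


if __name__ == "__main__":
    report("with dns: heading", DNS_FIELD_WITH_HEADING)
    report("correct", DNS_FIELD_CORRECT)
```

Once the provider is read correctly, certbot's DNS-01 flow publishes a TXT record at `_acme-challenge.<domain>` and waits the logged "propagation seconds" before asking Let's Encrypt to verify it; `dig TXT _acme-challenge.mydomain.duckdns.org` (substituting your own domain) is a quick way to confirm the record actually appeared if a later run fails at the validation step rather than at argument parsing.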

Hi, I'm trying to use the inwx DNS challenge (pull request from @xant) as I have another server on port 80.
The plugin starts but I always get an authentication error from the INWX login. Tried with both 2FA enabled and disabled.

Config:

domains:
  - www.domain.de
email: [email protected]
keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-inwx
  inwx_username: user
  inwx_password: pass
  inwx_shared_secret: ABCDEFGHIJK

Also tried with quotes around user/pass/secret, no difference.
What am I doing wrong?