Let's Encrypt quit working?

Recently rebooted HA and now can’t access from outside my network. Here’s my duckdns log:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
[08:30:44] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing xxxx.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for xxxx.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
KO + Responding to challenge for xxxx.duckdns.org authorization...
 + Cleaning challenge tokens...
KO + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"\" found at _acme-challenge.xxxx.duckdns.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1433547445/j1yZyQ",
  "token": "kR8AQGBZ9WHiEbXkdCYaBA7NQn0XGUYdc68DKlVc4c8"
})
[08:36:24] INFO: KO
[08:41:25] INFO: KO

Not sure what to try. Any help would be appreciated!

Having the very same problem. I've read everything I can find and tried everything suggested. Can't figure it out!

Just a thought but you might want to consider blurring out your domain and duckdns token on that image.

The good news is that there appears to be nothing wrong with your setup. I can get to it just fine.

1 Like

OK, I don't know how that happened, but the token that was in that picture was NOT my duckdns token. I shut off duckdns and deleted the pic just for good measure. Just to check, before I shut it down I still couldn't get in. I'm lost and more than a little bit concerned.

When I try to access HA from the outside, I get a certificate error. This seems like a new problem, but I’m not sure where to start.

I got nervous and deleted that domain. I'm setting it up with a new domain now.

Here’s how I fixed it. I deleted fullchain.pem and privkey.pem from the ssl directory, then removed my domain from duckdns. Re-added the same domain and restarted the Duckdns add-on. The pem files were rebuilt and now everything is back.

1 Like

Same problem here, but I followed your instructions without luck.

  • Seems the addon doesn’t send the TXT to duckdns, as it shows as empty \"\"
  • my privkey.pem and fullchain.pem are not rebuilt after restarting the addon

Looking for a solution :cry:

Hi,

Did you fix the problem in the meantime? My certificate renewal also does not seem to work correctly.

Greetings

I also solved it by deleting fullchain.pem and privkey.pem from the ssl directory, then removed my domain from duckdns. Re-added the same domain. The pem files however were rebuilt on a full system restart.

Hoping not to get the same problem again when the new cert expires in another three months…

Yeah, no luck! A few months down the line and the same problem occurs. This LetsEncrypt/DuckDNS in Home Assistant is broken for sure. Tried my own solution from last time around but now the interface is not coming back at all (not even on local network connection)! Now struggling with a totally broken HA server. This is a real bummer!

Half a day spent fixing HA (removed the lines in the http: section in configuration.yaml by using USB keyboard and my TV to use the undocumented “login” command) and then the certificate:

Removed all aliases from the DuckDNS config leaving only the original line:
aliases: []

Restarted DuckDNS and finally the challenge was working. Then added the aliases section back, restarted DuckDNS again and now everything is back to normal (until December 21 when this will most likely happen again).

I also just ran into the same problem:

OKOK + Responding to challenge for <mydomain>.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"M25OMYJjoHN2PJq4YvGc5-TcBE_A69PljnnxLkUgRLM\" found at _acme-challenge.<mydomain>.duckdns.org"

I fixed it, as others have done, by doing this:

  1. Deleting the files in ~/ssl/ (use the Terminal & SSH addon, and run rm -rf ~/ssl/*).
  2. Removing the custom domains from DuckDNS config so that the aliases section reads as aliases: [].
  3. Restart DuckDNS, switch to the Log tab and confirm no errors. A new cert and key will have been generated and saved to the ~/ssl directory.
  4. Restore the DuckDNS config to what it was before and restart DuckDNS again. This time my certificate renewed successfully.

I also just set a reminder for me to go look at this forum post on Jan 1 15:58:24 2022 :slight_smile:

5 Likes

You’re my hero of the day! Reminding myself of this post as well in a few months :partying_face: Happy New Year! :wink:

2 Likes

And exactly 3 months later autorenewal failed again.

But this time less messing about…

  1. Remove aliases, just replace with aliases: [].
  2. Restart the addon
  3. Assuming it renewed ok, add the aliases back in
  4. Restart the addon

Boom!!! Back in business.

4 Likes

Super! I also have the calendar set to remind me in December. However, do we know where to report this apparent bug so it might be fixed for everyone before then? I looked last time but couldn’t find any forum for bug reporting.

Another 3 months, another manual renewal needed. It looks like this issue has been reported in the HA addons repo here: duckdns can't obtain cert after upgrade to 1.12.5 · Issue #1869 · home-assistant/addons · GitHub

1 Like

Thanks for this, was banging my head against a wall for a while trying to figure out what was wrong but seems like it was just this same bug

Whooohooo and here we are again. Activity on the GH issue doesn’t look promising, sadly, but the workaround still works!