LetsEncrypt in DuckDNS - Fails with Incorrect TXT

I have tried to find anything about the current and correct configuration of using SSL with HA. Unfortunately, all the posts I can find are at least a year old, which is a very long time in the current environment, and I found nothing that described my error. I am getting a “Challenge is invalid” error in the DuckDNS add-on log. (Shown below.)

I am running HA from the image on an SD card on a Pi.

I am lost about where I could have entered something incorrectly. I read “Can't get duckdns to work”, but I don’t see anywhere where I have the “https” entered except in the base url, and none of the solutions there seemed to help.

According to https://www.duckdns.org/spec.jsp, returning the KO response means DuckDNS didn’t update (although the IP address is updating). I have verified that the token is correct (although obfuscated below). I don’t know what “Account is already registered!” means and if that’s a good thing or an error.

Any suggestions on where to look next?

  • bph

This is [part of] what I attempted in configuration.yaml, but HA calls it invalid until the certs exist. So I removed the http section.

http:
  base_url: https://ha.hynes.ca:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  

This is the DuckDNS configuration.

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: fbd4dd22-xxxx-xxxx-xxxx-xxxxxxxxxxxx
domains:
  - byronetta.duckdns.org
  - ha.hynes.ca
aliases:
  - domain: ha.hynes.ca
    alias: byronetta.duckdns.org
seconds: 300

This is the DuckDNS log:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
[00:19:57] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing byronetta.duckdns.org with alternative names: ha.hynes.ca
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for byronetta.duckdns.org
 + Handling authorization for ha.hynes.ca
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for byronetta.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"VVc7_OtGO-38X1_Zn2VOdZDSnUXkb_FMnlOgeaFvVvY\" found at _acme-challenge.byronetta.duckdns.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5270070980/Md6giQ",
  "token": "K6RQU-w3yZPFsB0HBgGFphOqkA1eGOjL88Q6a-PYAGI"
})
[00:25:32] INFO: KO
[00:30:33] INFO: KO
[00:35:33] INFO: KO
[00:40:34] INFO: KO
[00:45:35] INFO: KO
[00:50:35] INFO: KO
[00:55:36] INFO: KO

base_url no longer exists.
It is now internal_url and external_url, both under homeassistant rather than http in your config.

Thanks. I will change that … but do you think that’s causing the DuckDNS error? The invalid part of the configuration.yaml seemed to be that the ssl folder and/or very files didn’t exist.

Nope, just the invalid config error you were seeing.

This

ERROR: Challenge is invalid!

Means that a file that DuckDNS/Letsencrypt placed on your server previously and then tried to retrieve was found to be incorrect. See:

Noting in particular these two points:

  • It doesn’t work if your ISP blocks port 80 (this is rare, but some residential ISPs do this).
  • If you have multiple web servers, you have to make sure the file is available on all of them.

Thanks for the reply!

I thought the point of DNS-01 was to avoid having to use http challenges.

However… it seems that the first error (KO) is from DuckDNS, not LE. If the DuckDNS add-on isn’t updating the TXT then obviously the rest will fail. Is it possible to turn on the verbose setting so I can get the error detail (from DD)?

I’d like to find out what “account is already registered” means, too — or at least if that’s normal or an exception.

I do have other systems/sites (both at home and several clients) that use LE’s HTTP validations, and they are, frankly, a pain, as it’s comparatively rare in a business setting to be able to expose port 80, especially on a 1:1 basis. If HA/DuckDNS requires inbound port 80 access to the Pi, that ain’t gonna happen. Port 443 is also already bound to IIS (on a totally different server), so I might have to use a reverse proxy.


Exactly. The transfer of a pre-encrypted file negates the need for encrypted challenge-response on the fly. Your file ain’t right.

I don’t know the answers to your other questions, sorry.

See if it works without your alias config.

EDIT: actually, remove the non-DuckDNS domain from domains:

Well, that’s getting better!
Thank you.

Here’s what’s now working:

  1. HA/DD updates the duckdns name to the correct IP
  2. HA/DD gets a valid cert issued to the duckdns.org subdomain
  3. By adding cert paths to configuration.yaml (under http), I can access HA via SSL both locally and remotely on port 8123 (which is where I want to leave it for now; 443 is in use).

The question now is how do I get HA/DD to ask LE to add ha.hynes.ca as a subject alternative name to the cert, so that I can access it as ha.hynes.ca not just as byronetta.duckdns.org. I know LE supports this.

The documentation tab on the DuckDNS (see below) describes exactly what I want to do, but adding that to the configuration for DuckDNS seems to cause it to fail (with a KO error), and/or issue a cert without the second name.

Did I miss a step?

Option: aliases (optional)

A list aliases of domains configured on the domains option. This is useful in cases where you would like to use your own domain. Create a CNAME record to point at the DuckDNS subdomain and set this value accordingly.

For example:

domains:
  - my-domain.duckdns.org
  - ha.my-domain.com
aliases:
  - domain: ha.my-domain.com
    alias: my-domain.duckdns.org

Also, add your custom domain name to the `domains` array to create the certificate for both domains

Well. Sure. Ok… I guess…

I set this aside to see if any new answers appeared, and I noticed today that the cert was suddenly valid for both domains.

Here’s all the logs say (notice there is still a KO error):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[22:08:22] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing byronetta.duckdns.org with alternative names: ha.hynes.ca
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Sep 14 22:57:56 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

And here’s the configuration:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: fbd4dd22-xxxx-xxxx-xxxx-xxxxxxxxxxxx
domains:
  - byronetta.duckdns.org
  - ha.hynes.ca
aliases:
  - domain: ha.hynes.ca
    alias: byronetta.duckdns.org
seconds: 300

So, we will see what comes.

And the cert with the SANs:
[screenshot: 2020-06-18_22-04-49]

I’m having very similar issues. I THINK my issue is that I configured the add-on with the duckdns domains only first, it grabbed a valid cert for that, and now won’t renew with my custom domain as a SAN because there’s no way to force it?

Did this finally resolve itself when your original certificate expired? Or did it just randomly start working?

With your custom domain in the domains list how is it answering the let’s encrypt challenge?

Obviously it used the DuckDNS token to authenticate with DuckDNS to update the DNS TXT records there… but the add-on has no way of authenticating with my other DNS provider, so I don’t see how this could ever succeed…

Their documentation is very unclear… hoping you might have some wisdom for me.


Ya… well… woke up one day and couldn’t connect via anything to HA because the cert hadn’t renewed. Nice idea, but this is way too flaky for anyone with a domain. I manage dozens of SSL certs, and most of them are being transitioned to LE. This is just too much of a black box of mystery to be worth me trying to troubleshoot. I’m back to HTTP only until I set up my own cert. I have no need/use for DuckDNS, except it was supposed to be how to get the LE cert. Except it doesn’t.

Hi, exactly the same problem here. Did you get anywhere with it?
I also had it running on a duckdns.org subdomain before I added my own domain.

I don’t understand how on earth it would ever work, since there is no way HA can update a TXT record on my domain. So I’m not surprised it’s failing, but I have no idea how it should work?

OK + Responding to challenge for blah.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.blah.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9979550384/vNZa9w",
  "token": "X9uZofds60Qi38qIEDqSdoZRtpacfl4eAav3dXqShlQ"
})

Config

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: blah blah
domains:
  - blah.duckdns.org
  - ha.blah.net
aliases:
  - domain: ha.blah.net
    alias: blah.duckdns.org
seconds: 300

My DNS is fine.

Any suggestions welcome.

Thanks :slight_smile:

After a lot of messing, I finally found the solution. An additional CNAME is needed to point to

*.ha.mydomain.com

as well as

ha.mydomain.com

both pointing to mydomain.duckdns.org

Thanks to wgrziwa in this post: https://github.com/home-assistant/addons/issues/1331#issuecomment-641191812


@Kitkat

Today, you are my favorite person. That worked immediately.

I had put this problem on the backburner since life has been pretty busy - was resorting to accessing my instance from my duckdns url for now. Good find, and thank you for updating this thread.

Cheers! :beer:


Had a ton more problems when the cert didn’t renew last night. But seem to have fixed it by adding another CNAME:

_acme-challenge.mydomain.com

pointing to

_acme-challenge.mydomain.duckdns.org

Not sure why the *.mydomain stopped working, but adding the above and then rebooting got me up and running again.

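The two CNAME fixes above, and the two failures earlier in the thread (the NXDOMAIN on _acme-challenge.ha.blah.net and the “Incorrect TXT record” on _acme-challenge.byronetta.duckdns.org), all come down to how a dns-01 validation is performed: the CA computes base64url(SHA-256(token "." account-key-thumbprint)) (RFC 8555 section 8.4), queries TXT for `_acme-challenge.` plus the exact name being validated, follows any CNAMEs it meets, and compares. The add-on can only set the TXT on the DuckDNS name, so the record at your own domain has to redirect that query there. The script below is an added example, not code from the DuckDNS add-on, dehydrated or Let's Encrypt; it models that check over a constructed in-memory zone using the thread's placeholder names (blah.duckdns.org, ha.blah.net), a constructed thumbprint, the token from the second log and the stale TXT value from the first, and it assumes (as the wildcard CNAME fix implies) that DuckDNS answers the API-set TXT for the subdomain and for names below it.

```python
"""dns-01 as the CA sees it.  Added example; not code from the DuckDNS add-on
or Let's Encrypt.  It computes the TXT value the CA expects (RFC 8555 s8.4)
and resolves _acme-challenge.<name> through a constructed zone, following
CNAMEs and wildcards, to reproduce the outcomes seen in this thread."""
import base64
import hashlib


def expected_txt(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token "." account-key-thumbprint)), unpadded."""
    key_authz = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def lookup(zone: dict, name: str, rtype: str):
    """Return the value of (name, rtype) from a {(owner, rtype): value} zone.
    If the exact owner has no records at all, synthesize from "*.<parent>"
    as a DNS wildcard would; an existing owner never falls back to a wildcard."""
    if any(owner == name for owner, _ in zone):
        return zone.get((name, rtype))
    parent = name.partition(".")[2]
    return zone.get((f"*.{parent}", rtype)) if parent else None


def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs from `name`; return ("TXT", value) or ("NXDOMAIN", name).
    Simplification: any name with no usable record is reported as NXDOMAIN."""
    for _ in range(max_hops):
        target = lookup(zone, name, "CNAME")
        if target:
            name = target
            continue
        value = lookup(zone, name, "TXT")
        return ("TXT", value) if value is not None else ("NXDOMAIN", name)
    return ("NXDOMAIN", name)  # CNAME loop: give up


def validate_dns01(zone: dict, identifier: str, token: str, thumbprint: str) -> dict:
    """Mimic the CA's check; the dict mirrors the "error" object in the add-on log."""
    qname = f"_acme-challenge.{identifier}"
    kind, value = resolve_txt(zone, qname)
    if kind != "TXT":
        return {"status": "invalid", "type": "urn:ietf:params:acme:error:dns",
                "detail": f"DNS problem: NXDOMAIN looking up TXT for {qname}"}
    if value != expected_txt(token, thumbprint):
        return {"status": "invalid", "type": "urn:ietf:params:acme:error:unauthorized",
                "detail": f'Incorrect TXT record "{value}" found at {qname}'}
    return {"status": "valid"}


# Constructed inputs: the token is the one from the second log; the thumbprint is
# made up (the real one is derived from the add-on's ACME account key).
TOKEN = "X9uZofds60Qi38qIEDqSdoZRtpacfl4eAav3dXqShlQ"
THUMBPRINT = "constructed-thumbprint-not-a-real-key"
STALE_TXT = "VVc7_OtGO-38X1_Zn2VOdZDSnUXkb_FMnlOgeaFvVvY"  # value seen in the first log


def duckdns_zone(txt_value: str) -> dict:
    """What DuckDNS serves after the add-on's update call.  Assumption made here:
    the TXT set via the API answers for the subdomain and every name below it,
    which is what lets a "*.ha.blah.net" CNAME reach it."""
    return {("blah.duckdns.org", "A"): "203.0.113.10",
            ("blah.duckdns.org", "TXT"): txt_value,
            ("*.blah.duckdns.org", "A"): "203.0.113.10",
            ("*.blah.duckdns.org", "TXT"): txt_value}


def check(custom_records: dict, txt_on_duckdns: str) -> dict:
    """Validate ha.blah.net with the given records present at the custom domain."""
    zone = duckdns_zone(txt_on_duckdns)
    zone.update(custom_records)
    return validate_dns01(zone, "ha.blah.net", TOKEN, THUMBPRINT)


# 1. Only "ha.blah.net CNAME blah.duckdns.org": nothing answers _acme-challenge.ha.blah.net.
NO_CHALLENGE_CNAME = {("ha.blah.net", "CNAME"): "blah.duckdns.org"}
# 2. Wildcard fix from the thread: "*.ha.blah.net CNAME blah.duckdns.org".
WILDCARD_CNAME = {("ha.blah.net", "CNAME"): "blah.duckdns.org",
                  ("*.ha.blah.net", "CNAME"): "blah.duckdns.org"}
# 3. Explicit fix from the thread, placed at the name the CA actually queries.
CHALLENGE_CNAME = {("ha.blah.net", "CNAME"): "blah.duckdns.org",
                   ("_acme-challenge.ha.blah.net", "CNAME"): "_acme-challenge.blah.duckdns.org"}

if __name__ == "__main__":
    fresh = expected_txt(TOKEN, THUMBPRINT)
    for label, records in [("no challenge CNAME", NO_CHALLENGE_CNAME),
                           ("wildcard CNAME", WILDCARD_CNAME),
                           ("_acme-challenge CNAME", CHALLENGE_CNAME)]:
        print(label, "->", check(records, fresh))
    # A correct CNAME chain still fails while DuckDNS holds the previous run's value:
    print("stale TXT ->", check(CHALLENGE_CNAME, STALE_TXT))
```

Two things to take from the model: the record must exist at `_acme-challenge.<exact name in domains>`, so for ha.blah.net a CNAME at `_acme-challenge.blah.net` does nothing and only the wildcard covers it; and a correct chain still fails with “Incorrect TXT record” when the DuckDNS update itself returned KO, because the CA then reads whatever value DuckDNS last stored. Checking `dig +short TXT _acme-challenge.ha.yourdomain` against a fresh run is the quickest way to tell the two apart.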

Same problem - hopefully same solution. I updated my records, but they seem to be taking a while to propagate or my HA instance is caching old info.

Tried the solutions above and it STILL won’t work. So friggin tired of it. Any other way of fixing this? I was considering letting nginx proxy manager request the certificates instead and somehow copying the darn files so that HA and add-ons can use them, but it seems like a messy solution.

I can only encourage you to stick at it. I followed the instructions about 3 or 4 times before they worked. I’m still unclear what/if I did anything different the last time but it did eventually work and the certificates have been fine for a number of months since.

I’m somewhat uncertain. This is what I have set now based on the above. It does not all quite make sense to me really but still.