I have tried to find anything about the current and correct configuration of using SSL with HA. Unfortunately, all the posts I can find are at least a year old, which is a very long time in the current environment, and I found nothing that described my error. I am getting a “Challenge is invalid” error in the DuckDNS add-on log. (Shown below.)
I am running HA from the image on an SD card on a Pi.
I am lost about where I could have entered something incorrectly. I read “Can't get duckdns to work”, but I don’t see anywhere where I have “https” entered except in the base URL, and none of the solutions there seemed to help.
According to https://www.duckdns.org/spec.jsp, returning the KO response means DuckDNS didn’t update (although the IP address is updating). I have verified that the token is correct (although obfuscated below). I don’t know what “Account is already registered!” means and if that’s a good thing or an error.
Any suggestions on where to look next?
bph
This is [part of] what I attempted in configuration.yaml, but HA calls it invalid until the certs exist. So I removed the http section.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[00:19:57] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing byronetta.duckdns.org with alternative names: ha.hynes.ca
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for byronetta.duckdns.org
+ Handling authorization for ha.hynes.ca
+ 2 pending challenge(s)
+ Deploying challenge tokens...
OKOK + Responding to challenge for byronetta.duckdns.org authorization...
+ Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record \"VVc7_OtGO-38X1_Zn2VOdZDSnUXkb_FMnlOgeaFvVvY\" found at _acme-challenge.byronetta.duckdns.org",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5270070980/Md6giQ",
"token": "K6RQU-w3yZPFsB0HBgGFphOqkA1eGOjL88Q6a-PYAGI"
})
[00:25:32] INFO: KO
[00:30:33] INFO: KO
[00:35:33] INFO: KO
[00:40:34] INFO: KO
[00:45:35] INFO: KO
[00:50:35] INFO: KO
[00:55:36] INFO: KO
Thanks. I will change that … but do you think that’s causing the DuckDNS error? The invalid part of the configuration.yaml seemed to be that the ssl folder and/or very files didn’t exist.
I thought the point of DNS-01 was to avoid having to use http challenges.
However… it seems that the first error (KO) is from DuckDNS, not LE. If the DuckDNS add-on isn’t updating the TXT record, then obviously the rest will fail. Is it possible to turn on the verbose setting so I can get the error detail (from DD)?
I’d like to find out what “account is already registered” means, too — or at least if that’s normal or an exception.
I do have other systems/sites (both at home and several clients) that use LE’s HTTP validations, and they are, frankly, a pain, as it’s comparatively rare in a business setting to be able to expose port 80, especially on a 1:1 basis. If HA/DuckDNS requires inbound port 80 access to the Pi, that ain’t gonna happen. Port 443 is also already bound to IIS (on a totally different server), so I might have to use a reverse proxy.
HA/DD gets a valid cert issued to the duckdns.org subdomain.
By adding cert paths to configuration.yaml (under http), I can access HA via SSL both locally and remotely on port 8123 (which is where I want to leave it for now; 443 is in use).
The question now is how do I get HA/DD to ask LE to add ha.hynes.ca as a subject alternative name to the cert, so that I can access it as ha.hynes.ca not just as byronetta.duckdns.org. I know LE supports this.
The documentation tab on the DuckDNS add-on (see below) describes exactly what I want to do, but adding that to the configuration for DuckDNS seems to cause it to fail (with a KO error), and/or issue a cert without the second name.
Did I miss a step?
Option: aliases (optional)
A list of aliases of domains configured on the domains option. This is useful in cases where you would like to use your own domain. Create a CNAME record to point at the DuckDNS subdomain and set this value accordingly.
For example:
domains:
  - my-domain.duckdns.org
  - ha.my-domain.com
aliases:
  - domain: ha.my-domain.com
    alias: my-domain.duckdns.org
Also, add your custom domain name to the `domains` array to create the certificate for both domains.
I set this aside to see if any new answers appeared, and I noticed today that the cert was suddenly valid for both domains.
Here’s all the logs say (notice there is still a KO error):
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[22:08:22] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing byronetta.duckdns.org with alternative names: ha.hynes.ca
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Sep 14 22:57:56 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
I’m having very similar issues. I THINK my issue is that I configured the add-on with the duckdns domains only first, it grabbed a valid cert for that, and now won’t renew with my custom domain as a SAN because there’s no way to force it?
Did this finally resolve itself when your original certificate expired? Or did it just randomly start working?
With your custom domain in the domains list, how is it answering the Let’s Encrypt challenge?
Obviously it used the DuckDNS token to authenticate with DuckDNS to update the DNS TXT records there… but the add-on has no way of authenticating with my other DNS provider, so I don’t see how this could ever succeed…
Their documentation is very unclear… hoping you might have some wisdom for me.
Ya… well… woke up one day and couldn’t connect via anything to HA because the cert hadn’t renewed. Nice idea, but this is way too flaky for anyone with a domain. I manage dozens of SSL certs, and most of them are being transitioned to LE. This is just too much of a black box of mystery to be worth me trying to troubleshoot. I’m back to HTTP only until I set up my own cert. I have no need/use for DuckDNS, except it was supposed to be how to get the LE cert. Except it doesn’t.
Hi, exactly the same problem here. Did you get anywhere with it?
I also had it running on a duckdns.org subdomain before I added my own domain.
I don’t understand how on earth it would ever work, since there is no way HA can update a TXT record on my domain, so I’m not surprised it’s failing, but no idea how it should work???
OK + Responding to challenge for blah.net authorization...
+ Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.blah.net - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9979550384/vNZa9w",
"token": "X9uZofds60Qi38qIEDqSdoZRtpacfl4eAav3dXqShlQ"
})
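The aliases documentation quoted earlier and the “how can it answer the challenge for my domain” question above come down to one DNS detail: the CA looks up TXT at `_acme-challenge.<domain>` and follows CNAMEs, so a CNAME on that label of the custom domain, pointing at the DuckDNS name where the add-on writes its TXT, lets the single TXT record satisfy both names. The model below is an added illustration, not code from the thread or the add-on: the toy zone, the account thumbprint and the exact CNAME target are constructed assumptions, while the two failure branches reproduce the NXDOMAIN and “Incorrect TXT record” results seen in the logs.

```python
import base64
import hashlib

THUMBPRINT = "EXAMPLE-ACCOUNT-KEY-THUMBPRINT"  # placeholder; real value comes from the ACME account key
TOKEN = "K6RQU-w3yZPFsB0HBgGFphOqkA1eGOjL88Q6a-PYAGI"  # challenge token taken from the log above
STALE_TXT = "VVc7_OtGO-38X1_Zn2VOdZDSnUXkb_FMnlOgeaFvVvY"  # the wrong TXT the CA found in the first log


def dns01_txt_value(token, thumbprint):
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token + "." + account key thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def lookup_txt(zone, name, max_hops=8):
    """Resolve TXT at `name`, following CNAMEs the way a validating resolver does.
    `zone` is a constructed dict: owner name -> list of (rtype, rdata), standing in for live DNS."""
    for _ in range(max_hops):
        rrset = zone.get(name)
        if not rrset:
            return "nxdomain", name
        cnames = [v for t, v in rrset if t == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME redirects the whole owner name, then we look again
            continue
        return "txt", [v for t, v in rrset if t == "TXT"]
    return "nxdomain", name  # CNAME loop or chain too long; treat as unresolvable


def validate_dns01(zone, domain, token, thumbprint):
    """Report the outcome the way the CA does; error types match those in the posted logs."""
    expected = dns01_txt_value(token, thumbprint)
    kind, result = lookup_txt(zone, f"_acme-challenge.{domain}.")
    if kind == "nxdomain":
        return {"status": "invalid", "error": "urn:ietf:params:acme:error:dns",
                "detail": f"DNS problem: NXDOMAIN looking up TXT for {result}"}
    if expected not in result:
        return {"status": "invalid", "error": "urn:ietf:params:acme:error:unauthorized",
                "detail": f"Incorrect TXT record {result!r}"}
    return {"status": "valid"}


def build_zone(alias_cname=True, txt=None):
    """Constructed records for the docs example: DuckDNS holds the TXT the add-on writes, and the
    custom domain delegates its _acme-challenge label to it with a CNAME (assumed target name)."""
    zone = {"_acme-challenge.my-domain.duckdns.org.": [("TXT", txt or dns01_txt_value(TOKEN, THUMBPRINT))]}
    if alias_cname:
        zone["_acme-challenge.ha.my-domain.com."] = [("CNAME", "_acme-challenge.my-domain.duckdns.org.")]
    return zone
```

Without the CNAME the custom name yields the NXDOMAIN error from the last log; with the CNAME present but a stale TXT left on the DuckDNS name you get the “Incorrect TXT record” result from the first one.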
Today, you are my favorite person. That worked immediately.
I had put this problem on the backburner since life has been pretty busy - was resorting to accessing my instance from my duckdns url for now. Good find, and thank you for updating this thread.
Tried the solutions above and it STILL won’t work. So friggin tired of it. Any other way of fixing this? I was considering letting Nginx Proxy Manager request the certificates instead and somehow copying the darn files so that HA and add-ons can use them, but it seems like a messy solution.
I can only encourage you to stick at it. I followed the instructions about 3 or 4 times before they worked. I’m still unclear what/if I did anything different the last time but it did eventually work and the certificates have been fine for a number of months since.