LetsEncrypt in DuckDNS - Fails with Incorrect TXT

Configuration
9

Well. Sure. Ok… I guess…

I set this aside to see if any new answers appeared, and I noticed today that the cert was suddenly valid for both domains.

Here’s all the logs say (notice there is still a KO error):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[22:08:22] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing byronetta.duckdns.org with alternative names: ha.hynes.ca
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Sep 14 22:57:56 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

And here’s the configuration:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: fbd4dd22-e601-49c3-8abe-d15e4095ff1f
domains:
  - byronetta.duckdns.org
  - ha.hynes.ca
aliases:
  - domain: ha.hynes.ca
    alias: byronetta.duckdns.org
seconds: 300

So, we will see what comes.

10

And the cert with the SANs:
2020-06-18_22-04-49

11

I’m having very similar issues. I THINK my issue is that I configured the add-on with the duckdns domains only first, it grabbed a valid cert for that, and now won’t renew with my custom domain as a SAN because there’s no way to force it?

Did this finally resolve itself when your original certificate expired? Or did it just randomly start working?

With your custom domain in the domains list how is it answering the let’s encrypt challenge?

Obviously it used the duckdns token to authenticate with duckdns to update the dns txt records there… but the add-on has no way of authenticating with my other dns provider, so i don’t see how this could ever succeed…

Their documentation is very unclear… hoping you might have some wisdom for me.

1 Like
12

Ya… well… woke up one day and couldn’t connect via anything to HA because the cert hadn’t renewed. Nice idea but this is way too flakey for anyone with a domain. I manage dozens of SSL certs, and most of them are being transitioned to LE. This is just too much of a black box of mystery to be worth me trying to troubleshoot. I’m back to HTTP only until I set up my own cert. I have no need/use for DuckDNS, except it was supposed to be how to get the LE cert. Except it doesn’t.

13

Hi, exactly same prob here. Did you get anywhere with it?
I also had it running on a duckdns.org subdomain before I added my own domain.

I don’t understand how on earth it would ever work since there is no way HA can update a txt record on my domain - so I’m not surprised it failing, but no idea how it should work???

OK + Responding to challenge for blah.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.blah.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9979550384/vNZa9w",
  "token": "X9uZofds60Qi38qIEDqSdoZRtpacfl4eAav3dXqShlQ"
})

Config

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: blah blah
domains:
  - blah.duckdns.org
  - ha.blah.net
aliases:
  - domain: ha.blah.net
    alias: blah.duckdns.org
seconds: 300

My DNS is fine.

Any suggestions welcome.

Thanks :slight_smile:

14

After a lot of messing, I finally found the solution. An additional CNAME is needed to point to

*.ha.mydomain.com

as well as

ha.mydomain.com

both pointing to mydomain.duckdns.org

Thanks to wgrziwa in this post: https://github.com/home-assistant/addons/issues/1331#issuecomment-641191812

3 Likes
15

@Kitkat

Today, you are my favorite person. That worked immediately.

I had put this problem on the backburner since life has been pretty busy - was resorting to accessing my instance from my duckdns url for now. Good find, and thank you for updating this thread.

Cheers! :beer:

1 Like
16

Had a ton more problems when the cert didn’t renew last night. But seem to have fixed it by adding another CNAME:

_acme-challenge.mydomain.com

pointing to

_acme-challenge.mydomain.duckdns.org

Not sure why the *.mydomain stopped working, but adding the above and then rebooting got me up and running again.

1 Like
17

Same problem - hopefully same solution. I updated my records, but they seem to be taking a while to propagate or my HA instance is caching old info.

18

Tried the solutions above and it STILL won’t work. So friggin tired of it. Any other way of fixing this? I was considering to let nginx proxy manager request the ceritficates instead and somehow copy the darn files so that HA and addons can use them, but it seems like a messy solution.

19

I can only encourage you to stick at it. I followed the instructions about 3 or 4 times before they worked. I’m still unclear what/if I did anything different the last time but it did eventually work and the certificates have been fine for a number of months since.

21

I’m somewhat uncertain. This is what I have set now based on the above. It does not all quite make sense to me really but still.

Screenshot 2021-12-27 at 20.55.19
Screenshot 2021-12-27 at 20.55.191682×144 14.7 KB

Screenshot 2021-12-27 at 20.55.13
Screenshot 2021-12-27 at 20.55.131682×274 37.3 KB

Screenshot 2021-12-27 at 20.55.09
Screenshot 2021-12-27 at 20.55.091714×152 17.7 KB

22

Now tried waiting and redoing it all, nothing helps. Any idea what to do?

23

Hi,

Same here, every 3 months I have cert renewal problems, but I have found a procedure that has worked twice in a row now…

Just been through it again and its just worked again fine.

Good luck.

4 Likes
24

I found the same solution just now. FINALLY. It’s a shitty solution as it kills automatic renewal, but at least we get it working.

25

but removing the aliases definition renews the certificate for the duckdns not the custom domain right?

26

Edit:

Due to the lack of updates and unstable working of this add-on I have recently moved to an alternative add-on offered by the HomeAssistant Community Nginx Proxy Manager. Works like a charm and combines the Let’s Encrypt certificate requests and the DuckDNS updates as well into one tool! :blush:

Original post:

After struggling as well with this every 3 months, here’s my current set-up and process for manually renewing the certificates.

1. Add-on Duck DNS (Let’s Encrypt support)

domains:
- ha-customdomain.duckdns.org
token: *******-****-****-************
aliases:
- domain: ha.customdomain.eu
  alias: ha-customdomain.duckdns.org
lets_encrypt:
accept_terms: true
algo: secp384r1
certfile: fullchain.pem
keyfile: privkey.pem
seconds: 300

2. Add-on NGINX Home Assistant SSL proxy

domain: ha.customdomain.eu
hsts: ""
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
active: true
default: nginx_proxy_default*.conf
servers: nginx_proxy/*.conf

3. configuration.yaml

Make sure you include the below options within your homeassistant configuration file. Note that the use of http\base_url is deprecated. (article)

...
homeassistant:
  external_url: https://ha.customdomain.eu  # Set external vhost
  internal_url: http://[local_ip]:8123 # Replace with your local ip

# HTTP listeners configuration
http:
  # base_url: http://[local_ip]:8123
  #  ssl_certificate: /ssl/fullchain.pem
  #  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
...

4. DNS Zone customdomain.eu

*.ha.customdomain.eu.           CNAME   ha-customdomain.duckdns.org.   #ttl 60
ha.customdomain.eu.             CNAME   ha-customdomain.duckdns.org.   #ttl 60

5. Firewall Inbound Destination NAT

public_ip:443 TRANSLATES_TO internal_ip:443

6. Procedure to renew SSL certificate

  • Modify the configuration of add-on Duck DNS by clearing the aliases

    domains:
- ha-customdomain.duckdns.org
token: *******-****-****-************
aliases: []
lets_encrypt:
accept_terms: true
algo: secp384r1
certfile: fullchain.pem
keyfile: privkey.pem
seconds: 300

  • Restart the addon and wait for the certificate to renew for your *.duckdns.org domain

  • Recover your original configuration of add-on Duck DNS by setting the aliases again for your custom domain:

    domains:
- ha-customdomain.duckdns.org
token: *******-****-****-************
aliases:
- domain: ha.customdomain.eu
  alias: ha-customdomain.duckdns.org
lets_encrypt:
accept_terms: true
algo: secp384r1
certfile: fullchain.pem
keyfile: privkey.pem
seconds: 300

  • Try renewing your certificate again, whilst including your custom domain as a SAN. This might take upto 3 times before being effective.

  • Once the certificate has been renewed you will need to restart the add-on NGINX Home Assistant SSL proxy, so it can pick up the new certificate from /ssl/fullchain.pem as well.

2 Likes
27

Awaiting fix which is ready to merge:

Fix DuckDNS Lets Encrypt certificate creation/renewal failing with “Incorrect TXT record” error by lildude · Pull Request #2662 · home-assistant/addons (github.com)

1 Like
28

Wonderful news.
The PR is already approved. What would be the next steps so that is merged and released as an update for the addon?
My renew is near and would be great to have it a run to confirm it’s fixed.
Thanks!

1 Like
29

You could wait for the repository owner on Github to finally merge it. I have no idea why it is taking this long, maybe he is working on his own fix for it…

If you don’t want to wait you could always fork his repo and migrate/port the add-on to HACS so you can implement your own version with the fix in place already.

1 Like