LetsEncrypt in DuckDNS - Fails with Incorrect TXT

And the cert with the SANs: (screenshot 2020-06-18_22-04-49, not reproduced here)

I’m having very similar issues. I THINK my issue is that I configured the add-on with the duckdns domains only first, it grabbed a valid cert for that, and now won’t renew with my custom domain as a SAN because there’s no way to force it?

Did this finally resolve itself when your original certificate expired? Or did it just randomly start working?

With your custom domain in the domains list how is it answering the let’s encrypt challenge?

Obviously it used the duckdns token to authenticate with duckdns to update the dns txt records there… but the add-on has no way of authenticating with my other dns provider, so I don’t see how this could ever succeed…

Their documentation is very unclear… hoping you might have some wisdom for me.

1 Like

Ya… well… woke up one day and couldn’t connect via anything to HA because the cert hadn’t renewed. Nice idea but this is way too flaky for anyone with a domain. I manage dozens of SSL certs, and most of them are being transitioned to LE. This is just too much of a black box of mystery to be worth me trying to troubleshoot. I’m back to HTTP only until I set up my own cert. I have no need/use for DuckDNS, except it was supposed to be how to get the LE cert. Except it doesn’t.

Hi, exactly same prob here. Did you get anywhere with it?
I also had it running on a duckdns.org subdomain before I added my own domain.

I don’t understand how on earth it would ever work since there is no way HA can update a txt record on my domain - so I’m not surprised it’s failing, but no idea how it should work???

OK + Responding to challenge for blah.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.blah.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9979550384/vNZa9w",
  "token": "X9uZofds60Qi38qIEDqSdoZRtpacfl4eAav3dXqShlQ"
})

Config

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: blah blah
domains:
  - blah.duckdns.org
  - ha.blah.net
aliases:
  - domain: ha.blah.net
    alias: blah.duckdns.org
seconds: 300

My DNS is fine.

Any suggestions welcome.

Thanks :slight_smile:

After a lot of messing, I finally found the solution. An additional CNAME is needed to point to

*.ha.mydomain.com

as well as

ha.mydomain.com

both pointing to mydomain.duckdns.org

Thanks to wgrziwa in this post: https://github.com/home-assistant/addons/issues/1331#issuecomment-641191812

3 Likes

@Kitkat

Today, you are my favorite person. That worked immediately.

I had put this problem on the backburner since life has been pretty busy - was resorting to accessing my instance from my duckdns url for now. Good find, and thank you for updating this thread.

Cheers! :beer:

1 Like

Had a ton more problems when the cert didn’t renew last night. But seem to have fixed it by adding another CNAME:

_acme-challenge.mydomain.com

pointing to

_acme-challenge.mydomain.duckdns.org

Not sure why the *.mydomain stopped working, but adding the above and then rebooting got me up and running again.

1 Like
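
Both DNS fixes posted above, the wildcard CNAME and the explicit _acme-challenge CNAME, work for the same reason: for a dns-01 challenge Let’s Encrypt looks up the TXT record at _acme-challenge.<name>, following CNAMEs as it goes, and a CNAME at ha.blah.net does not cover the names underneath it, so without one of those extra records the lookup ends in exactly the NXDOMAIN shown in the log earlier in the thread. The following is an added example written for this page, not code from the DuckDNS add-on, dehydrated or any poster: a miniature resolver over constructed records that reproduces that NXDOMAIN, shows each fix validating, and flags a stale TXT value of the kind a slow-propagating record change leaves behind. The zone names, address and TXT value are constructed, and DuckDNS is modelled as answering the same TXT for the duckdns name and any label below it, which is an assumption rather than something taken from the page.

```python
"""
Added example for this thread (not code from the DuckDNS add-on, dehydrated or
any poster): a miniature DNS resolver over constructed records that shows what
the Let's Encrypt dns-01 check sees at _acme-challenge.<custom domain> with and
without the CNAMEs described in the thread. Names, the address and the TXT
value are constructed; DuckDNS is modelled as serving the same TXT for the
duckdns name and every label under it (an assumption about DuckDNS).
"""
from __future__ import annotations

# owner name (lowercase, no trailing dot) -> {record type: value}
Zone = dict[str, dict[str, str]]

TXT_VALUE = "constructed-key-authorization-digest"  # what the add-on publishes via DuckDNS

DUCKDNS: Zone = {
    "blah.duckdns.org": {"A": "203.0.113.10", "TXT": TXT_VALUE},
    "*.blah.duckdns.org": {"TXT": TXT_VALUE},  # assumption, see module docstring
}


def custom_zone(*extra: tuple[str, str, str]) -> Zone:
    """blah.net as the first poster had it (ha.blah.net -> duckdns), plus extra records."""
    zone: Zone = {"ha.blah.net": {"CNAME": "blah.duckdns.org"}}
    for name, rtype, value in extra:
        zone.setdefault(name, {})[rtype] = value
    return {**DUCKDNS, **zone}


def _find(zone: Zone, name: str) -> dict[str, str] | None:
    """Exact match, else RFC 4592-style wildcard synthesis at the closest encloser."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in zone:
            return zone["*." + ancestor]
        # An ancestor that exists (with records, or as an empty non-terminal)
        # is the closest encloser; no wildcard above it may match.
        if ancestor in zone or any(n.endswith("." + ancestor) for n in zone):
            return None
    return None


def resolve(zone: Zone, name: str, rtype: str, max_chain: int = 8) -> tuple[str, str | None]:
    """Return (rcode, value), following CNAMEs the way the CA's resolver does."""
    name = name.lower().rstrip(".")
    for _ in range(max_chain):
        rrset = _find(zone, name)
        if rrset is None:
            return "NXDOMAIN", None
        if rtype in rrset:
            return "NOERROR", rrset[rtype]
        if "CNAME" in rrset:
            name = rrset["CNAME"].lower().rstrip(".")
            continue
        return "NODATA", None  # name exists but has no record of this type
    return "SERVFAIL", None  # CNAME chain too long or looping


def dns01_check(zone: Zone, fqdn: str, expected: str) -> str:
    """Verdict for what the CA will find at _acme-challenge.<fqdn>."""
    rcode, value = resolve(zone, f"_acme-challenge.{fqdn}", "TXT")
    if rcode == "NXDOMAIN":
        return f"NXDOMAIN: nothing answers for _acme-challenge.{fqdn}; add a CNAME"
    if rcode != "NOERROR":
        return rcode
    if value != expected:
        return "TXT mismatch: stale record or wrong CNAME target (check TTL/propagation)"
    return "ok"


# Scenarios (all constructed)
BROKEN = custom_zone()  # the first poster's zone: only ha.blah.net -> duckdns
WILDCARD = custom_zone(("*.ha.blah.net", "CNAME", "blah.duckdns.org"))
EXPLICIT = custom_zone(("_acme-challenge.ha.blah.net", "CNAME",
                        "_acme-challenge.blah.duckdns.org"))
STALE = custom_zone(("_acme-challenge.ha.blah.net", "TXT", "left-over-from-last-attempt"))

if __name__ == "__main__":
    for label, zone in [("no CNAME", BROKEN), ("wildcard CNAME", WILDCARD),
                        ("_acme-challenge CNAME", EXPLICIT), ("stale TXT", STALE)]:
        print(f"{label:22} -> {dns01_check(zone, 'ha.blah.net', TXT_VALUE)}")
```

dns01_check() is the pre-flight to run (against real DNS, with dig or a resolver library) before restarting the add-on again: NXDOMAIN means the CNAME is missing at the custom registrar, while a mismatch means a cached or wrongly targeted record, where waiting out the TTL is the right move rather than another retry.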

Same problem - hopefully same solution. I updated my records, but they seem to be taking a while to propagate or my HA instance is caching old info.

Tried the solutions above and it STILL won’t work. So friggin tired of it. Any other way of fixing this? I was considering to let nginx proxy manager request the certificates instead and somehow copy the darn files so that HA and addons can use them, but it seems like a messy solution.

I can only encourage you to stick at it. I followed the instructions about 3 or 4 times before they worked. I’m still unclear what/if I did anything different the last time but it did eventually work and the certificates have been fine for a number of months since.

I’m somewhat uncertain. This is what I have set now based on the above. It does not all quite make sense to me really but still.



Now tried waiting and redoing it all, nothing helps. Any idea what to do?

Hi,

Same here, every 3 months I have cert renewal problems, but I have found a procedure that has worked twice in a row now…

Just been through it again and its just worked again fine.

Good luck.

4 Likes

I found the same solution just now. FINALLY. It’s a shitty solution as it kills automatic renewal, but at least we get it working.

but removing the aliases definition renews the certificate for the duckdns domain, not the custom domain, right?

Edit:


Due to the lack of updates and unstable working of this add-on I have recently moved to an alternative add-on offered by the Home Assistant Community, Nginx Proxy Manager. Works like a charm and combines the Let’s Encrypt certificate requests and the DuckDNS updates as well into one tool! :blush:

Original post:


After struggling as well with this every 3 months, here’s my current set-up and process for manually renewing the certificates.

1. Add-on Duck DNS (Let’s Encrypt support)

domains:
  - ha-customdomain.duckdns.org
token: *******-****-****-************
aliases:
  - domain: ha.customdomain.eu
    alias: ha-customdomain.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

2. Add-on NGINX Home Assistant SSL proxy

domain: ha.customdomain.eu
hsts: ""
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

3. configuration.yaml

Make sure you include the options below in your homeassistant configuration file. Note that the use of http: base_url is deprecated. (article)

...
homeassistant:
  external_url: https://ha.customdomain.eu  # Set external vhost
  internal_url: http://[local_ip]:8123 # Replace with your local ip

# HTTP listeners configuration
http:
  # base_url: http://[local_ip]:8123
  #  ssl_certificate: /ssl/fullchain.pem
  #  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
...

4. DNS Zone customdomain.eu

*.ha.customdomain.eu.           CNAME   ha-customdomain.duckdns.org.   #ttl 60
ha.customdomain.eu.             CNAME   ha-customdomain.duckdns.org.   #ttl 60

5. Firewall Inbound Destination NAT

public_ip:443 TRANSLATES_TO internal_ip:443

6. Procedure to renew SSL certificate

  • Modify the configuration of add-on Duck DNS by clearing the aliases

    domains:
      - ha-customdomain.duckdns.org
    token: *******-****-****-************
    aliases: []
    lets_encrypt:
      accept_terms: true
      algo: secp384r1
      certfile: fullchain.pem
      keyfile: privkey.pem
    seconds: 300
    
    
  • Restart the addon and wait for the certificate to renew for your *.duckdns.org domain

  • Recover your original configuration of add-on Duck DNS by setting the aliases again for your custom domain:

    domains:
      - ha-customdomain.duckdns.org
    token: *******-****-****-************
    aliases:
      - domain: ha.customdomain.eu
        alias: ha-customdomain.duckdns.org
    lets_encrypt:
      accept_terms: true
      algo: secp384r1
      certfile: fullchain.pem
      keyfile: privkey.pem
    seconds: 300
    
  • Try renewing your certificate again, whilst including your custom domain as a SAN. This might take up to 3 times before being effective.

  • Once the certificate has been renewed you will need to restart the add-on NGINX Home Assistant SSL proxy, so it can pick up the new certificate from /ssl/fullchain.pem as well.

2 Likes
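
Once the procedure above has produced a new /ssl/fullchain.pem, the two things worth confirming before trusting it for another three months are that the custom domain is actually in the SAN list (the earlier question about a renewal covering only the duckdns name) and that the expiry date really moved. The following is an added example for this page, not code from either add-on or from any poster: a Python wrapper around the openssl command line that answers both questions, plus a constructed self-signed secp384r1 certificate (the same curve as the algo setting above) used as a stand-in so the check can be exercised offline. The paths, hostnames and the 14-day threshold are assumptions; on a real install point it at a copy of /ssl/fullchain.pem. It requires the openssl CLI (1.1.1 or newer, for -addext when building the stand-in).

```python
"""
Added example, not code from the DuckDNS add-on, the NGINX add-on or anyone in
the thread: confirm that the certificate the NGINX add-on will serve actually
carries the custom domain as a SAN and has enough lifetime left. Uses the
openssl CLI via subprocess. Paths and hostnames are assumptions; make_demo_cert()
builds a constructed self-signed stand-in so the check can run offline.
"""
from __future__ import annotations

import os
import re
import subprocess
import tempfile


def cert_sans(pem_path: str) -> list[str]:
    """DNS names from the subjectAltName of the first certificate in the PEM file."""
    out = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-text"],
        capture_output=True, text=True, check=True,
    ).stdout
    # -text prints the SAN as "DNS:a, DNS:b"; pull the names out of that line
    return re.findall(r"DNS:([^\s,]+)", out)


def cert_valid_for_days(pem_path: str, days: int) -> bool:
    """True if the certificate is still valid `days` from now (openssl -checkend)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-checkend", str(days * 86400)],
        capture_output=True, text=True,
    )
    return proc.returncode == 0  # non-zero means it expires inside the window


def check_deployed_cert(pem_path: str, required: list[str], min_days: int = 14) -> list[str]:
    """Problems a renewal left behind; an empty list means the cert is fine to serve."""
    problems: list[str] = []
    sans = cert_sans(pem_path)
    for name in required:
        if name not in sans:  # renewed for the duckdns name only?
            problems.append(f"{name} missing from SAN list {sans}")
    if not cert_valid_for_days(pem_path, min_days):
        problems.append(f"expires within {min_days} days; renewal did not happen")
    return problems


def make_demo_cert(directory: str, sans: list[str], days: int = 30) -> str:
    """Constructed stand-in for /ssl/fullchain.pem: a self-signed secp384r1 cert."""
    cert = os.path.join(directory, "fullchain.pem")
    key = os.path.join(directory, "privkey.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-newkey", "ec",
         "-pkeyopt", "ec_paramgen_curve:secp384r1",
         "-keyout", key, "-out", cert, "-days", str(days),
         "-subj", f"/CN={sans[0]}",
         "-addext", "subjectAltName=" + ",".join(f"DNS:{s}" for s in sans)],
        capture_output=True, check=True,
    )
    return cert


def demo(sans: list[str], required: list[str], days: int = 30) -> list[str]:
    """Build a constructed cert with these SANs and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_deployed_cert(make_demo_cert(tmp, sans, days), required)


if __name__ == "__main__":
    # Hostnames as used in the thread's log; both are assumptions here.
    print("full renewal:", demo(["blah.duckdns.org", "ha.blah.net"], ["ha.blah.net"]))
    print("duckdns only:", demo(["blah.duckdns.org"], ["ha.blah.net"]))
    print("about to expire:", demo(["blah.duckdns.org", "ha.blah.net"], ["ha.blah.net"], days=5))
```

Run check_deployed_cert() against a copy of /ssl/fullchain.pem from any machine that can read it: an empty list means the NGINX add-on can be restarted to pick the certificate up, and a non-empty one means the renewal has to be rerun before that restart, which is exactly the situation the "cert hadn’t renewed" post earlier in the thread describes.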

Awaiting fix which is ready to merge:

Fix DuckDNS Lets Encrypt certificate creation/renewal failing with “Incorrect TXT record” error by lildude · Pull Request #2662 · home-assistant/addons (github.com)

1 Like

Wonderful news.
The PR is already approved. What would be the next steps so that is merged and released as an update for the addon?
My renew is near and would be great to have it a run to confirm it’s fixed.
Thanks!

1 Like

You could wait for the repository owner on GitHub to finally merge it. I have no idea why it is taking this long, maybe he is working on his own fix for it…

If you don’t want to wait you could always fork his repo and migrate/port the add-on to HACS so you can implement your own version with the fix in place already.

1 Like

Unfortunately the proposed fix raises other issues for some use cases. This will probably result in the PR not being merged.