Now tried waiting and redoing it all, nothing helps. Any idea what to do?
Kitkat (Amanda), January 7, 2022, 9:50pm
Hi,
Same here, every 3 months I have cert renewal problems, but I have found a procedure that has worked twice in a row now…
And exactly 3 months later autorenewal failed again.
But this time less messing about…
Remove the aliases, just replace them with `aliases: []`.
Restart the addon
Assuming it renewed ok, add the aliases back in
Restart the addon
Boom!!! Back in business.
Just been through it again and its just worked again fine.
Good luck.
I found the same solution just now. FINALLY. It's a shitty solution as it kills automatic renewal, but at least we get it working.
andreasc (andreas), October 18, 2022, 8:18pm
But removing the aliases definition renews the certificate for the duckdns domain, not the custom domain, right?
Edit:
Due to the lack of updates and unstable working of this add-on I have recently moved to an alternative add-on offered by the HomeAssistant Community: Nginx Proxy Manager. Works like a charm and combines the Let's Encrypt certificate requests and the DuckDNS updates as well into one tool!
Original post:
After struggling as well with this every 3 months, here's my current set-up and process for manually renewing the certificates.
1. Add-on Duck DNS (Let's Encrypt support)
```yaml
domains:
  - ha-customdomain.duckdns.org
token: *******-****-****-************
aliases:
  - domain: ha.customdomain.eu
    alias: ha-customdomain.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300
```
2. Add-on NGINX Home Assistant SSL proxy
```yaml
domain: ha.customdomain.eu
hsts: ""
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
```
3. configuration.yaml
Make sure you include the below options within your homeassistant configuration file. Note that the use of `http: base_url` is deprecated.
```yaml
...
homeassistant:
  external_url: https://ha.customdomain.eu  # Set external vhost
  internal_url: http://[local_ip]:8123      # Replace with your local ip
# HTTP listeners configuration
http:
  # base_url: http://[local_ip]:8123
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
...
```
4. DNS Zone customdomain.eu
```
*.ha.customdomain.eu.  CNAME  ha-customdomain.duckdns.org.  #ttl 60
ha.customdomain.eu.    CNAME  ha-customdomain.duckdns.org.  #ttl 60
```
5. Firewall Inbound Destination NAT
```
public_ip:443 TRANSLATES_TO internal_ip:443
```
6. Procedure to renew SSL certificate
Modify the configuration of add-on Duck DNS by clearing the aliases:
```yaml
domains:
  - ha-customdomain.duckdns.org
token: *******-****-****-************
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300
```
Restart the addon and wait for the certificate to renew for your *.duckdns.org domain
Recover your original configuration of add-on Duck DNS by setting the aliases again for your custom domain:
```yaml
domains:
  - ha-customdomain.duckdns.org
token: *******-****-****-************
aliases:
  - domain: ha.customdomain.eu
    alias: ha-customdomain.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300
```
Try renewing your certificate again, whilst including your custom domain as a SAN. This might take up to 3 times before being effective.
Once the certificate has been renewed you will need to restart the add-on NGINX Home Assistant SSL proxy as well, so it can pick up the new certificate from /ssl/fullchain.pem.
Wonderful news.
The PR is already approved. What would be the next steps so that is merged and released as an update for the addon?
My renew is near and it would be great to have it run to confirm it's fixed.
Thanks!
You could wait for the repository owner on Github to finally merge it. I have no idea why it is taking this long, maybe he is working on his own fix for it…
If you don't want to wait you could always fork his repo and migrate/port the add-on to HACS so you can implement your own version with the fix in place already.
Unfortunately the proposed fix raises other issues for some use cases. This will probably result in the PR not being merged.
home-assistant:master ← lildude:fix-duckdns-alias-renew, opened 12:15PM - 10 Sep 22 UTC
As detailed in https://github.com/home-assistant/addons/issues/2505, the DuckDNS… extension will fail to issue or renew a certificate and fail with the error "Incorrect TXT record"
```
Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for my-ha.duckdns.org
+ Handling authorization for my-ha.cooldomain.cz
+ 2 pending challenge(s)
+ Deploying challenge tokens...
OKOK + Responding to challenge for my-ha.duckdns.org authorization...
+ Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/114079207846/9uci7g"
["token"] "mtVWXobHYyfKU8XgjdLUYj6ebiZNqZ89Dh2kYpfLS7g"
["validated"] "2022-05-30T05:50:26Z")
[07:55:30] INFO: OK
```
As I've detailed in the issue https://github.com/home-assistant/addons/issues/2505#issuecomment-1242714582:
> The issue here is dehydrated that is used for getting/renewing the certificates deploys the challenge tokens for all the domains and then performs the validation for each domain.
>
> This causes a problem with DuckDNS as it only has a single TXT record which will always be overwritten by the challenge for the last domain in the list.
This PR fixes that by requesting the certificates sequentially for each of the aliases. This isn't ideal, but it does the trick and should be fine for most users. Users with a lot of domains or aliases might need to try a few times because of Let's Encrypt's rate limits, but I suspect there won't be many people hitting these.
Whilst I'm at it, I've also made the `OK` lines in the output clearer by adding more context to what the hooks are actually doing so the output now looks like this:
```
[13:10:21] INFO: Renew certificate for domains: example.duckdns.org and aliases: example.com
[13:10:21] INFO: No certificate found for example.duckdns.org, requesting new certificate.
# INFO: Using main config file /data/workdir/config
+ Creating chain cache directory /data/workdir/chains
Processing example.duckdns.org
+ Creating new directory /data/letsencrypt/example.duckdns.org ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for example.duckdns.org
+ 1 pending challenge(s)
+ Deploying challenge tokens...
OK - setting challenge token for example.duckdns.org
+ Responding to challenge for example.duckdns.org authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
OK - removing challenge token for example.duckdns.org
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
# INFO: Using main config file /data/workdir/config
Processing example.duckdns.org with alternative names: example.com
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: example.duckdns.org
+ Configured names: example.com example.duckdns.org
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Dec 9 11:10:28 2022 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for example.duckdns.org
+ Found valid authorization for example.duckdns.org
+ Handling authorization for example.com
+ 1 pending challenge(s)
+ Deploying challenge tokens...
OK - setting challenge token for example.com
+ Responding to challenge for example.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
OK - removing challenge token for example.com
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
```
And a renew attempt for an already valid certificate will look like this:
```
[13:11:37] INFO: Renew certificate for domains: example.duckdns.org and aliases: example.com
[13:11:37] INFO: Checking existing cert...
[13:11:37] INFO: Certificate still valid. Skipping renew!
```
I've also fixed an annoyance where first configuring the extension would always have an empty invalid domain name added.
Fixes https://github.com/home-assistant/addons/issues/2505
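The failure the PR description explains (dehydrated deploys every dns-01 token before validating any of them, and DuckDNS keeps a single TXT value that the last deploy overwrites) and the earlier "aliases: []" workaround both come down to how many challenges are pending at the moment the CA looks at the one TXT record. The Python model below is an added illustration, not code from the DuckDNS add-on, dehydrated, DuckDNS or Let's Encrypt; it replays the unpatched single-order flow, the PR's sequential flow and the manual workaround against a one-slot TXT store, and generalises to any number of aliases. It assumes that the CA reuses a still-valid authorization for a name it already validated (the "Found valid authorization" line in the PR's log), that dehydrated stops at the first invalid challenge (as in the thread's log), and it uses random strings in place of real ACME key authorizations; the hostnames and tokens are constructed for the example.

```python
"""Toy model of the DuckDNS / dehydrated dns-01 failure discussed in this thread.

Added illustration only. Assumptions (not taken from the real tools):
  * DuckDNS holds exactly one TXT value per account, so every hostname that
    CNAMEs to the DuckDNS name resolves to the same _acme-challenge value.
  * The CA caches a valid authorization per name across orders.
  * dehydrated deploys all tokens, then validates names in order and aborts
    at the first invalid challenge.
"""
import secrets


class DuckDNS:
    """Constructed stand-in for DuckDNS: a single TXT slot for all hostnames."""

    def __init__(self):
        self.txt = None

    def set_txt(self, value):
        self.txt = value  # the previous token is lost

    def clear_txt(self):
        self.txt = None


class CA:
    """Constructed stand-in for the ACME server's dns-01 validation."""

    def __init__(self, dns):
        self.dns = dns
        self.valid = set()  # names with a cached, still-valid authorization
        self.log = []

    def new_order(self, names):
        # One pending challenge per name that has no cached authorization.
        return {n: secrets.token_urlsafe(32) for n in names if n not in self.valid}

    def validate(self, name, token):
        # Whichever name is checked, the lookup lands on the one shared TXT value.
        found = self.dns.txt
        if found == token:
            self.valid.add(name)
            self.log.append(f"{name}: valid")
            return True
        self.log.append(f'{name}: Incorrect TXT record "{found}" found')
        return False


def order(ca, dns, names):
    """One dehydrated run: deploy every token, then validate each name in order."""
    pending = ca.new_order(names)
    for token in pending.values():
        dns.set_txt(token)  # each hook call overwrites the token before it
    # all() short-circuits, modelling dehydrated exiting at the first failure.
    ok = all(ca.validate(n, t) for n, t in pending.items())
    dns.clear_txt()
    return ok


def issue_in_one_order(primary, aliases):
    """Unpatched add-on: primary and all aliases in a single order."""
    dns = DuckDNS()
    ca = CA(dns)
    return order(ca, dns, [primary, *aliases]), ca.log


def issue_sequentially(primary, aliases):
    """PR's approach: one order per alias, each adding a single new name,
    so at most one challenge is ever pending against the single TXT slot."""
    dns = DuckDNS()
    ca = CA(dns)
    names = [primary]
    for alias in [None, *aliases]:
        if alias is not None:
            names.append(alias)
        if not order(ca, dns, names):
            return False, ca.log
    return True, ca.log


def workaround(primary, aliases):
    """Thread's manual fix: run once with 'aliases: []', then with them back.
    Works for one alias (only one pending challenge on the second run) but
    breaks again as soon as two or more aliases are pending together."""
    dns = DuckDNS()
    ca = CA(dns)
    ok = order(ca, dns, [primary]) and order(ca, dns, [primary, *aliases])
    return ok, ca.log


if __name__ == "__main__":
    for fn in (issue_in_one_order, issue_sequentially, workaround):
        ok, log = fn("my-ha.duckdns.org", ["ha.customdomain.eu"])
        print(f"{fn.__name__}: {'OK' if ok else 'FAILED'}")
        for line in log:
            print("  " + line)
```

Running it with one alias reproduces the thread: the single-order flow fails on the primary name with the alias's token in the TXT record, while both the sequential flow and the workaround succeed. With two aliases the workaround fails again on the second run, because two challenges are pending against one slot, whereas the sequential flow still succeeds, which is why the PR's per-alias ordering is the general fix and the manual procedure is not.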