addons: Duck DNS addon does not renew certificate
Describe the issue you are experiencing
Every time this plugin may renew the certificate, it fails! So every three months I have to try to play with this plugin = it is completely unusable, I can do it manually.
I am getting this: Incorrect TXT record
What type of installation are you running?
Home Assistant Supervised
Which operating system are you running on?
Home Assistant Operating System
Which add-on are you reporting an issue with?
Duck DNS
What is the version of the add-on?
1.14.0
Steps to reproduce the issue
Set up plugin with alias -> worked, got certificate.
When renewal period occurs, renewal failed.
Anything in the Supervisor logs that might be useful for us?
No response
Anything in the add-on logs that might be useful for us?
Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for my-ha.duckdns.org
+ Handling authorization for my-ha.cooldomain.cz
+ 2 pending challenge(s)
+ Deploying challenge tokens...
OKOK + Responding to challenge for my-ha.duckdns.org authorization...
+ Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/114079207846/9uci7g"
["token"] "mtVWXobHYyfKU8XgjdLUYj6ebiZNqZ89Dh2kYpfLS7g"
["validated"] "2022-05-30T05:50:26Z")
[07:55:30] INFO: OK
Additional information
I have tried to remove aliases completely but I can't save the configuration because of the error: Failed to save add-on configuration, Invalid list for option 'aliases' in Duck DNS (core_duckdns). Got {'domains': ['pnrqvy-ha.duckdns.org'], 'token': '0c79e13c-ecaa-478d-8da9-106e3cbb3239', 'aliases': {}, 'lets_encrypt': {'accept_terms': True, 'algo': 'secp384r1', 'certfile': 'fullchain2.pem', 'keyfile': 'privkey2.pem'}, 'seconds': 300}
I have tried to uninstall the plugin and configure it from scratch. No success.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 36 (1 by maintainers)
Can confirm that this is still an issue in 1.15.0…
Had to remove the alias, leaving an empty array ([]) and renew, then put the alias config back in. Both CNAME records are in place.
The related PR seems to have been approved one month ago. But the PR is still open and not merged. What can be done to make that happen, or what's the next step? Many thanks!
The issue here is dehydrated that is used for getting/renewing the certificates deploys the challenge tokens for all the domains and then performs the validation for each domain. This causes a problem with DuckDNS as it only has a single TXT record which will always be overwritten by the challenge for the last domain in the list.
You can see this sequence in the (slightly modified and annotated) output:
The behaviour is detailed in dehydrated's troubleshooting.md.
The workaround detailed here is effectively doing what is detailed in this comment.
PR to fix this coming in a mo.
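The ordering problem described in the comment above, modelled as an added example (not code from the add-on, from dehydrated, or from any commenter). `SingleTxtZone`, the thumbprint and the tokens are constructed for illustration, and the per-domain ordering is an assumed alternative, not the fix in the PR.

```python
import base64
import hashlib

# Constructed sample data: account-key thumbprint and per-domain ACME tokens.
THUMBPRINT = "constructed-account-key-thumbprint"
TOKENS = {
    "my-ha.duckdns.org": "constructed-token-A",
    "my-ha.cooldomain.cz": "constructed-token-B",  # alias, CNAMEd to the DuckDNS name
}


def txt_value(token):
    """dns-01 TXT value (RFC 8555): base64url(SHA-256(token.thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{THUMBPRINT}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class SingleTxtZone:
    """Hypothetical model of a provider holding one TXT value; each write replaces it."""

    def __init__(self):
        self.txt = None

    def deploy(self, value):
        self.txt = value

    def validate(self, expected):
        # The CA looks up _acme-challenge.<name>; every name resolves to the same slot.
        return "valid" if self.txt == expected else "invalid"


def deploy_all_then_validate(tokens):
    """Ordering described in the comment: deploy every token, then validate each."""
    zone = SingleTxtZone()
    for token in tokens.values():
        zone.deploy(txt_value(token))
    return {d: zone.validate(txt_value(t)) for d, t in tokens.items()}


def deploy_validate_per_domain(tokens):
    """Assumed alternative: deploy, validate and clean one domain at a time."""
    zone = SingleTxtZone()
    results = {}
    for domain, token in tokens.items():
        zone.deploy(txt_value(token))
        results[domain] = zone.validate(txt_value(token))
        zone.txt = None  # cleanup step before the next domain's token is written
    return results
```

With the batch ordering the first domain fails with the last domain's value in the record, which matches the "Incorrect TXT record" error for my-ha.duckdns.org in the add-on log.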
This appears to be an ongoing issue. Workaround is to remove alias, restart plugin to generate certificate, and then re-add alias.
see: https://github.com/home-assistant/addons/issues/1331#issuecomment-1146531005
Another confirmation that this rigmarole still occurs in 1.15.0
Confirming that this remains an issue with DuckDNS 1.15.0
It’s to the point now where I’m unable to use my OWN domain and am just using the DuckDNS domain to access my site.
I’m at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.
For those having problems with auto-renewal when using a custom alias, and having to do the manual workaround, I think I found another hacky way to do it… see https://github.com/home-assistant/addons/issues/1331#issuecomment-1722300924
Definitely not stale and still an issue in 1.15.0. Certificate is failing every 3 months like clockwork because the dns-01 challenges don’t work correctly with aliases on the duckdns add-on for home assistant.
Please merge the fix.