addons: DuckDNS Alias domain fails dns-01 challenge
When trying the new alias option in DuckDNS addon-on, the following gets generated (redacted is a placeholder name for a real domain I use, <SNIP> is personally identifiable data I have redacted):
# INFO: Using main config file /data/workdir/config
Processing redacted.duckdns.org with alternative names: home.redacted.net
+ Checking domain name(s) of existing cert... changed!
+ Domain name(s) are not matching!
+ Names in old certificate: redacted.duckdns.org
+ Configured names: redacted.duckdns.org home.redacted.net
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Aug 18 09:02:44 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for redacted.duckdns.org
+ Found valid authorization for redacted.duckdns.org
+ Handling authorization for home.redacted.net
+ 1 pending challenge(s)
+ Deploying challenge tokens...
OK + Responding to challenge for home.redacted.net authorization...
+ Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.redacted.net - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<SNIP>/<SNIP>",
"token": "<SNIP>"
})
I have added the following CNAME record to my redacted.net domain:
home >> redacted.duckdns.org
The configuration I am using is as follows:
lets_encrypt:
accept_terms: true
certfile: fullchain.pem
keyfile: privkey.pem
token: <SNIP>
domains:
- redacted.duckdns.org
- home.redacted.net
aliases:
- domain: home.redacted.net
alias: redacted.duckdns.org
seconds: 300
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 13
- Comments: 57 (4 by maintainers)
Commits related to this issue
- Update DOCS.md Add instruction to make aliases work. Addressing the following issue https://github.com/home-assistant/hassio-addons/issues/1331 — committed to paalex/hassio-addons by paalex 4 years ago
- Update DOCS.md Add instruction to make aliases work. Addressing the following issue https://github.com/home-assistant/hassio-addons/issues/1331 — committed to paalex/hassio-addons by paalex 4 years ago
- š Fix problems with alias domains and dns-01 challenge (#1785) * š Fix problems with alias domains and dns-01 challenge And add some documentation to clarify a bit. Resolves #1331 * Fix li... — committed to home-assistant/addons by RyanMeulenkamp 3 years ago
- š Fix problems with alias domains and dns-01 challenge (#1785) * š Fix problems with alias domains and dns-01 challenge And add some documentation to clarify a bit. Resolves #1331 * Fix li... — committed to wernerhp/addons by RyanMeulenkamp 3 years ago
- š Fix problems with alias domains and dns-01 challenge (#1785) * š Fix problems with alias domains and dns-01 challenge And add some documentation to clarify a bit. Resolves #1331 * Fix li... — committed to liads/home-assistant-addons by RyanMeulenkamp 3 years ago
Quote by wgrziwa ā¬
You are definitely right! Your answer helped me a lot figuring out this issue. This seems to be a bug in the addon that should be fixed. After hours of fiddling around these following steps allowed me to set an alias for my duckdns.org domain:
Let us imagine the following:
You have a domain
example.duckdns.organd you have the domainexample.comand want to access your home assistant viahome.example.com.Short Guide
*.homeandhomepointing toexample.duckdns.orghttpsection to yourconfigurations.yamland set your alias domain as yourbase_urlDetailled Guide
Log output should be:
Log output should be:
configurations.yamlfile:These steps will definitely work with everybody!
Have fun š
P.S.: Donāt forget forwarding your local port 8123 to 443 in your router š
Source: https://gist.github.com/mansouryaacoubi/6774911fe2ffa60fac7738913aae34e2
I found a hacky work-around for this issue:
xxx.duckdns.org: This is the domain that will be used for the dns-01 challenge on your DuckDNS hostname. ItsArecord will point to your home IP.xxx-alias.duckdns.org: This is the domain that will be used for the dns-01 challenge on your custom alias. ItsArecord does not matter - you can manually set it to something like127.0.0.1CNAMErecord for accessing HomeAssistant, e.g.:home.yourdomain.com CNAME xxx.duckdns.orgCNAMErecord for the ACME challengeTXTrecord, e.g.:_acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.orghome.yourdomain.comandxxx.duckdns.org, and which will successfully auto-renew.If youāre curious why this works, itās because we are able to trick the add-on into using two independent
TXTrecords for the two ACME challenges, rather than fighting over a single record: a) This code only processesaliasesconfig that has a matching entry in thedomainslist. That is why we need the first entry in thealiaseslist, it serves no other purpose. b) This code is what actually maps your custom alias to a DuckDNS domain name, when updating theTXTrecord for the ACME challenge. It picks whatever the last matching entry is, so it mapshome.yourdomain.com -> xxx-alias.duckdns.org, and updates thatTXTrecord. This matches our earlier DNS configuration for_acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org.Hopefully this workaround doesnāt get broken until we have another viable solution.
A cleaner solution might be to clear our the
TXTrecords inhook.sh#startup_hook, and then append to them inhook.sh#deploy_challengerather than overwriting them. If the maintainers are interested, I could have a go at preparing a PR, but there doesnāt seem to be much interest in fixing thisā¦I was struggling with this for a while on my home assistant instance which has been left offline for months.
mansouryaacoubiās guide helped me. I already had everything working before, but kept getting the āinvalid TXTā error. Replacing aliases with [], restarting, letting it generate the cert, and then adding my aliases back solved it. I think this is still a bug in DuckDNS. It should not have been necessary to remove and re-add aliases
I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use ha.mydomain.com but also for *.ha.mydomain.com
I donāt know much about the inner workings of the letās encrypt authentication but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to useā¦ Does this make sense?
Maybe the instructions could be updated to reflect that?
Iāve tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).
See below for the config + DNS records that worked for me:
Still an issue in Current version: 1.15.0. Any chance this issue ticket can be reopened to bring attention back?
This is exactly what is missing from the documentation. Having two CNAME records is what is required to get the alias DNS challenge to work:
Thank you. Great find.
This issue needs to be reopened for a proper fix. By closing it we are accepting this solution which indeed works however is not an acceptable long term solution.
This remains an issue with DuckDNS 1.15.0
Itās to the point now where Iām unable to use my OWN domain and am just using the DuckDNS domain to access my site.
Iām at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.
I originally suggested that the additional wildcard DNS entry for my alias domain solved the issue for me. Now after my certificate expired I have to report that it didnāt fix the issue but I have a workaround.
I believe the reason for the failure is that both - the duckdns AND the alias domain - point to the same IP address and there are two challenges to be fulfilled by letsencrypt the txt record of one of the challenges will be incorrect.
My workaround is a two step process which unfortunately wonāt allow the automatic renewal when using the alias:
Not sure who maintains the plugin but a possible software fix could be: If multiple challenges are required setup one TXT record for the first challenge and after successful validation do the same for the second challenge.
I hope this can help someone else in a similar situation.
Just happened here on 2 HA servers running 1.15.0 of the DuckDNS Plugin.
Had to remove my alias, restart the plugin, and then re-add the alias.
Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I canāt find any way to have both domains supported.
I tried that many times, but the issue remains.
@sigo 's configuration worked after I changed it to this:
At least the challenge part that is.
Edit: now I canāt update duckdns anymore. Whenever I add my own domain to the
domainssection, it fails to update. My guess is that it tries to update the IP for my own domain as well, while it isnāt a known one for duckdns. Also, on my own domain I still get certificate errors.Iāve experimented for few hours and I can confirm few things.
<name>.duckdns.orgentry fromdomains. It cause not updating IP address. So duckdns functionality changes from DynamicDNS (DDNS) to standard DNS.Back to the issue: you need redirect Lets Encrypt to duckdns when challenging your domain.
You can read on https://letsencrypt.org/docs/challenge-types/#dns-01-challenge:
So you can create CNAME wildcard or just simply create CNAME for
_acme-challengesubdomain. So finally, addon config can looks this:And your DNS:
And this is sufficient.
Keep in mind: if your DNS provider support any proxying (like cloudflare) you must keep it disabled for
_acme-challengesubdomain. It can be enabled only for domain.Hope this helps and saves you some time.
While I find this workaround works initially, it has the unintended effect of the addon no longer updating the IP address of the duckdns subdomain. So there is no fully working workaround purely within home assistant. To fully get around this you will need some other device to update your IP address in duckdns like your router (I use pfsense). What I really wish is that the letās encrypt addon sans duckdns was more robust (I.E. included other services, Godaddy please) and then I wouldnāt need to use duckdns at all.
@thomashogema
As I mentioned above, if you leave the duckdns domain out of the ādomains:ā part of the config, the renewal will be successful.
So if you want to use your own domain and dont really care about accessing the duckdns domain itself, this is a good workaround.
After removing āduckdnsā from domains it worked for me too! Thanks š
@houbie & @mfncl99 The issue is the second duckdns domain. Simply leaving it out will result in a successful challenge. I agree that the duckdns addon seemingly sets the wrong txt record for the domain it is currently trying to validate. (i.e. for domain A while trying to validate domain B)
This worked for me: