addons: duckdns can't obtain cert after upgrade to 1.12.5

The problem

After upgrading the add-on to version 1.12.5, it can't obtain a certificate.

Environment

  • Add-on with the issue: DuckDNS
  • Add-on release with the issue:
  • Last working add-on release (if known):
  • Operating environment (OS/Supervised): Home Assistant 2021.2.3

Problem-relevant configuration

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: duckdns_token
domains:
  - myownmane.duckdns.org
aliases:
  - domain: owndomain.com
    alias: myownmane.duckdns.org
seconds: 300

Traceback/Error logs

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[15:27:13] INFO: OK
185.124.168.108
NOCHANGE
[15:27:15] INFO: Renew certificate for domains: myownmane.duckdns.org and aliases: 
owndomain.com
# INFO: Using main config file /data/workdir/config
Processing owndomain.com with alternative names: myownmane.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for owndomain.com
 + Handling authorization for myownmane.duckdns.org
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for owndomain.com authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"_JSFK0dRBHcg1klisURl0aHdq1aCiZ_4imd8ZHupHhI\" found at _acme-challenge.owndomain.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/someints/somealphas",
  "token": "qNK-toen"
})

Additional information


All worked great before the upgrade.

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 17
  • Comments: 95 (4 by maintainers)

Most upvoted comments


I changed the hook.sh to print some debug information, so I’m 100% sure.

  1. Deploy TXT for ALIAS .dev
  2. Deploy TXT for DOMAIN a.duckdns.org
  3. Checking TXT for DOMAIN a.duckdns.org, failed because the ALIAS .dev TXT is on that system.

It's easy to change to acme.sh or getssl (removing dehydrated) and completely fix this issue.

Nope, still broken.

Same as before, removing the aliases and then adding them back temporarily resolves the issue (until the next renewal)

I am also hitting this issue. What is happening is that the addon is requesting challenges for both the alias(es) as well as the domain(s). The second challenge is overwriting the first challenge before the challenge validation is taking place, thus resulting in a failed validation.

As a temporary workaround

  1. Remove all the aliases from the config and let it just validate the Duckdns domains. This completes successfully.
  2. Put back the aliases into the config and let it re-validate all the domains. As the Duckdns domains are already validated, it will only deploy challenges to the Alias domains. This time it will complete successfully (if your alias domains point to different duckdns domains! In case more than one Alias point to the same Duckdns domain, you need to split step 2 into multiple steps and let it only validate one of the duplicate aliases at a time).

Edit: One downside of the current configuration design is that all the duckdns domains will be part of the certificate where previously I only had the domains in the Domain section as well as the Aliases on the certificate.

I can confirm the issue is still present as of today: the dns-01 challenge fails if you have aliases configured right from the first start of the extension.

The issue still persists with DuckDNS 1.14.0

I found the root cause: The upgrade of the dependency dehydrated.

Since dehydrated 0.6.0, dehydrated changed the domain validation strategy. Until that version, validation was sequential; it changed to validate in parallel.

Now they deploy all TXT records for all the domains, then validate all the domains. This fails because, when dehydrated starts to validate, we only have the last TXT record in duckdns.org.

dehydrated doesn't allow changing to the old strategy: https://github.com/dehydrated-io/dehydrated/blob/master/docs/troubleshooting.md#dns-invalid-challenge-since-dehydrated-060--why-are-dns-challenges-deployed-first-and-verified-later
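The two comments above (the one describing the second challenge overwriting the first, and this one about dehydrated ≥ 0.6.0 deploying every TXT record before verifying any) describe the same failure mode. The following is an added example, not code from the DuckDNS add-on or from dehydrated: it models a DNS provider that stores a single TXT value per backing name (as the thread describes duckdns.org behaving when an alias is a CNAME to a DuckDNS domain) and compares the deploy-all-then-verify strategy with the older one-at-a-time strategy. The domain names, challenge values and the `colliding_backings` pre-flight check are constructed for this illustration.

```python
"""Why a shared DuckDNS TXT record breaks parallel DNS-01 validation.

Added example (not the add-on's or dehydrated's code). Assumes a provider
that keeps exactly one TXT value per backing DuckDNS domain, so a second
deploy overwrites the first, and a CA that reads the alias's
_acme-challenge record through its CNAME to that backing domain.
"""
from dataclasses import dataclass, field


@dataclass
class DuckDnsLikeStore:
    """One TXT value per DuckDNS domain; deploying again overwrites it."""
    txt: dict = field(default_factory=dict)

    def deploy(self, duckdns_domain, value):
        self.txt[duckdns_domain] = value

    def clean(self, duckdns_domain):
        self.txt.pop(duckdns_domain, None)

    def lookup(self, duckdns_domain):
        return self.txt.get(duckdns_domain)


@dataclass(frozen=True)
class Challenge:
    name: str          # FQDN the CA is authorizing
    backing: str       # DuckDNS domain whose TXT record actually answers
    expected_txt: str  # value the CA will look for (constructed)


def validate(store, challenge):
    """CA side: query _acme-challenge.<name>; through the CNAME the answer is
    whatever TXT the backing DuckDNS domain currently holds."""
    return store.lookup(challenge.backing) == challenge.expected_txt


def run_parallel(store, challenges):
    """dehydrated >= 0.6.0 strategy: deploy every token first, verify later."""
    for c in challenges:
        store.deploy(c.backing, c.expected_txt)
    results = {c.name: validate(store, c) for c in challenges}
    for c in challenges:
        store.clean(c.backing)
    return results


def run_sequential(store, challenges):
    """Pre-0.6.0 strategy: deploy, verify and clean one authorization at a time."""
    results = {}
    for c in challenges:
        store.deploy(c.backing, c.expected_txt)
        results[c.name] = validate(store, c)
        store.clean(c.backing)
    return results


def colliding_backings(challenges):
    """Pre-flight check (hypothetical helper): which backing DuckDNS domains
    would have to answer for more than one name in a single renewal run."""
    by_backing = {}
    for c in challenges:
        by_backing.setdefault(c.backing, []).append(c.name)
    return {b: names for b, names in by_backing.items() if len(names) > 1}


# Constructed sample mirroring the issue: owndomain.com is an alias (CNAME)
# of myownmane.duckdns.org, so both authorizations share one TXT record.
SAMPLE = [
    Challenge("owndomain.com", "myownmane.duckdns.org", "txt-for-alias"),
    Challenge("myownmane.duckdns.org", "myownmane.duckdns.org", "txt-for-domain"),
]


if __name__ == "__main__":
    print("parallel  :", run_parallel(DuckDnsLikeStore(), SAMPLE))
    print("sequential:", run_sequential(DuckDnsLikeStore(), SAMPLE))
    print("collisions:", colliding_backings(SAMPLE))
```

With the parallel strategy the domain's token is written last, so the alias's authorization reads the wrong value and fails with exactly the "Incorrect TXT record" shape seen in the log above; the sequential strategy passes both. The `colliding_backings` check is the condition to look for in a configuration before a renewal run: any backing DuckDNS domain listed more than once will be affected, which is why the workaround of validating the duplicate aliases one at a time works.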

Still an issue.

Still an issue

Still not solved

@rruizGit sure, but the configs aren't rocket science. I'll provide a quick guide. Config details depend on the DNS provider (Supported DNS providers).

Let’s Encrypt documentation. It is a bit lengthy due to many supported DNS providers. Worth reading.

  1. Have Duck DNS and Let's Encrypt plugin installed.
  2. Have only one DNS rule - CNAME <your-domain> -> <domain>.duckdns.org. Can be proxied on Cloudflare. You can safely delete any other created for DuckDNS.
  3. DuckDNS config
lets_encrypt:
  accept_terms: false
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <SECRET>
domains:
  - <SECRET>.duckdns.org
aliases: []
seconds: 300
  4. Let's Encrypt config mostly depends on the DNS provider. I use Cloudflare with DNS challenge (it doesn't require any open ports, but requires a Cloudflare API token with Zone.DNS permission).
email: <SECRET>
domains:
  - <SECRET>
certfile: fullchain.pem
keyfile: privkey.pem
challenge: dns
dns:
  provider: dns-cloudflare
  cloudflare_api_token: <SECRET>

Let's Encrypt will create a temporary DNS entry for the challenge while recreating the certificate in this configuration.

As a bonus point, you should create a scheduled job for recreating the certificate. The renew process is run only on Let's Encrypt plugin start. Example solution.

3-year issue 😄

Still an issue

Any other ideas?

Is it not also possible to install DuckDNS with:

lets encrypt: accept_terms: false

AND install the let’s encrypt add-in to handle the cert? I read somewhere that let’s encrypt add-in doesn’t have this same problem.

Now my certs expired and DuckDNS 1.14.0 didn’t renew because of the alias, once again… It has not worked a single time. Fix from @Veldkornet doesn’t work on 1.14.0. It fetches the cert after removing aliases but after adding the alias back and restarting the addon it doesn’t fetch due to “Skipping renew!”.

Update: Restarting Home Assistant resolved the issue. Even though /ssl/fullchain.pem and /ssl/privkey.pem were updated, they were not applied until after the restart. Old cert cached somewhere?