Duck DNS addon do not renew certificate
Describe the issue you are experiencing
Every time when this plugin may renew the certificate it fails! So every three months I have to try to play with this plugin = it is completely unusable, I can do it manually.
I am getting this: Incorrect TXT record
What type of installation are you running?
Home Assistant Supervised
Which operating system are you running on?
Home Assistant Operating System
Which add-on are you reporting an issue with?
Duck DNS
What is the version of the add-on?
1.14.0
Steps to reproduce the issue
Setup plugin with alias -> worked, get certificate
When renewal period occurs renewal failed
Anything in the Supervisor logs that might be useful for us?
No response
Anything in the add-on logs that might be useful for us?
Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for my-ha.duckdns.org
+ Handling authorization for my-ha.cooldomain.cz
+ 2 pending challenge(s)
+ Deploying challenge tokens...
OKOK + Responding to challenge for my-ha.duckdns.org authorization...
+ Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/114079207846/9uci7g"
["token"] "mtVWXobHYyfKU8XgjdLUYj6ebiZNqZ89Dh2kYpfLS7g"
["validated"] "2022-05-30T05:50:26Z")
[07:55:30] INFO: OK
Additional information
I have tried to remove aliases completely but I can't save the configuration because of the error: Failed to save add-on configuration, Invalid list for option 'aliases' in Duck DNS (core_duckdns). Got {'domains': ['pnrqvy-ha.duckdns.org'], 'token': '0c79e13c-ecaa-478d-8da9-106e3cbb3239', 'aliases': {}, 'lets_encrypt': {'accept_terms': True, 'algo': 'secp384r1', 'certfile': 'fullchain2.pem', 'keyfile': 'privkey2.pem'}, 'seconds': 300}
I have tried to uninstall the plugin and configure it from scratch. No success.
I have the same problem with the 1.15.0 version.
This appears to be an ongoing issue. Workaround is to remove alias, restart plugin to generate certificate, and then re-add alias.
see: https://github.com/home-assistant/addons/issues/1331#issuecomment-1146531005
When removing aliases, don't just remove it; try adding aliases: [] to the config and specifically set it to an empty array. That should fix that validation error.
Can you share your config where you are trying to set the aliases though? You did follow all the directions here, right? Namely, add a CNAME record to the domain you own or a subdomain of it to the duckdns domain you're using. And another CNAME record for the _acme-challenge subdomain of that.
Can confirm that this is still an issue in 1.15.0..
Had to remove the alias, leaving an empty array ([]) and renew, then put the alias config back in. Both CNAME records are in place.
domains:
  - REDACTED.duckdns.org
token: REDACTED
aliases:
  - domain: homeassistant.REDACTED.ca
    alias: REDACTED.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 301
I have this issue also
I can confirm that this is still ongoing.
Confirming that this remains an issue with DuckDNS 1.15.0
It's to the point now where I'm unable to use my OWN domain and am just using the DuckDNS domain to access my site.
I'm at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.
The issue here is that dehydrated, which is used for getting/renewing the certificates, deploys the challenge tokens for all the domains and then performs the validation for each domain.
This causes a problem with DuckDNS as it only has a single TXT record which will always be overwritten by the challenge for the last domain in the list.
You can see this sequence in the (slightly modified and annotated) output:
Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for my-ha.duckdns.org
+ Handling authorization for my-ha.cooldomain.cz
+ 2 pending challenge(s)
+ Deploying challenge tokens...
OK # ===> Challenge for my-ha.duckdns.org written to duckdns TXT
OK # ===> Challenge for my-ha.cooldomain.cz written to duckdns TXT overwriting above
+ Responding to challenge for my-ha.duckdns.org authorization...
# ^==> Fails because TXT challenge is for my-ha.cooldomain.cz not my-ha.duckdns.org
+ Cleaning challenge tokens...
OK
OK
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "dns-01"
The behaviour is detailed in dehydrated's troubleshooting.md.
The workaround detailed here is effectively doing what is detailed in this comment.
PR to fix this coming in a mo.
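The ordering problem described in the comment above, as an added example (not code from dehydrated or the add-on). The `SingleTxtZone` class, the tokens and the account thumbprint are constructed for illustration; only the domain names come from the log, and unlike dehydrated the model keeps going after the first failed validation so both results are visible.

```python
import base64
import hashlib

def txt_value(token: str, thumbprint: str) -> str:
    """dns-01 TXT value (RFC 8555): unpadded base64url(SHA-256(token.thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class SingleTxtZone:
    """Assumed model of a provider that stores one TXT value per account.
    The alias's _acme-challenge CNAME resolves to this same value."""
    def __init__(self):
        self.txt = ""
    def deploy(self, value: str) -> None:
        self.txt = value          # overwrites any earlier challenge
    def clean(self) -> None:
        self.txt = ""
    def lookup(self, name: str) -> str:
        return self.txt           # identical answer for every name

THUMBPRINT = "constructed-account-key-thumbprint"   # constructed sample
CHALLENGES = [                                       # constructed tokens
    ("my-ha.duckdns.org", txt_value("constructed-token-A", THUMBPRINT)),
    ("my-ha.cooldomain.cz", txt_value("constructed-token-B", THUMBPRINT)),
]

def deploy_all_then_validate(zone, challenges):
    """Order seen in the log: deploy every token, then validate each name."""
    for _, value in challenges:
        zone.deploy(value)
    results = {name: zone.lookup(name) == value for name, value in challenges}
    zone.clean()
    return results

def deploy_validate_each(zone, challenges):
    """Alternative order: deploy, validate and clean one name at a time."""
    results = {}
    for name, value in challenges:
        zone.deploy(value)
        results[name] = zone.lookup(name) == value
        zone.clean()
    return results

if __name__ == "__main__":
    print("deploy all, then validate:", deploy_all_then_validate(SingleTxtZone(), CHALLENGES))
    print("one name at a time:       ", deploy_validate_each(SingleTxtZone(), CHALLENGES))
```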
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
not stale - PR waiting to be merged. which, it'd be awesome if it was
Mentioned fix on Home Assistant community issue: https://community.home-assistant.io/t/letsencrypt-in-duckdns-fails-with-incorrect-txt/205150/27
The related PR seems to have been approved one month ago. But the PR is still open and not merged. What can be done to make that happen, or what's the next step? Many thanks!
Another confirmation that this rigmarole still occurs in 1.15.0
Why on earth is the fix not being merged (#2662 )!?
Can confirm again that have to go through ridiculous dance every 90 days to renew my certificates, can we PLEASE merge the fix?! (https://github.com/home-assistant/addons/pull/2662 )!?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Definitely not stale and still an issue in 1.15.0. Certificate is failing every 3 months like clockwork because the dns-01 challenges don't work correctly with aliases on the duckdns add-on for home assistant.
Please merge the fix.
Maybe not enough people have mentioned that there is a fix that just needs to be merged?
Please merge the fix.
This is still the same version 1.15.0 and this same issue active.
So I use manual workaround every 3 months:
modify part of old options yaml:
- change to:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases: []
restart to obtain certificate for duckdns domain.
then after revert back to original:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases:
  - domain: ha.MYDOMAINZZ.com
    alias: MYDUCKXXX.duckdns.org
then restart to get proper cert.
Thank you @hkusulja for the workaround.
I already forgot what I did to fix this 3 months ago.
Had the exact same issue and documented the complete setup and procedure at HA Community - Also mind the note in there to easily shift to a more modern and stable approach with more capabilities, being NGINX Proxy Manager.
This is still the same version 1.15.0 and this same issue active.
So I use manual workaround every 3 months:
modify part of old options yaml:
- change to:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases: []
restart to obtain certificate for duckdns domain.
then after revert back to original:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases:
  - domain: ha.MYDOMAINZZ.com
    alias: MYDUCKXXX.duckdns.org
then restart to get proper cert.
Hi
My current yaml configuration is quite different ..
duckdns:
  domain: mydomain.duckdns.org
  access_token: xxxxx-xxxxx-xxxx-xxxx-xxxx
http:
  ssl_certificate: /ssl/fullchain.pem.
  ssl_key: /ssl/privkey.pem
What should I change to obtain the same result (renew the certificate after 3 months)?
Thanks
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Can anyone confirm that this is now working as expected?
If this hasn’t changed, the ticket needs to be open.
In my case the missing renew was due to a wrong configuration.. So for me it is working as expected.. Thanks
There hasn't been a version change yet so even any potential fixes would not have been merged in. Given that, it must still be a problem.
The issue only occurs every 3 months when the certs expire and DuckDNS attempts to renew them.
Please mind that the expected change that was discussed in the PR by developers was basically to officially drop support for multiples alias, or alias all together, so if your solution works through that it's better to start looking for a solution in some other way...
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
The issue is still the same, it should be fixed by someone. Every 3 months (when autossl expires), this manual process needs to be done to successfully renew when using a domain alias. Hope someone has the solution and fix for this.
In my case, it just expired today and it was automatically renewed.. I can now read again "expire in 3 month" For me .. it works fine