Duck DNS addon do not renew certificate #2505

Closed
lordrak007 opened this issue May 30, 2022 · 36 comments
@lordrak007

Describe the issue you are experiencing

Every time when this plugin may renew certificate it fails! So every three months I have to try to play with this plugin = it is completely unusable, I can do it manually.

I am getting this: Incorrect TXT record

What type of installation are you running?

Home Assistant Supervised

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Duck DNS

What is the version of the add-on?

1.14.0

Steps to reproduce the issue

Setup plugin with alias -> worked, get certificate
When renewal period occurs renewal failed

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for my-ha.duckdns.org
 + Handling authorization for my-ha.cooldomain.cz
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for my-ha.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org"
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"1g4FgZoGt2y9WaBs_7TQL7v7jb7lUJz8xNrlixCEuLQ\" found at _acme-challenge.my-ha.duckdns.org","status":403}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/114079207846/9uci7g"
["token"]	"mtVWXobHYyfKU8XgjdLUYj6ebiZNqZ89Dh2kYpfLS7g"
["validated"]	"2022-05-30T05:50:26Z")
[07:55:30] INFO: OK

Additional information

I have tried to remove aliases completely but I can't save the configuration because of this error:
Failed to save add-on configuration, Invalid list for option 'aliases' in Duck DNS (core_duckdns). Got {'domains': ['pnrqvy-ha.duckdns.org'], 'token': '0c79e13c-ecaa-478d-8da9-106e3cbb3239', 'aliases': {}, 'lets_encrypt': {'accept_terms': True, 'algo': 'secp384r1', 'certfile': 'fullchain2.pem', 'keyfile': 'privkey2.pem'}, 'seconds': 300}

I have tried to uninstall the plugin and configure it from scratch. No success.

@marcosamm

I have the same problem with the 1.15.0 version.

@deanjarnold

This appears to be an ongoing issue. Workaround is to remove alias, restart plugin to generate certificate, and then re-add alias.

see: #1331 (comment)

@mdegat01
Contributor

mdegat01 commented Jun 8, 2022

When removing aliases, don't just remove it; try adding aliases: [] to the config and specifically set it to an empty array. That should fix that validation error.

Can you share your config where you are trying to set the aliases though? You did follow all the directions here right? Namely add a CNAME record to the domain you own or a subdomain of it to the duckdns domain you're using. And another CNAME record for the _acme-challenge subdomain of that.

@adrianoftyriel

adrianoftyriel commented Jun 9, 2022

Can confirm that this is still an issue in 1.15.0..

Had to remove the alias, leaving an empty array ([]) and renew, then put the alias config back in. Both CNAME records are in place.

domains:
  - REDACTED.duckdns.org
token: REDACTED
aliases:
  - domain: homeassistant.REDACTED.ca
    alias: REDACTED.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 301

@mattclar

I have this issue also

@nebhale

nebhale commented Aug 22, 2022

I can confirm that this is still ongoing.

@Rusti-gotrage

Confirming that this remains an issue with DuckDNS 1.15.0

It's to the point now where I'm unable to use my OWN domain and am just using the DuckDNS domain to access my site.

I'm at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.

lildude added a commit to lildude/addons that referenced this issue Sep 10, 2022
Fixes home-assistant#2505. This includes a bit of logic already performed by dehydrated, however we need it to ensure we don't unnecessarily cause certificates to be reissued every time we check.
@lildude

lildude commented Sep 10, 2022

The issue here is that dehydrated, which is used for getting/renewing the certificates, deploys the challenge tokens for all the domains and then performs the validation for each domain.

This causes a problem with DuckDNS as it only has a single TXT record which will always be overwritten by the challenge for the last domain in the list.

You can see this sequence in the (slightly modified and annotated) output:

Processing my-ha.duckdns.org with alternative names: my-ha.cooldomain.cz
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for my-ha.duckdns.org
 + Handling authorization for my-ha.cooldomain.cz
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OK     # ===> Challenge for my-ha.duckdns.org written to duckdns TXT
OK     # ===> Challenge for my-ha.cooldomain.cz written to duckdns TXT overwriting above
 + Responding to challenge for my-ha.duckdns.org authorization...  
       # ^==> Fails because TXT challenge is for my-ha.cooldomain.cz not my-ha.duckdns.org
 + Cleaning challenge tokens...
OK
OK 
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"

The behaviour is detailed in dehydrated's troubleshooting.md.

The workaround detailed here is effectively doing what is detailed in this comment.

PR to fix this coming in a mo.
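
The overwrite sequence described in the comment above, as an added example (not code from the add-on, dehydrated or the linked PR): a Python model of a provider with a single TXT slot, comparing deploy-all-then-validate with deploy-and-validate per domain. The tokens, thumbprint, class and function names are constructed for illustration, and the per-domain ordering is shown only for contrast, not as what the PR implements.

```python
import base64
import hashlib

THUMBPRINT = "constructed-account-key-thumbprint"  # constructed sample value
RECORD = "_acme-challenge.my-ha.duckdns.org"       # the provider's only TXT name

def txt_value(token):
    """dns-01 TXT content: base64url(SHA-256(token + "." + thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{THUMBPRINT}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class SingleTxtZone:
    """Hypothetical model of a provider that keeps one TXT value in total."""
    def __init__(self, cnames):
        self.cnames = cnames  # challenge name -> CNAME target
        self.txt = None
    def deploy(self, value):
        self.txt = value      # each write replaces the previous challenge
    def lookup(self, name):
        target = self.cnames.get(name, name)  # follow the alias CNAME
        return self.txt if target == RECORD else None

def ca_validates(zone, domain, token):
    return zone.lookup(f"_acme-challenge.{domain}") == txt_value(token)

def deploy_all_then_validate(zone, challenges):
    """Ordering seen in the annotated log: all tokens written, then checked."""
    for token in challenges.values():
        zone.deploy(txt_value(token))
    return {d: ca_validates(zone, d, t) for d, t in challenges.items()}

def deploy_and_validate_each(zone, challenges):
    """Contrast case: each domain is checked before the slot is reused."""
    results = {}
    for domain, token in challenges.items():
        zone.deploy(txt_value(token))
        results[domain] = ca_validates(zone, domain, token)
    return results

# Constructed input: domain names from the log above, tokens made up.
CHALLENGES = {"my-ha.duckdns.org": "constructed-token-A",
              "my-ha.cooldomain.cz": "constructed-token-B"}
CNAMES = {"_acme-challenge.my-ha.cooldomain.cz": RECORD}

if __name__ == "__main__":
    print("batch:     ", deploy_all_then_validate(SingleTxtZone(CNAMES), CHALLENGES))
    print("per-domain:", deploy_and_validate_each(SingleTxtZone(CNAMES), CHALLENGES))
```

In the batch ordering only the last domain's challenge survives in the TXT slot, which matches the "Incorrect TXT record" error returned for my-ha.duckdns.org in the log.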

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Oct 10, 2022
@lozzd

lozzd commented Oct 13, 2022

not stale - PR waiting to be merged. which, it'd be awesome if it was

@github-actions github-actions bot removed the stale label Oct 13, 2022
@thomasgeens

Mentioned fix on Home Assistant community issue:
https://community.home-assistant.io/t/letsencrypt-in-duckdns-fails-with-incorrect-txt/205150/27

@diamant-x

diamant-x commented Oct 31, 2022

The related PR seems to have been approved one month ago. But the PR is still open and not merged. What can be done to make that happen, or what's the next step? Many thanks!

@richardwonka

Another confirmation that this rigmarole still occurs in 1.15.0

@christhementalist

Why on earth is the fix not being merged (#2662 )!?

@mattclar

mattclar commented Jan 5, 2023

Can confirm again that have to go through ridiculous dance every 90 days to renew my certificates, can we PLEASE merge the fix?! (#2662 )!?

@github-actions

github-actions bot commented Feb 4, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Feb 4, 2023
@jonathanebetts

Definitely not stale and still an issue in 1.15.0. Certificate is failing every 3 months like clockwork because the dns-01 challenges don't work correctly with aliases on the duckdns add-on for home assistant.

Please merge the fix.

@github-actions github-actions bot removed the stale label Feb 4, 2023
@richardwonka

richardwonka commented Feb 4, 2023 via email

@hkusulja

hkusulja commented Feb 13, 2023

This is still the same version 1.15.0 and this same issue is active.

So I use manual workaround every 3 months:

modify part of old options yaml:

  1. change to:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases: []

restart to obtain certificate for duckdns domain.

then after revert back to original:

domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases:
  - domain: ha.MYDOMAINZZ.com
    alias: MYDUCKXXX.duckdns.org

then restart to get proper cert.

@jskvbinmv

Thank you @hkusulja for the workaround.

I already forgot what I did to fix this 3 months ago.

@thomasgeens

Thank you @hkusulja for the workaround.

I already forgot what I did to fix this 3 months ago.

Had the exact same issue and documented the complete setup and procedure at HA Community - Also mind the note in there to easily shift to a more modern and stable approach with more capabilities, being NGINX Proxy Manager.

@spanzetta

spanzetta commented Mar 14, 2023

This is still the same version 1.15.0 and this same issue is active.

So I use manual workaround every 3 months:

modify part of old options yaml:

  1. change to:
domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases: []

restart to obtain certificate for duckdns domain.

then after revert back to original:

domains:
  - MYDUCKXXX.duckdns.org
token: YYYY
aliases:
  - domain: ha.MYDOMAINZZ.com
    alias: MYDUCKXXX.duckdns.org

then restart to get proper cert.

Hi

My current yaml configuration is quite different ..

duckdns:
  domain: mydomain.duckdns.org
  access_token: xxxxx-xxxxx-xxxx-xxxx-xxxx

http:
  ssl_certificate: /ssl/fullchain.pem.
  ssl_key: /ssl/privkey.pem

What should I change to obtain the same result (renew the certificate after 3 month)??

Thanks

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Apr 13, 2023
@richardwonka

Can anyone confirm that this is now working as expected?

If this hasn’t changed, the ticket needs to be open.

@spanzetta

In my case the missing renew was due to a wrong configuration..
So for me it is working as expected..
Thanks

@github-actions github-actions bot removed the stale label Apr 13, 2023
@jonathanebetts

There hasn't been a version change yet so even any potential fixes would not have been merged in. Given that, it must still be a problem.

The issue only occurs every 3 months when the certs expire and DuckDNS attempts to renew them.

@diamant-x

Please mind that the expected change that was discussed in the PR by developers was basically to officially drop support for multiple aliases, or aliases altogether, so if your solution works through that it's better to start looking for a solution in some other way...

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label May 13, 2023
@hkusulja

The issue is still the same, it should be fixed by someone.
Every 3 months (when autossl expires), this manual process needs to be done to successfully renew when using a domain alias.
Hope someone has the solution and fix for this

@github-actions github-actions bot removed the stale label May 14, 2023
@spanzetta

In my case, it just expired today and it was automatically renewed.. I can now read again "expire in 3 month"
For me .. it works fine

@richardwonka

richardwonka commented May 21, 2023

In my case, it just expired today and it was automatically renewed.. I can now read again "expire in 3 month"
For me .. it works fine

What have you changed in your setup? mine failed again (sigh) just last night.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Jun 20, 2023
@github-actions github-actions bot closed this as not planned Jun 27, 2023
@prj

prj commented Aug 4, 2023

Not stale. Addon is abandoned.

@joedj

joedj commented Sep 16, 2023

For those having problems with auto-renewal when using a custom alias, and having to do the manual workaround, I think I found another hacky way to do it... see #1331 (comment)

@hkusulja

hkusulja commented Sep 16, 2023

Not stale. Addon is abandoned.
@prj
please confirm there is no owner of this add-on and what is the process to have a new owner on it? thank you

I hope, @joedj could be interested :)
And thank you one more time for workaround for auto-renewal when using a custom alias

@thomasgeens

I would really advise abandoning this add-on, see https://community.home-assistant.io/t/letsencrypt-in-duckdns-fails-with-incorrect-txt/205150/25?u=thomas_geens
