acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Duck DNS wildcard certificates #3151

Open ad84 opened 4 years ago

ad84 commented 4 years ago

I apologise if I've submitted this incorrectly - I'm very new to this. My problem is with the DuckDNS API when issuing wildcard certificates (i.e. eg1.duckdns.org and *.eg1.duckdns.org on one certificate). The problem lies with DuckDNS not seeming to support multiple TXT entries for domains, so one of the above DNS challenges fails because the TXT record is overwritten. If you issue a cert for eg1.duckdns.org and then within (what seems) a few hours issue one for eg1.duckdns.org and *.eg1.duckdns.org, it works because eg1 is already verified so only two challenges are requested. I'm sure that this is an issue with DuckDNS rather than acme.sh, but I'm not sure if a workaround can be done for this? Thanks in advance, hope this all makes sense.

ally9696 commented 4 years ago

Use https://app.netlify.com/ only for the verification domain: --challenge-alias yourdomainverify.com --dns dns_yourprefereddns

Read more in the WIKI section on how to issue a wildcard cert with the DNS alias API if you have issues with wildcards.

ad84 commented 4 years ago

Thanks for the reply :) I've had a read... I'm sure some combination would work. A request for eg1.duckdns.org produces one challenge and works. A request for only *.eg1.duckdns.org, or for eg1.duckdns.org & *.eg1.duckdns.org, produces two challenges and fails. Both of the challenges are to _acme-challenge.eg1.duckdns.org. I'm sorry, I'm struggling to see how to do this?

Nosen92 commented 3 years ago

I'm having the same problem.

I've done some light research, and apparently DuckDNS uses StartSSL which does not offer wildcard certificates for free, you have to pay a fee.

I'm considering switching SSL issuer.

jakub-svoboda-ch commented 3 years ago

I stumbled upon this very same problem with the OPNsense plugin integrating acme.sh for Let's Encrypt support.

@Nosen92 I don't see why you are considering switching SSL issuer? Let's Encrypt is the issuer of the SSL/TLS cert; everything with them is perfectly fine. DuckDNS is only the dynamic DNS provider. If switching providers, try a different DDNS provider that allows multiple different TXT records; that could help.

@ad84 according to Let's Encrypt https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 and to DuckDNS https://www.duckdns.org/spec.jsp

these 2 services are not 100% compatible if you use wildcards or multiple subdomains. DuckDNS only supports one TXT record for all your sub-subdomains. Let's Encrypt will see only the last added auth token in the DNS, so acme.sh requests for multiple domains will fail.

Eventually, after a lot of playing around, I managed the following: used --domain-alias domain.duckdns.org in the command line to make sure the TXT record gets set.

Requested a cert for just the main "domain.duckdns.org" => worked out of the box.

Added the wildcard "*.domain.duckdns.org" and requested again => worked, because the main domain was already validated?

So I now have my cert with both domain names in it and it works for the nginx reverse proxy.

But how to automate this update/renew? Remove the *.domain, request again for only the main domain, add the wildcard again, request again?

This seems to be exactly the same problem: #2933

According to these lines in the DuckDNS API file, it should already handle that _acme-challenge thingy, but I had to use --domain-alias to make it work: https://github.com/acmesh-official/acme.sh/blob/f2d350002e7c387fad9777a42cf9befe34996c35/dnsapi/dns_duckdns.sh#L94-L107

And this could/should fix it? #3061 Is this already in main? Will this come to main?

ad84 commented 3 years ago

I found an easy workaround for this at the time. I need one wildcard cert for *.eg1.duckdns.org and *.eg2.duckdns.org. I issue a cert (which I don't install to nginx) for eg1.duckdns.org and eg2.duckdns.org, then immediately issue the cert that I need. That way eg1.duckdns.org and eg2.duckdns.org are already verified. acme.sh's cron job runs them immediately after each other so renewals work fine too.
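Scripting the order ad84 describes, as an added example (not acme.sh's own code and not something the commenters posted): the bare names are issued first so each _acme-challenge label is written once, and the wildcard request follows while the CA still holds those authorizations. It assumes acme.sh is installed at $ACME with DuckDNS_Token exported; challenge_name and txt_collision are helper names I chose, and they show why a bare name and its wildcard collide on a provider that stores a single TXT value.

```shell
#!/bin/sh
# Added example, not acme.sh project code. Assumes acme.sh is installed at
# $ACME and DuckDNS_Token is exported for the dns_duckdns hook.
# set -f: the "*.name" strings built below must not be glob-expanded.
set -efu
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"

# DNS-01 validates every name at _acme-challenge.<name minus any leading "*.">,
# so eg1.duckdns.org and *.eg1.duckdns.org share one label. DuckDNS keeps a
# single TXT value per domain, so the second token overwrites the first.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#"*."}"
}

# Print "collision" when two requested names need the same label, else "ok".
txt_collision() {
    seen=" "
    for d in "$@"; do
        label=$(challenge_name "$d")
        case "$seen" in
            *" $label "*) echo collision; return 0 ;;
        esac
        seen="$seen$label "
    done
    echo ok
}

# Two-step order from the thread: one cert for the bare names (one label each),
# then, right after, the wildcard cert that is actually installed. ad84 reports
# the wildcard request succeeds once the bare names were just validated, and
# that cron then renews the two certs back to back in the same order.
issue_duckdns_wildcard() {
    bare=""; wild=""
    for n in "$@"; do
        n=${n#"*."}
        bare="$bare -d $n"
        wild="$wild -d *.$n"
    done
    # shellcheck disable=SC2086  # splitting the -d lists is intended
    "$ACME" --issue --dns dns_duckdns $bare
    "$ACME" --issue --dns dns_duckdns $wild
}

# Usage: ./duckdns-wildcard.sh eg1.duckdns.org eg2.duckdns.org
if [ $# -gt 0 ]; then
    [ "$(txt_collision "$@")" = ok ] || { echo "duplicate names" >&2; exit 1; }
    issue_duckdns_wildcard "$@"
fi
```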