home-assistant / addons

Docker add-ons for Home Assistant
https://home-assistant.io/hassio/
Apache License 2.0

DuckDNS Alias domain fails dns-01 challenge #1331

Closed AieatAssam closed 3 years ago

AieatAssam commented 4 years ago

When trying the new alias option in the DuckDNS add-on, the following gets generated (redacted is a placeholder name for a real domain I use, which is personally identifiable data I have redacted):

# INFO: Using main config file /data/workdir/config
Processing redacted.duckdns.org with alternative names: home.redacted.net
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: redacted.duckdns.org
 + Configured names: redacted.duckdns.org home.redacted.net
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 18 09:02:44 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for redacted.duckdns.org
 + Found valid authorization for redacted.duckdns.org
 + Handling authorization for home.redacted.net
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for home.redacted.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.redacted.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<SNIP>/<SNIP>",
  "token": "<SNIP>"
})

I have added the following CNAME record to my redacted.net domain:

home >> redacted.duckdns.org

The configuration I am using is as follows:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <SNIP>
domains:
  - redacted.duckdns.org
  - home.redacted.net
aliases:
  - domain: home.redacted.net
    alias: redacted.duckdns.org
seconds: 300

johanson commented 4 years ago

Mine's failing as well without using aliases.

nathang21 commented 4 years ago

Same here, alias not working at all, and the config (which shows as valid) seems to be causing the addon to be unstable as well.

The logs usually are empty, but occasionally it will show KO (backwards OK), or the failed challenge error on my custom domain.

Edit: Looks like my error is a little different, seeing a 403 response.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[10:17:00] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing <REDACTED-DOMAIN>.duckdns.org with alternative names: <REDACTED-DOMAIN>
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: <REDACTED-DOMAIN>.duckdns.org
 + Configured names: <REDACTED-DOMAIN> <REDACTED-DOMAIN>.duckdns.org
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 10 14:45:43 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for <REDACTED-DOMAIN>
 + Found valid authorization for <REDACTED-DOMAIN>.duckdns.org
 + Handling authorization for <REDACTED-DOMAIN>
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for <REDACTED-DOMAIN> authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "No TXT record found at _acme-challenge.<REDACTED-DOMAIN>",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4913094965/hNe9aw",
  "token": "<REDACTED-TOKEN>"
})

houbie commented 4 years ago

Had the same issue and found out what's going wrong: the duckdns addon always uses a dns-01 challenge when requesting a certificate. This only works when your provider supports an API for automated creation of DNS records, hence the error. My workaround is to use the duckdns addon only for IP address resolution and use the letsencrypt addon for the certificates (this addon supports both dns-01 and http-01).

This requires that you configure your router to forward port 80 to your home-assistant IP port 80 (this port will only be open during certificate renewal).

I also changed the certfile and keyfile in the duckdns config to prevent them overwriting the letsencrypt certificates.

The letsencrypt addon has one drawback: it does not automatically renew certificates, so you will need to start it every few months.

wgrziwa commented 4 years ago

I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use, ha.mydomain.com, but also for *.ha.mydomain.com.

I don't know much about the inner workings of the let's encrypt authentication but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to use... Does this make sense?

Maybe the instructions could be updated to reflect that?

AieatAssam commented 4 years ago

I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use, ha.mydomain.com, but also for *.ha.mydomain.com.

I don't know much about the inner workings of the let's encrypt authentication but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to use... Does this make sense?

Maybe the instructions could be updated to reflect that?

This is exactly what is missing from the documentation. Having two CNAME records is what is required to get the alias DNS challenge to work:

  1. something ==> something.duckdns.org
  2. *.something ==> something.duckdns.org

Thank you. Great find.

mfncl99 commented 4 years ago

I suspect there may still be an issue here - the workaround of adding the second CNAME didn't work for me. Instead, adding the second record changed the error from:

"detail": "No TXT record found at _acme-challenge.ha<REDACTED>.com",

to:

"detail": "Incorrect TXT record \"YwtxSXpjvTRJZgyLyFOWf5qTAQpFgcf-ufqFIqAAumw\" found at _acme-challenge.ha.<REDACTED>.com",

The strange part is that the TXT record in the error changes each time I retry the challenge operation (I am uninstalling the duckdns hass.io addon with each retry to make sure old files are not used), suggesting the TXT record is being successfully set on the domain's DNS.

Could the script somehow be attempting to verify the wrong token from the wrong domain?

Below is my config, and the full log flow.

Applicable domain DNS records:

*.ha 3600 IN CNAME <REDACTED>.duckdns.org.
ha 1800 IN CNAME <REDACTED>.duckdns.org.

Addon config:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <REDACTED>
domains:
  - <REDACTED>.duckdns.org
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org
seconds: 300

Logs:

[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[09:15:52] INFO: KO
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing markfulton.duckdns.org with alternative names: ha.<REDACTED>.com
 + Creating new directory /data/letsencrypt/<REDACTED>.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for ha.<REDACTED>.com
 + Handling authorization for <REDACTED>.duckdns.org
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for ha.<REDACTED>.com authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"YwtxSXpjvTRJZgyLyFOWf5qTAQpFgcf-ufqFIqAAumw\" found at _acme-challenge.ha.<REDACTED>.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5188805052/oPNEcQ",
  "token": "<REDACTED>"
})

houbie commented 4 years ago

It did work once for me, but afterwards I also got the Incorrect TXT record error, so I had to switch back to the letsencrypt addon :(

paalex commented 4 years ago

What worked for me is having these two CNAME records:

ha.my-own-domain.com -> my-duck-domain.duckdns.org
_acme-challenge.ha.my-own-domain.com -> _acme-challenge.my-duck-domain.duckdns.org

thomashogema commented 4 years ago

Update: Nathang21's approach below is working

Thanks for the update!

Adding exactly these entries still gives me a 400 error. Tried twice with different domains.

Config:

domains:
  - myname.duckdns.org
  - ha.mydomain.tk
aliases:
  - domain: ha.mydomain.tk
    alias: myname.duckdns.org

Log:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.<REDACTED>.tk - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5751496123/abcd",
  "token": "<REDACTED>"
})
nathang21 commented 4 years ago

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:


domains:
  - myname.duckdns.org
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

FordMustang0288 commented 4 years ago

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:


domains:
  - myname.duckdns.org
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I was unable to save off a CNAME of both *.home and home as I get a conflict error. I'm using Google Domains.

  1. Is it safe to say that your first CNAME is _acme-challenge.home.duckdns.org?
  2. How does the port number come into play with either your duckdns and/or domain setup? If I leave it out as you have done, I just get directed to my public IP and not necessarily to HA.

I also seem to have the challenge error still in my duck dns log.

nathang21 commented 4 years ago

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:

domains:
  - myname.duckdns.org
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I was unable to save off a CNAME of both *.home and home as I get a conflict error. I'm using Google Domains.

  1. Is it safe to say that your first CNAME is _acme-challenge.home.duckdns.org?
  2. How does the port number come into play with either your duckdns and/or domain setup? If I leave it out as you have done, I just get directed to my public IP and not necessarily to HA.

I also seem to have the challenge error still in my duck dns log.

I just added the * (wildcard) to ensure I could validate all the domains needed by LetsEncrypt. I don't think it's actually needed, but someone above suggested it. Home is just my preferred subdomain, so you can use that (or swap for your own), as long as the _acme-challenge is a subdomain of the subdomain you choose.

  1. What do you mean by "first" CNAME? The order shouldn't matter, I can sort them alphabetically or via other means.
  2. Port numbers are not relevant for DNS records. The domain name just points to an IP address (or another domain which points to an IP address eventually). Your browser will use port 80 (or 443 for https) by default, unless you specify another port in your URI. However, you will likely need to port forward port 80 or 443 --> to 8123 (default homeassistant port) for TCP to the IP address of your homeassistant device on your home router. If you don't want that IP address to change randomly when the device reboots, you also want to set a static IP address (via a DHCP IP reservation). Most routers should have these settings, I have mine configured via my Google WiFi app. The regular docs should have instructions for this, as this isn't really specific to duckdns.

brent0np commented 4 years ago

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:


domains:
  - myname.duckdns.org
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I tried this solution and it hasn't worked for me. I updated my DNS to the following (using cloudflare):

CNAME _acme-challenge.ha.mydomain.com -> _acme-challenge.xxx.duckdns.org
CNAME *.ha.mydomain.com -> xxx.duckdns.org
CNAME ha.mydomain.com -> xxx.duckdns.org

I am still getting the 403 error (invalid token)

kroshilin commented 4 years ago

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge.
In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

brent0np commented 4 years ago

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge. In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I can't find any way to have both domains supported.

ludeeus commented 4 years ago

For that to work you need to configure a CNAME with your DNS provider

brent0np commented 4 years ago

For that to work you need to configure a CNAME with your DNS provider

I have CNAMEs configured for my purchased domain as specified above. Do you think I am missing something else? To clarify, I want both home.mydomain.com and myname.duckdns.org to work, both using letsencrypt SSL certs.

ludeeus commented 4 years ago

What logs does the addon output?

p-rintz commented 4 years ago

It did work once for me, but afterwards I also got the Incorrect TXT record error, so I had to switch back to the letsencrypt addon :(

@houbie & @mfncl99 The issue is the second duckdns domain. Simply leaving it out will result in a successful challenge. I agree that the duckdns addon seemingly sets the wrong txt record for the domain it is currently trying to validate. (i.e. for domain A while trying to validate domain B)

This worked for me:

domains:
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

wgrziwa commented 4 years ago

I originally suggested that the additional wildcard DNS entry for my alias domain solved the issue for me. Now after my certificate expired I have to report that it didn't fix the issue but I have a workaround.

I believe the reason for the failure is that both the duckdns AND the alias domain point to the same IP address, and since there are two challenges to be fulfilled by letsencrypt, the txt record of one of the challenges will be incorrect.

My workaround is a two step process which unfortunately won't allow the automatic renewal when using the alias:

  1. Remove the alias domain and just create the certificate for the duckdns domain. After a restart the challenge was successfully validated.
  2. Add the alias domain and restart again. This only validated the alias domain and worked without a problem. This just confirmed the SSL certificate but I also needed to restart the server to activate the new certificate as someone previously mentioned.

Not sure who maintains the plugin but a possible software fix could be: If multiple challenges are required setup one TXT record for the first challenge and after successful validation do the same for the second challenge.

I hope this can help someone else in a similar situation.

urukalo commented 4 years ago

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge. In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org

Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I can't find any way to have both domains supported.

It did work once for me, but afterwards I also got the Incorrect TXT record error, so I had to switch back to the letsencrypt addon :(

@houbie & @mfncl99 The issue is the second duckdns domain. Simply leaving it out will result in a successful challenge. I agree that the duckdns addon seemingly sets the wrong txt record for the domain it is currently trying to validate. (i.e. for domain A while trying to validate domain B)

This worked for me:

domains:
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org

After removing 'duckdns' from domains it worked for me too! Thanks 👍

tduffy83 commented 4 years ago

Try _acme-challenge.xxx ---> _acme-challenge.xxx.duckdns.org

That and removing the duckdns domain from the domains field seems to have worked for me. I really wish the devs had not deprecated the lets encrypt addon in favor of the duckdns addon. I think they should have continued to develop the let's encrypt addon and added useful features like more DNS providers (Godaddy please) and also auto updating of close to expiry certs, heck even a UI ala pfsense acme certificates would be sweet. Instead they dropped Let's Encrypt for DuckDNS and now we have this wonky work around for people that want to use their own domains. I'm fine with the DuckDNS addon, I just think all it should do is provide dynamic dns and leave the certs to let's encrypt. Oh well guess I can't complain too much as I'm not a dev and don't have the time to learn how to do it myself. At least it's working for the most part, here's hoping in 90 days the cert gets updated.

thomashogema commented 4 years ago

Although my experiences still seem quite inconsistent, I now have two installs where I got both my alias and DuckDNS domain working:

  1. Let DuckDNS request a certificate for the alias like suggested above (both the wildcard CNAME redirect and only include alias in the domain list).
  2. After the challenge has completed, add mydomain.duckdns.org to the domains and restart the addon. Now it resolves flawlessly.

thomashogema commented 3 years ago

Hi everyone! Back at it 😄 Renewal of my domain after the setup described above has failed.

This config:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <redacted>
domains:
  - <mydomain>.com
  - <mydomain>.duckdns.org
aliases:
  - domain: <mydomain>.com
    alias: <mydomain>.duckdns.org
seconds: 300

Results in the following error:

+ Received 2 authorizations URLs from the CA
 + Handling authorization for <mydomain>.com
 + Handling authorization for <mydomain>.duckdns.org
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for <mydomain>.com authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"<redacted>\" found at _acme-challenge.<mydomain>.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<redacted>",
  "token": "<redacted>"
})

@wgrziwa has pointed towards a possible cause of the problem. It seems that only one challenge can be completed at the same time. I noticed that @noamokman and @pvizeli added alias functionality to DuckDNS. If they could have another look at the implementation that would be great!

p-rintz commented 3 years ago

@thomashogema

As I mentioned above, if you leave the duckdns domain out of the "domains:" part of the config, the renewal will be successful.

So if you want to use your own domain and don't really care about accessing the duckdns domain itself, this is a good workaround.

tduffy83 commented 3 years ago

@thomashogema

As I mentioned above, if you leave the duckdns domain out of the "domains:" part of the config, the renewal will be successful.

So if you want to use your own domain and don't really care about accessing the duckdns domain itself, this is a good workaround.

While I find this workaround works initially, it has the unintended effect of the addon no longer updating the IP address of the duckdns subdomain. So there is no fully working workaround purely within home assistant. To fully get around this you will need some other device to update your IP address in duckdns like your router (I use pfsense). What I really wish is that the let's encrypt addon sans duckdns was more robust (I.E. included other services, Godaddy please) and then I wouldn't need to use duckdns at all.

sigo commented 3 years ago

I've experimented for a few hours and I can confirm a few things.

  1. You shouldn't remove the <name>.duckdns.org entry from domains. It causes the IP address not to be updated, so the duckdns functionality changes from DynamicDNS (DDNS) to standard DNS.
  2. Creating any TXT entry in your own domain's DNS doesn't help. You do not have the token for the Let's Encrypt ACME DNS-01 challenge. This token is kept in duckdns DNS.
  3. Domain order matters in the config file. The first one will be the main one, the second one will be additional (alternative name). You can check these details in the generated certificate or in the duckdns addon log:

Processing <first-domain> with alternative names: <second-domain>

Back to the issue: you need to redirect Let's Encrypt to duckdns when challenging your domain.

You can read on https://letsencrypt.org/docs/challenge-types/#dns-01-challenge:

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

So you can create a CNAME wildcard or simply create a CNAME for the _acme-challenge subdomain. So finally, the addon config can look like this:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <duck-dns-token>
domains:
  - <own-domain>
  - <domain>.duckdns.org
aliases:
  - domain: <own-domain>
    alias: <domain>.duckdns.org
seconds: 300

And your DNS:

CNAME    _acme-challenge.<own-domain>    <domain>.duckdns.org
CNAME    <own-domain>    <domain>.duckdns.org

And this is sufficient.

Keep in mind: if your DNS provider supports any proxying (like Cloudflare) you must keep it disabled for the _acme-challenge subdomain. It can be enabled only for the domain.

Hope this helps and saves you some time.
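
The delegation sigo lays out above, and the "two challenges, one TXT slot" collision wgrziwa describes earlier in the thread, can be checked offline with a small model. The block below is an added example, not code from the DuckDNS addon or from anyone in this thread; every DNS record in it is constructed, and it assumes (from the errors quoted above) that DuckDNS answers a single TXT value for the domain and all of its subdomains.

```python
# Added example: a constructed mini-resolver modelling the CNAME delegation
# and the dns-01 token collision discussed in this thread. Not addon code.
from dataclasses import dataclass


@dataclass
class DuckDns:
    """One DuckDNS domain with a single TXT slot set by the addon.

    Assumption: the TXT value is answered for the domain and for every
    subdomain of it (e.g. _acme-challenge.<domain>.duckdns.org).
    """
    domain: str
    txt: str = ""

    def serves(self, name: str) -> bool:
        return name == self.domain or name.endswith("." + self.domain)

    def deploy_token(self, token: str) -> None:
        # One slot per domain, so a second deploy overwrites the first.
        self.txt = token


@dataclass
class OwnZone:
    """CNAME records in the user's own zone; owners may start with '*.'."""
    cnames: dict

    def cname(self, name: str):
        if name in self.cnames:
            return self.cnames[name]
        labels = name.split(".")
        for i in range(1, len(labels)):  # closest wildcard parent wins
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.cnames:
                return self.cnames[wildcard]
        return None


def resolve_txt(name: str, own: OwnZone, duck: DuckDns, max_hops: int = 8):
    """Follow CNAMEs the way the CA's validator does.

    Returns (final_owner, txt_value); txt_value is None when the chain ends
    outside DuckDNS, which is the NXDOMAIN / status 400 case of the report.
    """
    for _ in range(max_hops):
        if duck.serves(name):
            return name, (duck.txt or None)
        target = own.cname(name)
        if target is None:
            return name, None
        name = target
    return name, None


def validate_order(challenges: dict, own: OwnZone, duck: DuckDns,
                   chained: bool) -> dict:
    """Run dns-01 for every name in an ACME order.

    chained=False mirrors the 'OKOK' logs above: all tokens are deployed
    first and only then checked, so the last deploy wins the single slot.
    chained=True deploys and checks one challenge at a time (wgrziwa's
    proposed fix). Returns {fqdn: validated}.
    """
    results = {}
    if not chained:
        for token in challenges.values():
            duck.deploy_token(token)
    for fqdn, token in challenges.items():
        if chained:
            duck.deploy_token(token)
        _, seen = resolve_txt("_acme-challenge." + fqdn, own, duck)
        results[fqdn] = seen == token
    return results


# Constructed sample: example.duckdns.org aliased as home.example.com.
DUCK = "example.duckdns.org"
ALIAS = "home.example.com"
HOST_ONLY = OwnZone({ALIAS: DUCK})                               # first report
SIGO = OwnZone({"_acme-challenge." + ALIAS: DUCK, ALIAS: DUCK})  # sigo's records
WILDCARD = OwnZone({"*." + ALIAS: DUCK, ALIAS: DUCK})            # wildcard variant


def main() -> None:
    duck = DuckDns(DUCK, "tokenA")
    for label, zone in (("host-only", HOST_ONLY), ("sigo", SIGO),
                        ("wildcard", WILDCARD)):
        print(label, resolve_txt("_acme-challenge." + ALIAS, zone, duck))
    two = {DUCK: "tokenA", ALIAS: "tokenB"}
    print("deploy-all:", validate_order(dict(two), SIGO, DuckDns(DUCK), False))
    print("chained:   ", validate_order(dict(two), SIGO, DuckDns(DUCK), True))


if __name__ == "__main__":
    main()
```

With the host-only CNAME the challenge name never reaches DuckDNS (the NXDOMAIN of the first report); with either delegation it does, but deploying both tokens before validating leaves exactly one challenge reading the wrong value, which is the "Incorrect TXT record" error seen later in the thread.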

kitkat270 commented 3 years ago

I’ve spent so long on and off over the last couple of years trying to get this sorted, and finally I’ve got it working - no more annoying browser warnings.

thanks to @wgrziwa and @sigo.

Seems to be quite a few people with same probs, perhaps this is worth mentioning in the docs???

houbie commented 3 years ago

I gave it a new try (as described by @sigo), but it fails with "Incorrect TXT record \"xxxx\" found at _acme-challenge.xxx.duckdns.org" Notice that the invalid text record is on _acme-challenge.xxx.duckdns.org and not on my own domain

Update: I removed the TXT record as described in the Duck DNS HTTP API Specification, and now it complains about an invalid TXT record on my own domain. After yet another retry it complains again about TXT record on the Duck DNS domain

sigo commented 3 years ago

I gave it a new try (as described by @sigo), but it fails with "Incorrect TXT record \"xxxx\" found at _acme-challenge.xxx.duckdns.org" Notice that the invalid text record is on _acme-challenge.xxx.duckdns.org and not on my own domain

Update: I removed the TXT record as described in the Duck DNS HTTP API Specification, and now it complains about an invalid TXT record on my own domain. After yet another retry it complains again about TXT record on the Duck DNS domain

@houbie Okay. I've done a complete fresh start with a new subdomain. I ran into the same problem that you mention. Got angry and went to sleep. But! After the night (a few hours) I just restarted Home Assistant and the DuckDNS addon did the whole process correctly.

I think that DNS changes need some time to propagate.

Can you try once again with some waiting time? I'm pretty sure that this way really works. Everything is done as in the documentation.

Btw. Make sure that you don't have any old DNS entries or config.

houbie commented 3 years ago

I triple checked the config and DNS entries, but it still falls over the TXT record :(

RyanMeulenkamp commented 3 years ago

@sigo 's configuration worked after I changed it to this:

CNAME _acme-challenge.<own-domain>    _acme-challenge.<domain>.duckdns.org
CNAME                 <own-domain>                    <domain>.duckdns.org

At least the challenge part that is.

Edit: now I can't update duckdns anymore. Whenever I add my own domain to the domains section, it fails to update. My guess is that it tries to update the IP for my own domain as well, while it isn't a known one for duckdns. Also, on my own domain I still get certificate errors.

edwinyoo44 commented 3 years ago

My config:

domains:
  - myname.duckdns.org
  - ha.mydomain.com
aliases:
  - domain: ha.mydomain.com
    alias: myname.duckdns.org

Cloudflare DNS:

CNAME    _acme-challenge.ha    myname.duckdns.org
CNAME    ha    myname.duckdns.org

I tried many times but failed, but after deleting the DNS record and resetting the DNS record, it succeeded.

You can try it

mansouryaacoubi commented 3 years ago

Quote by wgrziwa ⬆

I originally suggested that the additional wildcard DNS entry for my alias domain solved the issue for me. Now after my certificate expired I have to report that it didn't fix the issue but I have a workaround.

I believe the reason for the failure is that both the duckdns AND the alias domain point to the same IP address, and since there are two challenges to be fulfilled by letsencrypt, the txt record of one of the challenges will be incorrect.

My workaround is a two step process which unfortunately won't allow the automatic renewal when using the alias:

1. Remove the alias domain and just create the certificate for the duckdns domain. After a restart the challenge was successfully validated.

2. Add the alias domain and restart again. This only validated the alias domain and worked without a problem.
   This just confirmed the SSL certificate but I also needed to restart the server to activate the new certificate as someone previously mentioned.

Not sure who maintains the plugin but a possible software fix could be: If multiple challenges are required setup one TXT record for the first challenge and after successful validation do the same for the second challenge.

I hope this can help someone else in a similar situation.

You are definitely right! Your answer helped me a lot figuring out this issue. This seems to be a bug in the addon that should be fixed. After hours of fiddling around these following steps allowed me to set an alias for my duckdns.org domain:

Let us imagine the following:

You have a domain example.duckdns.org and you have the domain example.com and want to access your home assistant via home.example.com.

Short Guide

  1. Set CNAME records for your domain: *.home and home pointing to example.duckdns.org
  2. Install or Reinstall the DuckDNS Addon on your home assistant instance.
  3. Set your addon config and leave out your alias for this step
  4. Start the duckdns addon and watch the log for completion of certificate creation
  5. Now add the alias to your config
  6. Restart addon and watch the log for completion of certificate creation
  7. Add http section to your configurations.yaml and set your alias domain as your base_url
  8. Restart your home assistant

Detailed Guide

  1. Set CNAME records for your domain:

CNAME     *.home      example.duckdns.org
CNAME       home      example.duckdns.org

  2. Install or Reinstall the DuckDNS Addon on your home assistant instance.
  3. Set the following configuration in your addon configuration:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: take-the-token-from-your-duckdns-account
domains:
  - example.duckdns.org
aliases: []
seconds: 300

  4. Start your addon and let your addon create your keypairs (you can follow the process in the Logs tab).

Log output should be:

INFO: Renew certificate for domains: example.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing example.duckdns.org
 + Creating new directory /data/letsencrypt/example.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for example.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for example.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

  5. Now, after the certificates have been created, change your addon configuration to the following:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: take-the-token-from-your-duckdns-account
domains:
  - example.duckdns.org
aliases:
  - domain: home.example.com
    alias: example.duckdns.org
seconds: 300

  6. Restart your addon and follow the process in the Log tab.

Log output should be:

INFO: Renew certificate for domains: example.duckdns.org and aliases: 
home.example.com
# INFO: Using main config file /data/workdir/config
Processing home.example.com with alternative names: example.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for example.duckdns.org
 + Found valid authorization for example.duckdns.org
 + Handling authorization for home.example.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for home.example.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

  7. Add the following to your configurations.yaml file:

http:
  server_port: 8123
  base_url: home.example.com
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

  8. Restart your home assistant.

These steps will definitely work for everybody!

Have fun :D

P.S.: Don't forget to forward port 443 on your router to your local port 8123 👍

Source: https://gist.github.com/mansouryaacoubi/6774911fe2ffa60fac7738913aae34e2

vsaarinen commented 3 years ago

In case anyone's running into a similar issue, my problem was that I had set up the following CNAME record for my domain which (I believe?) was required before but now broke challenges:

CNAME     _acme-challenge.home      _acme-challenge.example.duckdns.org

Removing this record so that I only had the following fixed certificate renewals:

CNAME     *.home      example.duckdns.org
CNAME       home      example.duckdns.org
Xebozone commented 2 years ago

I was struggling with this for a while on my home assistant instance which has been left offline for months.

mansouryaacoubi's guide helped me. I already had everything working before, but kept getting the "invalid TXT" error. Replacing aliases with [], restarting, letting it generate the cert, and then adding my aliases back solved it. I think this is still a bug in DuckDNS. It should not have been necessary to remove and re-add aliases.

MaikaiLife commented 2 years ago

This just happened to me also; had to remove the aliases and restart DuckDNS.

harisma-git commented 2 years ago

Same here. Invalid TXT error. The workaround is working, but I have to do it manually. Any chance of fixing this?

deanjarnold commented 2 years ago

Just happened here on 2 HA servers running 1.15.0 of the DuckDNS Plugin.

Had to remove my alias, restart the plugin, and then re-add the alias.

diamant-x commented 2 years ago

Still an issue in Current version: 1.15.0. Any chance this issue ticket can be reopened to bring attention back?

 + Received 2 authorizations URLs from the CA
 + Handling authorization for mydomain.duckdns.org
 + Handling authorization for myalias.domain.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for mydomain.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"ABC123REDACTED321CBA\" found at _acme-challenge.mydomain.duckdns.org",
    "status": 403
  }
})
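
The two failures in this thread, the original NXDOMAIN for _acme-challenge.home.<domain> and the "Incorrect TXT record ... found at _acme-challenge.mydomain.duckdns.org" above, come down to how the alias name resolves and how many TXT values a DuckDNS name can hold. The following is an added example, not code from the add-on, from the gist or from any commenter, that models just the DNS side of the dns-01 challenge with a toy resolver and runs three scenarios: the guide's CNAME setup with and without the `*.home` wildcard record, and the "OKOK" run above, where both deploy hooks report OK before the first challenge is answered. The names are the guide's placeholders (example.duckdns.org, home.example.com); the zone contents, tokens and function names are constructed here. One assumption is built in and labelled in the code: a DuckDNS domain holds a single TXT value, replaced on every update call and served for the domain and every name under it, which is what the error message found at the _acme-challenge subdomain of the DuckDNS name suggests.

```python
from dataclasses import dataclass, field

# Added example modelling the DNS side of a dns-01 challenge through a DuckDNS
# alias.  Not code from the add-on, the gist or any commenter.  Zone contents,
# tokens and the single-TXT DuckDNS behaviour below are constructed/assumed.


@dataclass
class ToyDns:
    # CNAME records in the user's own zone: owner name -> target.  An owner
    # starting with "*." matches exactly one extra label, as a DNS wildcard does.
    cnames: dict = field(default_factory=dict)
    # Assumption: each DuckDNS domain holds one TXT value, served for the
    # domain itself and for every name under it (_acme-challenge.<domain> too).
    duckdns_txt: dict = field(default_factory=dict)

    def duckdns_update(self, domain: str, txt: str) -> None:
        """Model of the DuckDNS update call: the previous TXT value is replaced."""
        self.duckdns_txt[domain] = txt

    def _cname_target(self, name: str):
        if name in self.cnames:
            return self.cnames[name]
        parts = name.split(".", 1)
        if len(parts) < 2:
            return None
        return self.cnames.get("*." + parts[1])

    def resolve_txt(self, name: str, max_hops: int = 8) -> str:
        """Follow CNAMEs from `name` and return the TXT value; raise LookupError on NXDOMAIN."""
        for _ in range(max_hops):
            target = self._cname_target(name)
            if target is not None:
                name = target
                continue
            for domain, txt in self.duckdns_txt.items():
                if name == domain or name.endswith("." + domain):
                    return txt
            raise LookupError(f"NXDOMAIN looking up TXT for {name}")
        raise LookupError(f"CNAME chain too long starting at {name}")


def validate_dns01(dns: ToyDns, domain: str, expected_token: str):
    """Return (ok, detail) in the shape of the CA's challenge result shown in the thread."""
    query = "_acme-challenge." + domain
    try:
        found = dns.resolve_txt(query)
    except LookupError as exc:
        return False, f"DNS problem: {exc}"
    if found != expected_token:
        return False, f'Incorrect TXT record "{found}" found at {query}'
    return True, "valid"


def zone_with_wildcard() -> ToyDns:
    """The two CNAMEs from the guide above (home and *.home -> example.duckdns.org)."""
    return ToyDns(cnames={
        "home.example.com": "example.duckdns.org",
        "*.home.example.com": "example.duckdns.org",
    })


def scenario_no_wildcard():
    """Original report: only `home` has a CNAME, so _acme-challenge.home.* has no record."""
    dns = ToyDns(cnames={"home.example.com": "example.duckdns.org"})
    dns.duckdns_update("example.duckdns.org", "tok-alias")
    return validate_dns01(dns, "home.example.com", "tok-alias")


def scenario_both_tokens_at_once():
    """Both pending challenges deployed before either is answered (the 'OKOK' run):
    the second DuckDNS update overwrites the first token."""
    dns = zone_with_wildcard()
    dns.duckdns_update("example.duckdns.org", "tok-duck")
    dns.duckdns_update("example.duckdns.org", "tok-alias")
    return (validate_dns01(dns, "example.duckdns.org", "tok-duck"),
            validate_dns01(dns, "home.example.com", "tok-alias"))


def scenario_one_domain_per_run():
    """The workaround: a run without aliases validates example.duckdns.org first;
    the next run reuses that authorization and only deploys the alias token."""
    dns = zone_with_wildcard()
    dns.duckdns_update("example.duckdns.org", "tok-duck")
    first = validate_dns01(dns, "example.duckdns.org", "tok-duck")
    dns.duckdns_update("example.duckdns.org", "tok-alias")
    second = validate_dns01(dns, "home.example.com", "tok-alias")
    return first, second


if __name__ == "__main__":
    for fn in (scenario_no_wildcard, scenario_both_tokens_at_once, scenario_one_domain_per_run):
        print(fn.__name__, "->", fn())
```

Running it prints the NXDOMAIN detail for the wildcard-less zone, the "Incorrect TXT record" failure for the DuckDNS name when both tokens are pushed in one run, and two valid results when the DuckDNS name is authorized in a run of its own; the toy resolver reports the queried name, which is also what the CA output above shows.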
hkusulja commented 2 years ago

I am using 1.15.0 and still have the same issue. Removing the aliases, rerunning, and re-adding them again helped. Please reopen to fully fix, thank you.

Xebozone commented 2 years ago

Can confirm still an issue

rpruden commented 2 years ago

Can confirm that this is still an issue as well. I just followed wgrziwa’s instructions and it worked like a charm.

It seems like a relatively simple fix. Just need to do what he said and authorize and validate one dns entry at a time.

I have add on set to auto update so hopefully in 3 months I won’t see the issue if an update gets pushed.

Rusti-gotrage commented 2 years ago

This remains an issue with DuckDNS 1.15.0

It's to the point now where I'm unable to use my OWN domain and am just using the DuckDNS domain to access my site.

I'm at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.

sushant-here commented 1 year ago

This issue needs to be reopened for a proper fix. By closing it we are accepting this solution which indeed works however is not an acceptable long term solution.

Nerada commented 1 year ago

Still have the same issue with version 1.15.0, tried all workarounds.

rokam commented 1 year ago

I do have a workaround for this issue:

  1. Remove all alias configs
  2. Restart the addon
  3. Add the alias config back
  4. Restart the addon again
Nerada commented 1 year ago

I do have a workaround for this issue:

  1. Remove all alias configs
  2. Restart the addon
  3. Add the alias config back
  4. Restart the addon again

I tried that many times, but the issue remains.

mansouryaacoubi commented 1 year ago

It has been a long time since I worked on Home Assistant, but now that I have set up our new Home Assistant at home, I can still confirm that my fix/guide (see https://github.com/home-assistant/addons/issues/1331#issuecomment-780495261) is still working like a charm. I would still call this a bug, but it seems the DuckDNS team doesn't have the time to fix it. At least it works.