home-assistant / addons

:heavy_plus_sign: Docker add-ons for Home Assistant
https://home-assistant.io/hassio/
Apache License 2.0

DuckDNS Alias domain fails dns-01 challenge #1331

Closed AieatAssam closed 3 years ago

AieatAssam commented 4 years ago

When trying the new alias option in the DuckDNS add-on, the following gets generated (redacted is a placeholder name for a real domain I use; it is personally identifiable data I have redacted):

# INFO: Using main config file /data/workdir/config
Processing redacted.duckdns.org with alternative names: home.redacted.net
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: redacted.duckdns.org
 + Configured names: redacted.duckdns.org home.redacted.net
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 18 09:02:44 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for redacted.duckdns.org
 + Found valid authorization for redacted.duckdns.org
 + Handling authorization for home.redacted.net
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for home.redacted.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.redacted.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<SNIP>/<SNIP>",
  "token": "<SNIP>"
})

I have added the following CNAME record to my redacted.net domain:

home >> redacted.duckdns.org

The configuration I am using is as follows:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <SNIP>
domains:
  - redacted.duckdns.org
  - home.redacted.net
aliases:
  - domain: home.redacted.net
    alias: redacted.duckdns.org
seconds: 300

mx4k commented 1 year ago

I can confirm, this bug still exists in 1.15.0.

joedj commented 1 year ago

I found a hacky work-around for this issue:

  1. Create your DuckDNS account
  2. Create two domains in DuckDNS:
     • xxx.duckdns.org: This is the domain that will be used for the dns-01 challenge on your DuckDNS hostname. Its A record will point to your home IP.
     • xxx-alias.duckdns.org: This is the domain that will be used for the dns-01 challenge on your custom alias. Its A record does not matter - you can manually set it to something like 127.0.0.1
  3. In the DNS provider for your custom domain, create your desired CNAME record for accessing HomeAssistant, e.g.: home.yourdomain.com CNAME xxx.duckdns.org
  4. In the DNS provider for your custom domain, create another CNAME record for the ACME challenge TXT record, e.g.: _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org
  5. Install the DuckDNS add-on, and configure it like this:

     domains:
     - xxx.duckdns.org
     aliases:
     - domain: home.yourdomain.com
       alias: xxx.duckdns.org
     - domain: home.yourdomain.com
       alias: xxx-alias.duckdns.org

  6. Start DuckDNS
  7. Rejoice. You should now have a certificate that is valid for both home.yourdomain.com and xxx.duckdns.org, and which will successfully auto-renew.

If you're curious why this works, it's because we are able to trick the add-on into using two independent TXT records for the two ACME challenges, rather than fighting over a single record: a) This code only processes aliases config that has a matching entry in the domains list. That is why we need the first entry in the aliases list, it serves no other purpose. b) This code is what actually maps your custom alias to a DuckDNS domain name, when updating the TXT record for the ACME challenge. It picks whatever the last matching entry is, so it maps home.yourdomain.com -> xxx-alias.duckdns.org, and updates that TXT record. This matches our earlier DNS configuration for _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org.

Hopefully this workaround doesn't get broken until we have another viable solution.

A cleaner solution might be to clear out the TXT records in hook.sh#startup_hook, and then append to them in hook.sh#deploy_challenge rather than overwriting them. If the maintainers are interested, I could have a go at preparing a PR, but there doesn't seem to be much interest in fixing this...
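
The lookups behind the failure and the workaround, as an added example that is not the add-on's code: behaviours (a) and (b) are taken from the explanation above, the one-TXT-per-domain wildcard behaviour of DuckDNS from the replies in this thread, and every name, record and token is constructed. It assumes both names' challenges are pending in the same renewal run.

```python
"""Model of the dns-01 lookups in this thread (added example, not the add-on's
code; behaviour (a)/(b) follows joedj's description; all data is constructed)."""

DUCK = ".duckdns.org"

def resolve_txt(name, cnames, duck_txt):
    """Follow CNAMEs to a TXT value, or None for NXDOMAIN. DuckDNS serves one
    TXT per registered sub-domain for any name below it (wildcard behaviour)."""
    for _ in range(8):                                  # CNAME loop guard
        if name.endswith(DUCK):
            sub = name[:-len(DUCK)].split(".")[-1]      # a.b.xxx.duckdns.org -> xxx
            return duck_txt.get(sub + DUCK)
        if name not in cnames:
            return None
        name = cnames[name]
    return None

def cert_domains(domains, aliases):
    """(a) An alias only counts when its target is in the domains list."""
    extra = [a["domain"] for a in aliases if a["alias"] in domains]
    return list(dict.fromkeys(domains + extra))         # keep order, drop dups

def duck_target(domain, aliases):
    """(b) The last alias entry matching `domain` picks the DuckDNS TXT to write."""
    target = domain
    for a in aliases:
        if a["domain"] == domain:
            target = a["alias"]
    return target

def simulate_renewal(domains, aliases, cnames):
    """Deploy every token first (as dehydrated does), then check each lookup."""
    names = cert_domains(domains, aliases)
    tokens = {d: "token-for-" + d for d in names}       # constructed tokens
    # One TXT per DuckDNS domain: a later write overwrites an earlier one.
    duck_txt = {duck_target(d, aliases): tokens[d] for d in names}
    return {d: resolve_txt("_acme-challenge." + d, cnames, duck_txt) == tokens[d]
            for d in names}

# The issue's setup (CNAME for home only, both names pending): both checks fail.
ORIGINAL = simulate_renewal(["xxx.duckdns.org", "home.example.net"],
    [{"domain": "home.example.net", "alias": "xxx.duckdns.org"}],
    {"home.example.net": "xxx.duckdns.org"})

# joedj's workaround (second DuckDNS domain + CNAME for the challenge name): both pass.
WORKAROUND = simulate_renewal(["xxx.duckdns.org"],
    [{"domain": "home.example.net", "alias": "xxx.duckdns.org"},
     {"domain": "home.example.net", "alias": "xxx-alias.duckdns.org"}],
    {"home.example.net": "xxx.duckdns.org",
     "_acme-challenge.home.example.net": "xxx-alias.duckdns.org"})
```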

hkusulja commented 1 year ago

Hmm, would it be better just to update this plugin / code, or create another fork of it? Anyhow, I am not sure I understand step 4, since there is already one CNAME and there can be only one CNAME per DNS record. Also, if I need to modify the existing _acme-challenge.home.yourdomain.com, should it be under _acme-challenge.domain.duckdns.org?

joedj commented 1 year ago

I'm not going to fork it since this solution seems to work for now, and I'm not going to spend time trying to update the code without some indication from the maintainers that they would be willing to accept a patch - it seems the plan at the moment is to remove support for aliases. This is probably fine, if https://github.com/home-assistant/addons/pull/3152 gets merged (but beware too of https://github.com/home-assistant/addons/issues/2423 which was closed without a fix/doc update).

In regards to your question about Step 4, there is only one CNAME per DNS name:

  1. home.yourdomain.com CNAME xxx.duckdns.org
  2. _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org

In regards to your other question, you can use either _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org, or _acme-challenge.home.yourdomain.com CNAME _acme-challenge.xxx-alias.duckdns.org, or _acme-challenge.home.yourdomain.com CNAME whatever.xxx-alias.duckdns.org.

It doesn't matter, since DuckDNS domains are effectively DNS wildcards. xxx-alias.duckdns.org and *.xxx-alias.duckdns.org will all respond with the same TXT record.

hkusulja commented 1 year ago

OK, I have done it according to your instructions; hope this helps on the current version of the DuckDNS add-on. Thank you!

How to reopen this issue so maintainers see it as an active issue that is not resolved? (However, it is linked to an old fix, which is not it.) And just to confirm, your suggestion is for making SSL certificates work on DuckDNS when using a custom domain name, so it should be under https://github.com/home-assistant/addons/issues/2505?

nikee73 commented 1 year ago

Where do I do these steps when using DuckDNS??

`3. In the DNS provider for your custom domain, create your desired CNAME record for accessing HomeAssistant, e.g.: home.yourdomain.com CNAME xxx.duckdns.org

4. In the DNS provider for your custom domain, create another CNAME record for the ACME challenge TXT record, e.g.: _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org`

MartinBlackburn commented 8 months ago

Still broken for me as of today - removing aliases and adding them didn't work for me. However, @joedj's workaround did: https://github.com/home-assistant/addons/issues/1331#issuecomment-1722300924

lemick007 commented 4 months ago

Finally... I have been renewing it manually for years, but this workaround seems to work: https://github.com/home-assistant/addons/issues/1331#issuecomment-1722300924 ... not an ideal fix, but this is nice, thx!