meonkeys / shb

Source code for an awesome book about self-hosting.
https://selfhostbook.com
GNU Affero General Public License v3.0

Invalid Cert Warning with Duck DNS #6

Open a-w-1806 opened 1 week ago

a-w-1806 commented 1 week ago

Hi! I am trying to follow 8.5.1. It's been an hour but I still see the invalid cert warning.

reverse-proxy-1  | 2024-06-26T03:48:13Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:469 > Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [<foo>.duckdns.org *.<foo>.duckdns.org]: error: one or more domains had a problem:\n[*.<foo>.duckdns.org] propagation: time limit exceeded: last error: DNS call error: read udp 172.19.0.2:43032->99.79.16.64:53: i/o timeout [ns=ns5.duckdns.org.:53, question='_acme-challenge.<foo>.duckdns.org. IN  TXT']\n[<foo>.duckdns.org] propagation: time limit exceeded: last error: DNS call error: read udp 172.19.0.2:41675->99.79.16.64:53: i/o timeout [ns=ns5.duckdns.org.:53, question='_acme-challenge.<foo>.duckdns.org. IN  TXT']\n" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["<foo>.duckdns.org","*.<foo>.duckdns.org"] providerName=myresolver.acme routerName=dashboard-https@docker rule=Host(`traefik.<foo>.duckdns.org`)

reverse-proxy-1  | 2024-06-26T04:09:59Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "traefik.<foo>.duckdns.org"
reverse-proxy-1  | 2024-06-26T04:10:00Z DBG log/log.go:245 > http: TLS handshake error from 172.16.249.1:62143: EOF

reverse-proxy-1  | 2024-06-26T04:13:51Z DBG log/log.go:245 > http: TLS handshake error from 172.16.249.1:62231: remote error: tls: unknown certificate

I checked the dig output of the addresses and they seem to be fine (I am not a network expert, though). Thanks!
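Added example, not code from the book's repository or from either participant: a small Python script that takes the Traefik ACME error line quoted above and splits it into its parts (the failing domain, the authoritative nameserver and the IP the client actually queried, the _acme-challenge TXT question, and the Go socket error), tells a transport failure apart from a missing record, and prints the dig command that repeats the client's own check against that server. The sample is the log line from this issue with the reporter's <foo> placeholder kept; the classification heuristic and the choice of dig flags are assumptions of this example, not lego's or Traefik's own behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Traefik ACME error line from this issue, with the reporter's
# <foo> placeholder kept. The "\n" sequences are literal backslash-n, as Traefik prints them.
SAMPLE_LOG = (
    'reverse-proxy-1  | 2024-06-26T03:48:13Z ERR github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:469 '
    '> Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains '
    '[<foo>.duckdns.org *.<foo>.duckdns.org]: error: one or more domains had a problem:\\n'
    '[*.<foo>.duckdns.org] propagation: time limit exceeded: last error: DNS call error: '
    'read udp 172.19.0.2:43032->99.79.16.64:53: i/o timeout '
    "[ns=ns5.duckdns.org.:53, question='_acme-challenge.<foo>.duckdns.org. IN  TXT']\\n"
    '[<foo>.duckdns.org] propagation: time limit exceeded: last error: DNS call error: '
    'read udp 172.19.0.2:41675->99.79.16.64:53: i/o timeout '
    "[ns=ns5.duckdns.org.:53, question='_acme-challenge.<foo>.duckdns.org. IN  TXT']\\n\" "
    'ACME CA=https://acme-v02.api.letsencrypt.org/directory '
    'domains=["<foo>.duckdns.org","*.<foo>.duckdns.org"] providerName=myresolver.acme'
)

# One "[domain] propagation: ..." entry inside the quoted error string.
ENTRY_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] propagation: time limit exceeded: last error: "
    r"DNS call error: (?P<detail>.*?) "
    r"\[ns=(?P<ns>[^,]+?):(?P<nsport>\d+), question='(?P<qname>\S+) IN\s+(?P<qtype>[A-Z]+)'\]"
)
# The Go net error embedded in "detail": which socket the client used and why it failed.
UDP_RE = re.compile(r"read udp (?P<src>\S+)->(?P<dst>[\d.]+):(?P<dport>\d+): (?P<reason>.+)")


@dataclass
class AcmeFailure:
    domain: str        # domain being validated (may be a wildcard)
    nameserver: str    # authoritative NS the client asked, e.g. ns5.duckdns.org.
    ns_ip: str         # IP the UDP query was sent to
    ns_port: int
    qname: str         # _acme-challenge.<domain>.
    qtype: str         # TXT for DNS-01
    src: str           # container-side socket (Docker network address)
    reason: str        # Go error text, e.g. "i/o timeout"


def parse_domains(line: str) -> list[str]:
    """Return the domain list from the trailing domains=[...] field."""
    m = re.search(r'domains=\[([^\]]*)\]', line)
    return [d.strip().strip('"') for d in m.group(1).split(",")] if m else []


def parse_acme_failures(line: str) -> list[AcmeFailure]:
    """Extract one AcmeFailure per failed domain from a Traefik ACME error line."""
    failures = []
    for e in ENTRY_RE.finditer(line):
        u = UDP_RE.search(e.group("detail"))
        failures.append(AcmeFailure(
            domain=e.group("domain"),
            nameserver=e.group("ns"),
            ns_ip=u.group("dst") if u else "",
            ns_port=int(u.group("dport")) if u else int(e.group("nsport")),
            qname=e.group("qname"),
            qtype=e.group("qtype"),
            src=u.group("src") if u else "",
            reason=u.group("reason") if u else e.group("detail"),
        ))
    return failures


def classify(f: AcmeFailure) -> str:
    """Heuristic (an assumption of this example, not lego's own error taxonomy):
    a timeout means the container never received a reply from the authoritative NS,
    which points at UDP/53 reachability rather than at a record that was never published."""
    r = f.reason.lower()
    if "timeout" in r or "connection refused" in r or "no route to host" in r:
        return "unreachable_nameserver"
    if "nxdomain" in r:
        return "record_not_found"
    return "other"


def dig_commands(failures: list[AcmeFailure]) -> list[str]:
    """Build dig queries that repeat the ACME client's check: ask the authoritative
    server directly, at the IP the client used, not the default resolver."""
    return [
        f"dig +short +tries=1 +time=5 @{f.ns_ip or f.nameserver} -p {f.ns_port} {f.qname} {f.qtype}"
        for f in failures
    ]


if __name__ == "__main__":
    fails = parse_acme_failures(SAMPLE_LOG)
    print("domains:", parse_domains(SAMPLE_LOG))
    for f, cmd in zip(fails, dig_commands(fails)):
        print(f"{f.domain}: {classify(f)} (from {f.src} to {f.ns_ip}:{f.ns_port}) -> {cmd}")
```

Replace <foo> with the real subdomain before running the printed dig commands. The distinction the script draws matters for this report: both entries are i/o timeouts from 172.19.0.2 (the reverse-proxy container's Docker network address) to 99.79.16.64:53, meaning no answer came back at all, so the thing to confirm is that the container itself can reach UDP port 53 on the internet; a dig run on the host can succeed while the container still times out, and that is a different problem from Duck DNS not publishing the TXT record. The later "Serving default certificate" and "remote error: tls: unknown certificate" lines are the consequence, not a second fault: with no ACME certificate, Traefik falls back to its self-signed default and the browser rejects it.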

meonkeys commented 1 week ago

Dang, sorry to hear it. This is exactly why I caution against Duck DNS in the book. Free, but they maybe use some aggressive realtime blocking or something? I recall some similar issues the last time I tried using Duck DNS. I don't know the issue here or, really, how to diagnose it.

You might just want to instead fork over the cash to buy a domain name from one of the registrars if that's an option for you. I think the last cheap one I got was something like $0.99 for a year (and I didn't renew it -- the renewal price was expensive).

meonkeys commented 1 week ago

Any luck? Assuming I'm correct about the Duck DNS throttling, if you have waited 24-48 hours they might have lifted a temporary ban.