DuckDNS Alias domain fails dns-01 challenge #1331

Closed
AieatAssam opened this issue May 20, 2020 · 58 comments · Fixed by #1785
Comments

@AieatAssam

When trying the new alias option in the DuckDNS add-on, the following gets generated (redacted is a placeholder name for a real domain I use; it is personally identifiable data I have redacted):

# INFO: Using main config file /data/workdir/config
Processing redacted.duckdns.org with alternative names: home.redacted.net
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: redacted.duckdns.org
 + Configured names: redacted.duckdns.org home.redacted.net
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 18 09:02:44 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for redacted.duckdns.org
 + Found valid authorization for redacted.duckdns.org
 + Handling authorization for home.redacted.net
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for home.redacted.net authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.home.redacted.net - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<SNIP>/<SNIP>",
  "token": "<SNIP>"
})

I have added the following CNAME record to my redacted.net domain:

home >> redacted.duckdns.org

The configuration I am using is as follows:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <SNIP>
domains:
  - redacted.duckdns.org
  - home.redacted.net
aliases:
  - domain: home.redacted.net
    alias: redacted.duckdns.org
seconds: 300
@johanson

Mine's failing as well without using aliases.

@nathang21

nathang21 commented May 30, 2020

Same here, alias not working at all, and the config (which shows as valid) seems to be causing the addon to be unstable as well.

The logs usually are empty, but occasionally it will show KO (backwards OK), or the failed challenge error on my custom domain.

Edit: Looks like my error is a little different, seeing 403 response.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[10:17:00] INFO: KO
# INFO: Using main config file /data/workdir/config
Processing <REDACTED-DOMAIN>.duckdns.org with alternative names: <REDACTED-DOMAIN>
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: <REDACTED-DOMAIN>.duckdns.org
 + Configured names: <REDACTED-DOMAIN> <REDACTED-DOMAIN>.duckdns.org
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 10 14:45:43 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for <REDACTED-DOMAIN>
 + Found valid authorization for <REDACTED-DOMAIN>.duckdns.org
 + Handling authorization for <REDACTED-DOMAIN>
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for <REDACTED-DOMAIN> authorization...
 + Cleaning challenge tokens...
OK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "No TXT record found at _acme-challenge.<REDACTED-DOMAIN>",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4913094965/hNe9aw",
  "token": "<REDACTED-TOKEN>"
})

@houbie

houbie commented Jun 2, 2020

Had the same issue and found out what's going wrong: the duckdns addon always uses a dns-01 challenge when requesting a certificate. This only works when your provider supports an API for automated creation of DNS records, hence the error.
My workaround is to use the duckdns addon only for IP address resolution and use the letsencrypt addon for the certificates (this addon supports both dns-01 and http-01).

This requires that you configure your router to forward port 80 to your home-assistant IP port 80 (this port will only be open during certificate renewal).

I also changed the certfile and keyfile in the duckdns config to prevent them overwriting the letsencrypt certificates.

The letsencrypt addon has one drawback: it does not automatically renew certificates, so you will need to start it every few months.

@wgrziwa

wgrziwa commented Jun 9, 2020

I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use (ha.mydomain.com) but also for *.ha.mydomain.com

I don't know much about the inner workings of the let's encrypt authentication but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to use... Does this make sense?

Maybe the instructions could be updated to reflect that?

@AieatAssam
Author

I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use (ha.mydomain.com) but also for *.ha.mydomain.com

I don't know much about the inner workings of the let's encrypt authentication but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to use... Does this make sense?

Maybe the instructions could be updated to reflect that?

This is exactly what is missing from the documentation. Having two CNAME records is what is required to get the alias DNS challenge to work:

  1. something ==> something.duckdns.org
  2. *.something ==> something.duckdns.org

Thank you. Great find.

@mfncl99

mfncl99 commented Jun 12, 2020

I suspect there may still be an issue here - the workaround of adding the second CNAME didn't work for me. Instead, adding the second record changed the error from:

"detail": "No TXT record found at _acme-challenge.ha<REDACTED>.com",

to:

"detail": "Incorrect TXT record \"YwtxSXpjvTRJZgyLyFOWf5qTAQpFgcf-ufqFIqAAumw\" found at _acme-challenge.ha.<REDACTED>.com",

The strange part is that the TXT record in the error changes each time I retry the challenge operation (I am uninstalling the duckdns hass.io addon with each retry to make sure old files are not used), suggesting the TXT record is being successfully set on the domain's DNS.

Could the script somehow be attempting to verify the wrong token from the wrong domain?

Below is my config, and the full log flow.

Applicable domain DNS records:

*.ha 3600 IN CNAME <REDACTED>.duckdns.org.
ha 1800 IN CNAME <REDACTED>.duckdns.org.

Addon config:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <REDACTED>
domains:
  - <REDACTED>.duckdns.org
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org
seconds: 300

Logs:

[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[09:15:52] INFO: KO
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing markfulton.duckdns.org with alternative names: ha.<REDACTED>.com
 + Creating new directory /data/letsencrypt/<REDACTED>.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for ha.<REDACTED>.com
 + Handling authorization for <REDACTED>.duckdns.org
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for ha.<REDACTED>.com authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"YwtxSXpjvTRJZgyLyFOWf5qTAQpFgcf-ufqFIqAAumw\" found at _acme-challenge.ha.<REDACTED>.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5188805052/oPNEcQ",
  "token": "<REDACTED>"
})

@houbie

houbie commented Jun 12, 2020

It did work once for me, but afterwards I also got the Incorrect TXT record error
So I had to switch back to the letsencrypt addon :(

@paalex

paalex commented Jul 7, 2020

What worked for me is having these two CNAME records:
ha.my-own-domain.com -> my-duck-domain.duckdns.org
_acme-challenge.ha.my-own-domain.com -> _acme-challenge.my-duck-domain.duckdns.org

paalex added a commit to paalex/hassio-addons that referenced this issue Jul 7, 2020
Add instruction to make aliases work.
Addressing the following issue home-assistant#1331
@paalex paalex mentioned this issue Jul 7, 2020
@thomashogema

thomashogema commented Jul 8, 2020

Update: Nathang21's approach below is working

Thanks for the update!

Adding exactly these entries still gives me a 400 error. Tried twice with different domains.

Config:

domains:
  - myname.duckdns.org
  - ha.mydomain.tk
aliases:
  - domain: ha.mydomain.tk
    alias: myname.duckdns.org

Log:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ha.<REDACTED>.tk - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5751496123/abcd",
  "token": "<REDACTED>"
})

@nathang21

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:

[Screenshot: DNS records]

domains:  
  - myname.duckdns.org 
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

@FordMustang0288

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:

[Screenshot: DNS records]

domains:  
  - myname.duckdns.org 
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I was unable to save off a CNAME of both *.home and home as I get a conflict error. I'm using Google Domains.

  1. Is it safe to say that your first CNAME is _acme-challenge.home.duckdns.org?
  2. How does the port number come into play with either your duckdns and/or domain setup? If I leave it out as you have done, I just get directed to my public IP and not necessarily to HA.

I also seem to have the challenge error still in my duck dns log.

@nathang21

nathang21 commented Jul 21, 2020

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).
See below for the config + DNS records that worked for me:
[Screenshot: DNS records]

domains:  
  - myname.duckdns.org 
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I was unable to save off a CNAME of both *.home and home as I get a conflict error. I'm using Google Domains.

  1. Is it safe to say that your first CNAME is _acme-challenge.home.duckdns.org?
  2. How does the port number come into play with either your duckdns and/or domain setup? If I leave it out as you have done, I just get directed to my public IP and not necessarily to HA.

I also seem to have the challenge error still in my duck dns log.

I just added the * (wildcard) to ensure I could validate all the domains needed by LetsEncrypt. I don't think it's actually needed, but someone above suggested it. Home is just my preferred subdomain, so you can use that (or swap for your own), as long as the _acme-challenge is a subdomain of the subdomain you choose.

  1. What do you mean by "first" CNAME? The order shouldn't matter, I can sort them alphabetically or via other means.
  2. Port numbers are not relevant for DNS records. The domain name just points to an IP address (or another domain which points to an IP address eventually). Your browser will use port 80 (or 443 for https) by default, unless you specify another port in your URI. However, you will likely need to port forward port 80 or 443 --> to 8123 (default homeassistant port) for TCP to the IP address of your homeassistant device on your home router. If you don't want that IP address to change randomly when the device reboots, you also want to set a static IP address (via a DHCP IP reservation). Most routers should have these settings, I have mine configured via my Google WiFi app. The regular docs should have instructions for this, as this isn't really specific to duckdns.

@brent0np

I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason).

See below for the config + DNS records that worked for me:

[Screenshot: DNS records]

domains:  
  - myname.duckdns.org 
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

I tried this solution and it hasn't worked for me. I updated my DNS to the following (using cloudflare):
CNAME _acme-challenge.ha.mydomain.com -> _acme-challenge.xxx.duckdns.org
CNAME *.ha.mydomain.com -> xxx.duckdns.org
CNAME ha.mydomain.com -> xxx.duckdns.org

I am still getting the 403 error (invalid token)

@kroshilin

kroshilin commented Jul 31, 2020

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge.
In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

@brent0np

brent0np commented Aug 3, 2020

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge.
In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I can't find any way to have both domains supported.

@ludeeus
Member

ludeeus commented Aug 3, 2020

For that to work you need to configure a CNAME with your DNS provider

@brent0np

brent0np commented Aug 3, 2020

For that to work you need to configure a CNAME with your DNS provider

I have CNAMEs configured for my purchased domain as specified above. Do you think I am missing something else? To clarify, I want both home.mydomain.com and myname.duckdns.org to work, both using letsencrypt SSL certs.

@ludeeus
Member

ludeeus commented Aug 3, 2020

What logs does the addon output?

@p-rintz

p-rintz commented Aug 5, 2020

It did work once for me, but afterwards I also got the Incorrect TXT record error
So I had to switch back to the letsencrypt addon :(

@houbie & @mfncl99
The issue is the second duckdns domain. Simply leaving it out will result in a successful challenge. I agree that the duckdns addon seemingly sets the wrong txt record for the domain it is currently trying to validate. (i.e. for domain A while trying to validate domain B)

This worked for me:

domains:
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org

@stale

stale bot commented Sep 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 5, 2020
@wgrziwa

wgrziwa commented Sep 8, 2020

I originally suggested that the additional wildcard DNS entry for my alias domain solved the issue for me.
Now after my certificate expired I have to report that it didn't fix the issue but I have a workaround.

I believe the reason for the failure is that both the duckdns AND the alias domain point to the same IP address, and since there are two challenges to be fulfilled by letsencrypt, the txt record of one of the challenges will be incorrect.

My workaround is a two step process which unfortunately won't allow the automatic renewal when using the alias:

  1. Remove the alias domain and just create the certificate for the duckdns domain. After a restart the challenge was successfully validated.
  2. Add the alias domain and restart again. This only validated the alias domain and worked without a problem.
    This just confirmed the SSL certificate but I also needed to restart the server to activate the new certificate as someone previously mentioned.

Not sure who maintains the plugin but a possible software fix could be:
If multiple challenges are required setup one TXT record for the first challenge and after successful validation do the same for the second challenge.

I hope this can help someone else in a similar situation.

@stale stale bot removed the stale label Sep 8, 2020
@urukalo

urukalo commented Sep 9, 2020

Actually, CNAME *.mydomain.com -> mydomain.duckdns.org is enough. No need to create _acme-challenge.
In addition to replies above, try to remove mydomain.duckdns.org from domains array:

domains:
  - home.mydomain.com 
aliases:  
  - domain: home.mydomain.com
    alias: myname.duckdns.org

Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I can't find any way to have both domains supported.

It did work once for me, but afterwards I also got the Incorrect TXT record error
So I had to switch back to the letsencrypt addon :(

@houbie & @mfncl99
The issue is the second duckdns domain. Simply leaving it out will result in a successful challenge. I agree that the duckdns addon seemingly sets the wrong txt record for the domain it is currently trying to validate. (i.e. for domain A while trying to validate domain B)

This worked for me:

domains:
  - ha.<REDACTED>.com
aliases:
  - domain: ha.<REDACTED>.com
    alias: <REDACTED>.duckdns.org

After removing 'duckdns' from domains it worked for me too! Thanks 👍

@tduffy83

Try _acme-challenge.xxx ---> _acme-challenge.xxx.duckdns.org

That and removing the duckdns domain from the domains field seems to have worked for me. I really wish the devs had not deprecated the lets encrypt addon in favor of the duckdns addon. I think they should have continued to develop the let's encrypt addon and added useful features like more DNS providers (GoDaddy please) and also auto updating of close-to-expiry certs, heck even a UI a la pfsense acme certificates would be sweet. Instead they dropped Let's Encrypt for DuckDNS and now we have this wonky work around for people that want to use their own domains. I'm fine with the DuckDNS addon, I just think all it should do is provide dynamic dns and leave the certs to let's encrypt. Oh well, guess I can't complain too much as I'm not a dev and don't have the time to learn how to do it myself. At least it's working for the most part; here's hoping in 90 days the cert gets updated.

@thomashogema

Although my experiences still seem quite inconsistent, I now have two installs where I got both my alias and DuckDNS domain working:

  1. Let DuckDNS request a certificate for the alias like suggested above (both the wildcard CNAME redirect and only include alias in the domain list).
  2. After the challenge has completed, add mydomain.duckdns.org to the domains and restart the addon. Now it resolves flawlessly

@vsaarinen

In case anyone's running into a similar issue, my problem was that I had set up the following CNAME record for my domain which (I believe?) was required before but now broke challenges:

CNAME     _acme-challenge.home      _acme-challenge.example.duckdns.org

Removing this record so that I only had the following fixed certificate renewals:

CNAME     *.home      example.duckdns.org
CNAME       home      example.duckdns.org

wernerhp pushed a commit to wernerhp/addons that referenced this issue Feb 26, 2021
…t#1785)

* 🐛 Fix problems with alias domains and dns-01 challenge

And add some documentation to clarify a bit.

Resolves home-assistant#1331

* Fix linter issue

* Add changelog

* Update config.json

* Update config.json

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
@Xebozone

Xebozone commented Nov 2, 2021

I was struggling with this for a while on my home assistant instance which has been left offline for months.

mansouryaacoubi's guide helped me.
I already had everything working before, but kept getting the "invalid TXT" error.
Replacing aliases with [], restarting, letting it generate the cert, and then adding my aliases back solved it. I think this is still a bug in DuckDNS. It should not have been necessary to remove and re-add aliases.

liads pushed a commit to liads/home-assistant-addons that referenced this issue Jan 12, 2022
…t#1785)

* 🐛 Fix problems with alias domains and dns-01 challenge

And add some documentation to clarify a bit.

Resolves home-assistant#1331

* Fix linter issue

* Add changelog

* Update config.json

* Update config.json

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
@MaikaiLife

This just happened to me also, had to remove the Aliases and restart duck dns.

@harisma-git

Same here, invalid TXT error. The workaround is working but I have to do it manually. Any chance of fixing this?

@deanjarnold

deanjarnold commented Jun 4, 2022

Just happened here on 2 HA servers running 1.15.0 of the DuckDNS Plugin.

Had to remove my alias, restart the plugin, and then re-add the alias.

@diamant-x

Still an issue in Current version: 1.15.0.
Any chance this issue ticket can be reopened to bring attention back?

 + Received 2 authorizations URLs from the CA
 + Handling authorization for mydomain.duckdns.org
 + Handling authorization for myalias.domain.com
 + 2 pending challenge(s)
 + Deploying challenge tokens...
OKOK + Responding to challenge for mydomain.duckdns.org authorization...
 + Cleaning challenge tokens...
OKOK + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"ABC123REDACTED321CBA\" found at _acme-challenge.mydomain.duckdns.org"
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"ABC123REDACTED321CBA\" found at _acme-challenge.mydomain.duckdns.org","status":403}

@hkusulja

hkusulja commented Aug 17, 2022

I am using 1.15.0 and still have the same issue.
Removing aliases, rerunning, and re-adding them again helped.
Please reopen to fully fix, thank you.

@Xebozone

Can confirm still an issue

@rpruden

rpruden commented Aug 28, 2022

Can confirm that this is still an issue as well. I just followed wgrziwa’s instructions and it worked like a charm.

It seems like a relatively simple fix. Just need to do what he said and authorize and validate one dns entry at a time.

I have add on set to auto update so hopefully in 3 months I won’t see the issue if an update gets pushed.

@Rusti-gotrage

This remains an issue with DuckDNS 1.15.0

It's to the point now where I'm unable to use my OWN domain and am just using the DuckDNS domain to access my site.

I'm at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG.

@sushant-here

This issue needs to be reopened for a proper fix. By closing it we are accepting this solution which indeed works however is not an acceptable long term solution.

@Nerada

Nerada commented Mar 5, 2023

Still have the same issue with version 1.15.0, tried all workarounds.

@rokam
Contributor

rokam commented Mar 6, 2023

I do have a workaround for this issue:

  1. Remove all alias configs
  2. Restart the addon
  3. Add the alias config back
  4. Restart the addon again

@Nerada

Nerada commented Mar 12, 2023

I do have a workaround for this issue:

  1. Remove all alias configs
  2. Restart the addon
  3. Add the alias config back
  4. Restart the addon again

I tried that many times, but the issue remains.

@mansouryaacoubi

It has been a long time since I've been working on Home Assistant but now since I set up our new home assistant at home I can still confirm that my fix/guide (see #1331 (comment)) is still working like a charm. Still I would call this a bug. But seems like the DuckDNS team doesn't have the time to fix it. At least it works.

@mx4k

mx4k commented Sep 2, 2023

I can confirm, this bug still exists in 1.15.0.

@joedj

joedj commented Sep 16, 2023

I found a hacky work-around for this issue:

  1. Create your DuckDNS account
  2. Create two domains in DuckDNS:
  • xxx.duckdns.org: This is the domain that will be used for the dns-01 challenge on your DuckDNS hostname. Its A record will point to your home IP.
  • xxx-alias.duckdns.org: This is the domain that will be used for the dns-01 challenge on your custom alias. Its A record does not matter - you can manually set it to something like 127.0.0.1
  3. In the DNS provider for your custom domain, create your desired CNAME record for accessing HomeAssistant, e.g.:
    home.yourdomain.com CNAME xxx.duckdns.org
  4. In the DNS provider for your custom domain, create another CNAME record for the ACME challenge TXT record, e.g.:
    _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org
  5. Install the DuckDNS add-on, and configure it like this:
domains:
  - xxx.duckdns.org
aliases:
  - domain: home.yourdomain.com
    alias: xxx.duckdns.org
  - domain: home.yourdomain.com
    alias: xxx-alias.duckdns.org
  6. Start DuckDNS
  7. Rejoice. You should now have a certificate that is valid for both home.yourdomain.com and xxx.duckdns.org, and which will successfully auto-renew.

If you're curious why this works, it's because we are able to trick the add-on into using two independent TXT records for the two ACME challenges, rather than fighting over a single record:
a) This code only processes aliases config that has a matching entry in the domains list. That is why we need the first entry in the aliases list, it serves no other purpose.
b) This code is what actually maps your custom alias to a DuckDNS domain name, when updating the TXT record for the ACME challenge. It picks whatever the last matching entry is, so it maps home.yourdomain.com -> xxx-alias.duckdns.org, and updates that TXT record. This matches our earlier DNS configuration for _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org.

Hopefully this workaround doesn't get broken until we have another viable solution.

A cleaner solution might be to clear out the TXT records in hook.sh#startup_hook, and then append to them in hook.sh#deploy_challenge rather than overwriting them. If the maintainers are interested, I could have a go at preparing a PR, but there doesn't seem to be much interest in fixing this...
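The overwrite that wgrziwa diagnosed earlier and joedj explains above, modelled as an added example (not the add-on's, dehydrated's or DuckDNS's code): a toy resolver holding the custom zone's CNAMEs and one TXT value per DuckDNS host, the add-on's deploy-everything-then-validate order, joedj's two-DuckDNS-domain layout, and wgrziwa's one-challenge-at-a-time variant. The hostnames, tokens and the simplified wildcard matching are assumptions.

```python
"""Toy model of the dns-01 alias failure in this thread (constructed example,
not the add-on's code): deploy_challenge writes each token into the single TXT
of one DuckDNS domain; the CA then follows CNAMEs from _acme-challenge.<name>
and compares the TXT it finds with the token it issued."""
from typing import Dict, List, Optional, Tuple

DUCK = ".duckdns.org"
Challenge = Tuple[str, str]  # (authorization domain, token)


class ToyDns:
    def __init__(self, cnames: Dict[str, str]) -> None:
        # Owner -> CNAME target in the custom zone; "*.x" is a wildcard
        # (simplified: any name beneath x matches).
        self.cnames = cnames
        # DuckDNS host -> its one TXT value. DuckDNS serves the same TXT for
        # host.duckdns.org and every label below it, as noted in the thread.
        self.txt: Dict[str, str] = {}

    def cname_target(self, name: str) -> Optional[str]:
        if name in self.cnames:
            return self.cnames[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            target = self.cnames.get("*." + ".".join(labels[i:]))
            if target is not None:
                return target
        return None

    def lookup_txt(self, name: str) -> Optional[str]:
        """Follow the CNAME chain like a resolver, then read the DuckDNS TXT."""
        for _ in range(8):  # hop limit, as a real resolver would apply
            target = self.cname_target(name)
            if target is None:
                break
            name = target
        if not name.endswith(DUCK):
            return None  # nothing answers: the NXDOMAIN / "No TXT record" cases
        return self.txt.get(name[: -len(DUCK)].split(".")[-1])


def duckdns_host_for(config: dict, domain: str) -> str:
    """Which DuckDNS TXT the add-on updates for a name; last matching alias wins."""
    if domain.endswith(DUCK):
        return domain[: -len(DUCK)]
    hosts = [a["alias"] for a in config["aliases"] if a["domain"] == domain]
    if not hosts:
        raise ValueError("no alias configured for " + domain)
    return hosts[-1][: -len(DUCK)]


def challenge_domains(config: dict) -> List[str]:
    """Names the certificate covers: the domains list plus every alias domain."""
    names = list(config["domains"])
    for a in config["aliases"]:
        if a["domain"] not in names:
            names.append(a["domain"])
    return names


def deploy_challenges(dns: ToyDns, config: dict, challenges: List[Challenge]) -> None:
    """All pending tokens are written before validation; each write overwrites."""
    for domain, token in challenges:
        dns.txt[duckdns_host_for(config, domain)] = token


def validate(dns: ToyDns, challenges: List[Challenge]) -> Dict[str, str]:
    """What the CA reports per authorization, in the thread's wording."""
    results = {}
    for domain, token in challenges:
        found = dns.lookup_txt("_acme-challenge." + domain)
        results[domain] = ("NXDOMAIN / no TXT record" if found is None
                           else "incorrect TXT record" if found != token else "valid")
    return results


def run_order(config: dict, cnames: Dict[str, str]) -> Dict[str, str]:
    """One order with every challenge pending at once, as the add-on does today.
    Which of two names sharing a TXT fails depends on the order the CA lists them."""
    dns = ToyDns(cnames)
    challenges = [(d, "token-for-" + d) for d in challenge_domains(config)]
    deploy_challenges(dns, config, challenges)
    return validate(dns, challenges)


def run_sequential(config: dict, cnames: Dict[str, str]) -> Dict[str, str]:
    """wgrziwa's proposed fix: deploy and validate one challenge at a time."""
    dns, results = ToyDns(cnames), {}
    for domain in challenge_domains(config):
        challenge = [(domain, "token-for-" + domain)]
        deploy_challenges(dns, config, challenge)
        results.update(validate(dns, challenge))
    return results


# Constructed zones and add-on configs for the three situations in the thread.
MISSING_CNAME = {"home.yourdomain.com": "xxx.duckdns.org"}  # original report
SHARED_TXT = {"home.yourdomain.com": "xxx.duckdns.org",      # wildcard added, but
              "*.home.yourdomain.com": "xxx.duckdns.org"}    # one TXT for both
SPLIT_TXT = {"home.yourdomain.com": "xxx.duckdns.org",       # joedj's layout
             "_acme-challenge.home.yourdomain.com": "xxx-alias.duckdns.org"}
CONFIG_SHARED = {"domains": ["xxx.duckdns.org", "home.yourdomain.com"],
                 "aliases": [{"domain": "home.yourdomain.com", "alias": "xxx.duckdns.org"}]}
CONFIG_SPLIT = {"domains": ["xxx.duckdns.org"],
                "aliases": [{"domain": "home.yourdomain.com", "alias": "xxx.duckdns.org"},
                            {"domain": "home.yourdomain.com", "alias": "xxx-alias.duckdns.org"}]}
```

Running `run_order(CONFIG_SHARED, SHARED_TXT)` reproduces the "Incorrect TXT record" result for one of the two names, while `run_sequential` on the same zone and `run_order(CONFIG_SPLIT, SPLIT_TXT)` both validate cleanly.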

@hkusulja

Hmm, would it be better just to update this plugin / code, or create another fork of it?
Anyhow, I am not sure I understand step 4, since there is already one CNAME and there can be only one CNAME per DNS record. Also, if I need to modify the existing _acme-challenge.home.yourdomain.com, should it be under _acme-challenge.domain.duckdns.org?

@joedj

joedj commented Sep 16, 2023

I'm not going to fork it since this solution seems to work for now, and I'm not going to spend time trying to update the code without some indication from the maintainers that they would be willing to accept a patch - it seems the plan at the moment is to remove support for aliases. This is probably fine, if #3152 gets merged (but beware too of #2423 which was closed without a fix/doc update).

In regards to your question about Step 4, there is only one CNAME per DNS name:

  1. home.yourdomain.com CNAME xxx.duckdns.org
  2. _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org

In regards to your other question, you can use either
_acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org or
_acme-challenge.home.yourdomain.com CNAME _acme-challenge.xxx-alias.duckdns.org or
_acme-challenge.home.yourdomain.com CNAME whatever.xxx-alias.duckdns.org

It doesn't matter, since DuckDNS domains are effectively DNS wildcards. xxx-alias.duckdns.org and *.xxx-alias.duckdns.org will all respond with the same TXT record.

@hkusulja

hkusulja commented Sep 16, 2023

OK, I have done it according to your instructions; hope this helps on the current version of the DuckDNS add-on.
Thank you!

How do we reopen this issue so maintainers see it as an active issue that is not resolved? (However, it is linked to an old fix, which is not it.) And just to confirm, your suggestion is for making SSL certificates work on duckdns when using a custom domain name, so it should be under #2505?

@nikee73

nikee73 commented Oct 11, 2023

Where do I do these steps when using duckdns?

3. In the DNS provider for your custom domain, create your desired CNAME record for accessing HomeAssistant, e.g.:
    home.yourdomain.com CNAME xxx.duckdns.org

4. In the DNS provider for your custom domain, create another CNAME record for the ACME challenge TXT record, e.g.:
    _acme-challenge.home.yourdomain.com CNAME xxx-alias.duckdns.org

@MartinBlackburn

Still broken for me as of today; removing aliases and adding them back didn't work for me.
However, @joedj's workaround did: #1331 (comment)

@lemick007

Finally... I've been renewing it manually for years, but this workaround seems to work: #1331 (comment)
... not an ideal fix but this is nice, thx!
