DuckDNS Alias domain fails dns-01 challenge #1331
Comments
Mine's failing as well without using aliases. |
Same here, alias not working at all, and the config (which shows as valid) seems to be causing the addon to be unstable as well. The logs usually are empty, but occasionally it will show KO (backwards OK), or the failed challenge error on my custom domain. Edit: Looks like my error is a little different, seeing 403 response.
|
Had the same issue and found out what's going wrong: the duckdns addon always uses a dns-01 challenge when requesting a certificate. This only works when your provider supports an API for automated creation of DNS records, hence the error. This requires that you configure your router to forward port 80 to your home-assistant IP port 80 (this port will only be open during certificate renewal). I also changed the certfile and keyfile in the duckdns config to prevent them overwriting the letsencrypt certificates. The letsencrypt addon has one drawback: it does not automatically renew certificates, so you will need to start it every few months. |
I had the same problem and solved it by creating a CNAME entry not just for the subdomain I want to use, ha.mydomain.com, but also for *.ha.mydomain.com. I don't know much about the inner workings of the Let's Encrypt authentication, but I assume a nameserver needs to be temporarily created that responds with the TXT entry for the challenge at a subdomain to the domain you want to use... Does this make sense? Maybe the instructions could be updated to reflect that? |
This is exactly what is missing from the documentation. Having two CNAME records is what is required to get the alias DNS challenge to work:
Thank you. Great find. |
I suspect there may still be an issue here - the workaround of adding the second CNAME didn't work for me. Instead, adding the second record changed the error from:
to:
The strange part is that the TXT record in the error changes each time I retry the challenge operation (I am uninstalling the duckdns hass.io addon with each retry to make sure old files are not used) - suggesting the TXT record is being successfully set on the domain's DNS. Could the script somehow be attempting to verify the wrong token from the wrong domain? Below is my config, and the full log flow. Applicable domain DNS records:
Addon config:
Logs:
|
It did work once for me, but afterwards I also got the |
What worked for me is having these two CNAME records: |
Add instruction to make aliases work. Addressing the following issue home-assistant#1331
Update: Nathang21's approach below is working Thanks for the update! Adding exactly these entries still gives me a 400 error. Tried twice with different domains. Config:
Log:
|
I've tried both of the solutions above, and the logs showed the Alias is successfully validated, but I had to reboot HA to get it to take (not just the addon for some reason). See below for the config + DNS records that worked for me:
domains:
  - myname.duckdns.org
  - home.mydomain.com
aliases:
  - domain: home.mydomain.com
    alias: myname.duckdns.org
|
I was unable to save off a CNAME of both *.home and home as I get a conflict error. I'm using Google Domains.
I also seem to have the challenge error still in my duck dns log. |
I tried this solution and it hasn't worked for me. I updated my DNS to the following (using cloudflare): I am still getting the 403 error (invalid token) |
Actually,
|
Thanks, but when I try removing mydomain.duckdns.org it no longer works over SSL. I can't find any way to have both domains supported. |
For that to work you need to configure a CNAME with your DNS provider |
I have CNAMEs configured for my purchased domain as specified above. Do you think I am missing something else? To clarify, I want both home.mydomain.com and myname.duckdns.org to work, both using letsencrypt SSL certs. |
What logs does the addon output? |
@houbie & @mfncl99 This worked for me:
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I originally suggested that the additional wildcard DNS entry for my alias domain solved the issue for me. I believe the reason for the failure is that both - the duckdns AND the alias domain - point to the same IP address and there are two challenges to be fulfilled by letsencrypt; the TXT record of one of the challenges will be incorrect. My workaround is a two step process which unfortunately won't allow the automatic renewal when using the alias:
Not sure who maintains the plugin but a possible software fix could be: I hope this can help someone else in a similar situation. |
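The hypothesis in the comment above (two challenges, one of which ends up with an incorrect TXT record) can be modelled as follows. This is an added example, not code from the thread or from the add-on; it assumes DuckDNS holds a single TXT value per domain and answers with it for every name under that domain, and the domain names, tokens and account thumbprint are constructed.

```python
import base64
import hashlib

def txt_value(token: str, thumbprint: str) -> str:
    """dns-01 TXT value (RFC 8555, 8.4): unpadded base64url of SHA-256(token.thumbprint)."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# Constructed zone data: the alias domain delegates its challenge name to DuckDNS.
CNAMES = {"_acme-challenge.home.mydomain.com": "_acme-challenge.myname.duckdns.org"}
DUCK = "myname.duckdns.org"

class SingleSlotTxt:
    """Assumption: one TXT value per DuckDNS domain, served for every name under it."""
    def __init__(self):
        self.slot = {}

    def set(self, duck_domain, value):
        self.slot[duck_domain] = value  # silently overwrites the previous token

    def lookup(self, name):
        name = CNAMES.get(name, name)  # follow the alias CNAME, if any
        for dom, val in self.slot.items():
            if name == dom or name.endswith("." + dom):
                return val
        return None

def run(domains, batch):
    """Return {domain: validated}. batch=True deploys every token before validating;
    batch=False deploys and validates one domain at a time."""
    dns = SingleSlotTxt()
    thumb = "constructed-account-thumbprint"
    expected = {d: txt_value(f"token-for-{d}", thumb) for d in domains}

    def validate(d):
        return dns.lookup(f"_acme-challenge.{d}") == expected[d]

    results = {}
    for d in domains:
        dns.set(DUCK, expected[d])
        if not batch:
            results[d] = validate(d)
    if batch:
        results = {d: validate(d) for d in domains}
    return results

DOMAINS = ["myname.duckdns.org", "home.mydomain.com"]
if __name__ == "__main__":
    print("batch     :", run(DOMAINS, batch=True))
    print("sequential:", run(DOMAINS, batch=False))
```

Under this model only the last token deployed survives in batch mode, which is consistent with the reports in this thread that a single domain in `domains`, or validating one entry at a time, succeeds.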
After removing 'duckdns' from domains it worked for me too! Thanks 👍 |
Try _acme-challenge.xxx ---> _acme-challenge.xxx.duckdns.org That and removing the duckdns domain from the domains field seems to have worked for me. I really wish the devs had not deprecated the lets encrypt addon in favor of the duckdns addon. I think they should have continued to develop the let's encrypt addon and added useful features like more DNS providers (Godaddy please) and also auto updating of close to expiry certs, heck even a UI ala pfsense acme certificates would be sweet. Instead they dropped Let's Encrypt for DuckDNS and now we have this wonky work around for people that want to use their own domains. I'm fine with the DuckDNS addon, I just think all it should do is provide dynamic dns and leave the certs to let's encrypt. Oh well guess I can't complain too much as I'm not a dev and don't have the time to learn how to do it myself. At least it's working for the most part, here's hoping in 90 days the cert gets updated. |
Although my experiences still seem quite inconsistent, I now have two installs where I got both my alias and DuckDNS domain working:
|
In case anyone's running into a similar issue, my problem was that I had set up the following CNAME record for my domain which (I believe?) was required before but now broke challenges:
Removing this record so that I only had the following fixed certificate renewals:
|
…t#1785) * 🐛 Fix problems with alias domains and dns-01 challenge And add some documentation to clarify a bit. Resolves home-assistant#1331 * Fix linter issue * Add changelog * Update config.json * Update config.json Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
I was struggling with this for a while on my home assistant instance which has been left offline for months. mansouryaacoubi's guide helped me. |
This just happened to me also, had to remove the Aliases and restart duck dns. |
Same here. Invalid TXT error. The workaround is working but I have to do it manually. Any chances to fix this? |
Just happened here on 2 HA servers running 1.15.0 of the DuckDNS Plugin. Had to remove my alias, restart the plugin, and then re-add the alias. |
Still an issue in Current version: 1.15.0.
|
I am using 1.15.0 and still the same issue. |
Can confirm still an issue |
Can confirm that this is still an issue as well. I just followed wgrziwa’s instructions and it worked like a charm. It seems like a relatively simple fix. Just need to do what he said and authorize and validate one dns entry at a time. I have add on set to auto update so hopefully in 3 months I won’t see the issue if an update gets pushed. |
This remains an issue with DuckDNS 1.15.0. It's to the point now where I'm unable to use my OWN domain and am just using the DuckDNS domain to access my site. I'm at a loss as to why this issue with the alias domain remains a problem after having been around and so thoroughly documented for SO LONG. |
This issue needs to be reopened for a proper fix. By closing it we are accepting this solution which indeed works however is not an acceptable long term solution. |
Still have the same issue with version 1.15.0, tried all workarounds. |
I do have a workaround for this issue:
|
I tried that many times, but the issue remains. |
It has been a long time since I've been working on Home Assistant but now since I set up our new home assistant at home I can still confirm that my fix/guide (see #1331 (comment)) is still working like a charm. Still I would call this a bug. But seems like the DuckDNS team doesn't have the time to fix it. At least it works. |
I can confirm, this bug still exists in 1.15.0. |
I found a hacky work-around for this issue:
domains:
  - xxx.duckdns.org
aliases:
  - domain: home.yourdomain.com
    alias: xxx.duckdns.org
  - domain: home.yourdomain.com
    alias: xxx-alias.duckdns.org
If you're curious why this works, it's because we are able to trick the add-on into using two independent Hopefully this workaround doesn't get broken until we have another viable solution. A cleaner solution might be to clear out the |
Hmm, would it be better just to update this plugin / code. or create another fork of it? |
I'm not going to fork it since this solution seems to work for now, and I'm not going to spend time trying to update the code without some indication from the maintainers that they would be willing to accept a patch - it seems the plan at the moment is to remove support for aliases. This is probably fine, if #3152 gets merged (but beware too of #2423 which was closed without a fix/doc update). In regards to your question about Step 4, there is only one CNAME per DNS name:
In regards to your other question, you can use either It doesn't matter, since DuckDNS domains are effectively DNS wildcards. |
OK, I have done according to your instructions, hope this helps on the current version of the DuckDNS add-on. How to reopen this issue so maintainers see it as an active issue that is not resolved? (However, it is linked to the old fix, which is not it.) And just to confirm, your suggestion is for making SSL certificates work on duckdns when using a custom domain name, so it should be under #2505? |
Where do I do these steps when using duckdns?? `3. In the DNS provider for your custom domain, create your desired CNAME record for accessing HomeAssistant, e.g.:
|
Still broken for me as of today - removing aliases and adding them didn't work for me |
Finally... I've been manually renewing it for years, but this workaround seems to work: #1331 (comment) |
When trying the new alias option in DuckDNS addon-on, the following gets generated (redacted is a placeholder name for a real domain I use, is personally identifiable data I have redacted):
I have added the following CNAME record to my redacted.net domain:
home >> redacted.duckdns.org
The configuration I am using is as follows: