CNAME of duckdns domain fails to validate regex #128

Closed
diamant-x opened this issue Feb 13, 2023 · 7 comments
Labels
invalid usage Invalid usage of the plugin or certbot

Comments

@diamant-x

VALID_DUCKDNS_DOMAIN_REGEX = re.compile(r"^([a-z\d\\-]+\.)*[a-z\d\\-]+(\.duckdns\.org)?$")

Hi,
I'm trying to use Nginx proxy to emit LetsEncrypt certificates for my custom domains. My domains are CNAMEs of a subdomain.duckdns.org entity.
However, the script seems to fail in the referenced code step after traversing the CNAME route and reaching the duckdns name.
In particular, I get the following in the logs (below). Not sure why, as such a domain should be the same for other sites without a CNAME alias.

Any ideas?

Thanks!

Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --email "email@gmail.com" --domains "subdomain.mydomain.ml" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-7"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError: The domain "_acme-challenge.mysubdomain.duckdns.org" is not valid a duckdns subdomain.
The domain "_acme-challenge.mysubdomain.duckdns.org" is not valid a duckdns subdomain.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
@infinityofspace infinityofspace added bug Something isn't working needs info labels Feb 17, 2023
@infinityofspace
Owner

Thanks for your error report.

Please add the full context to your problem. This includes especially the DNS configuration in the To Reproduce step of the involved domains and the versions of the tools.

For this purpose, please fill out the project issue template:

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Certbot command
Specify the exact command of certbot. Make sure to anonymize your DuckDNS token and DuckDNS subdomain.

Versions (please complete the following version information):

  • certbot: [you can use certbot --version to get the version]
  • certbot_dns_duckdns: [you can use pip show certbot_dns_duckdns to get the version]

Additional context
Add any other context about the problem here.

@stale

stale bot commented Mar 19, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 19, 2023
@stale stale bot closed this as completed Apr 3, 2023
@diamant-x
Author

I missed updating this.

What exactly of 'DNS Configuration' should I share?
From the snippet the only config I have is '--domains "subdomain.mydomain.ml" --authenticator dns-duckdns'

Thanks.

@infinityofspace
Owner

To debug the issue I need to know the exact DNS configuration and the whole issue context (like command, versions etc.). Therefore, please fill out the project issue template:

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Certbot command
Specify the exact command of certbot. Make sure to anonymize your DuckDNS token and DuckDNS subdomain.

Versions (please complete the following version information):

  • certbot: [you can use certbot --version to get the version]
  • certbot_dns_duckdns: [you can use pip show certbot_dns_duckdns to get the version]

Additional context
Add any other context about the problem here.

About the DNS configuration: please specify the exact DNS entries, because it is important to know what the exact entries look like.
For example, you can specify the DNS configuration like it is described in the Readme (please anonymize the exact domain and subdomain, but keep the exact number of subdomain levels):

_acme-challenge.test.example.com. 600 IN CNAME one.example.com.
one.example.com. 600 IN CNAME two.example.com.
two.example.com. 600 IN CNAME abc.duckdns.org.

I am reopening this issue after the requested information has been provided.

@diamant-x
Author

Because it is embedded in nginx proxy server it might be a bit tricky to obtain the needed information, but I'll try my best.

Describe the bug
I'm trying to use Nginx proxy to emit LetsEncrypt certificates for my custom domains, which are CNAMEd in Cloudflare to manually point to a duckdns subdomain.
It fails to do so.

To Reproduce

  • In DuckDNS, create a subdomain.duckdns.org.
  • In Freenom, create a domain.ml.
  • In Cloudflare, set it up as the DNS authoritative server for the domain.ml.
  • In Cloudflare, set up two CNAME entries: subdomain.domain.ml pointing to subdomain.duckdns.org and _acme-challenge.subdomain.domain.ml pointing to _acme-challenge.subdomain.duckdns.org.
  • Install Nginx Proxy Manager.
  • Set up a new Proxy Host, with the domainNames: "subdomain.domain.ml", Scheme:'http', IP:'local ip', port:'localport'.
  • Set up the SSL option to 'Request new SSL Certificate' using 'DNS Challenge'. DNSProvider:"DuckDNS".

Expected behavior
certbot creates the txt record in duckdns.org.
certbot triggers let's encrypt cert request challenge to the subdomain.domain.ml (which will point to the updated txt in duckdns).
certificate is generated automatically.

Certbot command
certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-9" --agree-tos --email "mail@gmail.com" --domains "subdomain.domain.ml" --authenticator dns-duckdns --dns-duckdns-credentials dns_duckdns_token=00000000-0000-0000-0000-0000000000000

Encountered exception during recovery: certbot.errors.PluginError: The domain "_acme-challenge.subdomain.duckdns.org" is not valid a duckdns subdomain.
The domain "_acme-challenge.subdomain.duckdns.org" is not valid a duckdns subdomain.

Versions (please complete the following version information):

  • certbot-dns-duckdns~=0.9
  • NGINX_PROXY_MANAGER_VERSION="v2.10.2"

Additional context
I know the DNS CNAME is working because I can see the duckdns IP when doing a tracer to the subdomain.domain.ml hostname.

Thanks.

@infinityofspace
Owner

Thanks for providing the requested information.

The error is caused by the fact that you have created the wrong DNS CNAME record for the challenge:

> In cloudflare, Setup two CNAME entries: subdomain.domain.ml pointing to subdomain.duckdns.org and _acme-challenge.subdomain.domain.ml pointing to _acme-challenge.subdomain.duckdns.org

A DNS CNAME entry must be created as specified in the Readme, which looks like the following:
_acme-challenge.test.example.com CNAME abc.duckdns.org

So delete the current CNAME entry _acme-challenge.subdomain.domain.ml CNAME _acme-challenge.subdomain.duckdns.org and create a new one _acme-challenge.subdomain.domain.ml CNAME subdomain.duckdns.org. This should fix the problem.

Note: you are using an almost 1 year old unstable version (0.9) of the plugin. The current stable version is 1.3.
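
The misconfiguration discussed above, as an added example that is not part of the original thread and is not the plugin's code: an offline pre-flight check that walks a CNAME chain from a hand-built record table and tests the final target against the regex quoted at the top of this issue. The function names, the record tables and the extra `.duckdns.org` suffix check are assumptions made for this example.

```python
import re

# Regex exactly as quoted at the top of this issue.
VALID_DUCKDNS_DOMAIN_REGEX = re.compile(r"^([a-z\d\\-]+\.)*[a-z\d\\-]+(\.duckdns\.org)?$")

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def follow_cnames(name, records, max_hops=10):
    """Walk CNAMEs in `records` (hand-built dict, no live DNS) and return the names visited."""
    table = {normalize(k): normalize(v) for k, v in records.items()}
    chain = [normalize(name)]
    while chain[-1] in table:
        nxt = table[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    return chain

def check_challenge_delegation(cert_domain, records):
    """Return (final_target, ok, reason) for the DNS-01 challenge name of cert_domain."""
    chain = follow_cnames("_acme-challenge." + cert_domain, records)
    target = chain[-1]
    if len(chain) == 1:
        return target, False, "no CNAME found for the challenge name"
    if not VALID_DUCKDNS_DOMAIN_REGEX.match(target):
        return target, False, "target does not match VALID_DUCKDNS_DOMAIN_REGEX"
    if not target.endswith(".duckdns.org"):  # assumption: extra check added for this example
        return target, False, "target is not under duckdns.org"
    return target, True, "ok"

# Constructed records mirroring the thread (placeholders, not real zones).
REPORTED = {
    "subdomain.domain.ml": "subdomain.duckdns.org",
    "_acme-challenge.subdomain.domain.ml": "_acme-challenge.subdomain.duckdns.org",
}
CORRECTED = dict(REPORTED, **{"_acme-challenge.subdomain.domain.ml": "subdomain.duckdns.org"})
README_CHAIN = {
    "_acme-challenge.test.example.com.": "one.example.com.",
    "one.example.com.": "two.example.com.",
    "two.example.com.": "abc.duckdns.org.",
}

if __name__ == "__main__":
    for label, domain, recs in [("reported", "subdomain.domain.ml", REPORTED),
                                ("corrected", "subdomain.domain.ml", CORRECTED),
                                ("readme", "test.example.com", README_CHAIN)]:
        print(label, check_challenge_delegation(domain, recs))
```

The reported record fails because the `_` in `_acme-challenge` is outside the regex's character class, so the CNAME target must be the bare DuckDNS name.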

@stale stale bot removed the stale label Apr 8, 2023
@infinityofspace infinityofspace added invalid usage Invalid usage of the plugin or certbot and removed bug Something isn't working needs info labels Apr 8, 2023
@diamant-x
Author

I feel stupid; it was as easy as that.
Thanks for your support, it is working fine now!

I'll try to open a Ticket at nginx proxy manager site for them to upgrade the certbot duckdns version too.


2 participants