[Feature Request] add aditional certbot third-party plugins dns-duckdns

[YD95]

---

Desired Behavior

It would be cool if swag certbot could perform a DNS-01challenge for a DuckDNS domain instead of using the limited duckdns TXT method. A third-party plugin for certbot already exists as listed here: https://eff-certbot.readthedocs.io/en/stable/using.html?highlight=duckdns#third-party-plugins
repository: https://github.com/infinityofspace/certbot_dns_duckdns

For certifying my domains I manually cli installed the plugin in the running docker instance (running on UnRaid) and used the plugin to perform an DNS-01 challenge.
example:
pip install certbot_dns_duckdns && \ certbot certonly -v \ --agree-tos \ --email ${EMAIL} \ --preferred-challenges dns \ --authenticator dns-duckdns \ --dns-duckdns-token ${DUCKDNSTOKEN} \ --dns-duckdns-propagation-seconds 300 \ -d "sub1.duckdns.org" \ -d "sub2.duckdns.org"

This could be implemented into the -e DNSPLUGIN.

Current Behavior

For certifying subdomains of of DuckDNS you either have to use the http or duckdns validation method. Both have different requirements that mostly work, but in my case didn't work.

[aptalca]

Our duckdns validation option already does a dns challenge.
That plugin does nothing that our current implementation doesn't. The plugin has the same restriction our implementation has: https://github.com/infinityofspace/certbot_dns_duckdns#usage
Note: You cannot create certificates for multiple DuckDNS domains with one certbot call.

[nemchik]

FYI #277 will introduce the use of the plugin you are referencing, but the plugin does the same thing our existing implementation does, so there will not be any new or different functionality.

Can you can provide more information about what you were trying to accomplish with the commands you were running (aside from wanting to use dns-01, which our current implementation already does).

[YD95]

My Docker container has a problem with certifying the subdomains form duckdns.org. http certification fails every time with several different errors, even though I verified that all ports, dns redirects and firewall works as intended. The duckdns implementation of yours already fails before it runs certbot. In addition the propagation time isn't considered. (or I don't think is, can't be sure, since it didn't get far enough in the code)

I was just looking for a certbot plugin, that could certify my subdomains that respects the propagation time and was easy to install and use.

For more info about what went wrong:
launch_docker container.txt
swag_container_log.txt
content_duckdns-txt.txt
content_.donoteditthisfile.conf.txt
response_curl_duckdns-txt.txt

The duckdns token here is censored. In the execution the correct token is provided.

The Docker container is running on a UnRaid server on the repository lscr.io/linuxserver/swag acquired form the Community Applications Changelog

[nemchik]

The value of the URL variable should be a fully qualified domain name that you own/control. You do not own/control duckdns.org. You do own/control your-subdomain.duckdns.org.

Because of how duckdns works, you can't obtain a certificate for multiple duckdns subdomains on a single certificate via DNS challenge. You can either do your-subdomain.duckdns.org or *.your-subdomain.duckdns.org (wildcard) but not both. Also (reiterating) you can't do your-subdomain.duckdns.org and your-subdomain2.duckdns.org on a single certificate via DNS challenge.

Your best option is to set

• VALIDATION=http
• URL=your-subdomain.duckdns.org
• EXTRA_DOMAINS=your-subdomain2.duckdns.org,your-subdomain3.duckdns.org (however many you have)

If you need wildcard certs, your best bet is to pick one duckdns subdomain and make everything a sub-subdomain of that. Ex:

• your-wildcard-subdomain.duckdns.org
• service1.your-wildcard-subdomain.duckdns.org
• service2.your-wildcard-subdomain.duckdns.org

And this requires entirely different variables for swag.

• VALIDATION=duckdns
• DUCKDNSTOKEN=your-token
• URL=your-wildcard-subdomain.duckdns.org
• SUBDOMAINS=wildcard

And with this method, you won't be using your-wildcard-subdomain.duckdns.org, just subdomains of it (see above).

Alternatively, buy a domain from cloudflare or namecheap or wherever you feel comfortable buying from (a .com costs about $10/yr) and you'll have more flexibility.

P.S. all of the above applies with our current implementation of duckdns validation (which used dns-01 challenges) or with the plugin you linked. I'm still looking into the plugin for other reasons, but having it won't change the limitations of duckdns.

[YD95]

I just ran your suggestion:

Your best option is to set
- VALIDATION=http
- URL=your-subdomain.duckdns.org
- EXTRA_DOMAINS=your-subdomain2.duckdns.org,your-subdomain3.duckdns.org (however many you have)

and it worked. I also found out why it didn't work before.
1st mistake of my part:

The value of the URL variable should be a fully qualified domain name that you own/control. You do not own/control duckdns.org. You do own/control your-subdomain.duckdns.org.

I had, as you stated, the wrong URL (duckdns.org instead of my-subdomain.duckdns.org)

2nd mistake of my part:
www.my-subdomain.duckdns.org, the www is required to verify the address over http. (It points to the nginx webservice of the container)
I only had all my subdomains listed in Variable SUBDOMAINS.

I'm aware about the limitations of dns-01 challenge with duckdns.

[nemchik]

www should not be required. Anyway, glad you got it working.