
security/acme-client: DNS Validation with DuckDNS #2060

Closed
chiwou opened this issue Oct 12, 2020 · 5 comments
Labels: upstream Third party issue


chiwou commented Oct 12, 2020

DuckDNS doesn't allow subdomains. I looked through the acmesh-official hub and could find the info in the matching script.

https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_duckdns.sh

fulldomain may be 'domain.duckdns.org' (if using --domain-alias) or '_acme-challenge.domain.duckdns.org'
either way, return 'domain'. (**duckdns does not allow further subdomains** and restricts domains to [a-z0-9-].)

The OPNSENSE plugin tries to update the subdomain _acme-challenge.domain.duckdns.org

If I try to update the TXT record manually I get a "KO", but if I remove the subdomain "_acme-challenge" from the request I get an "OK".

os-acme-client (installed) | 1.36 | 392KiB | Let's Encrypt client

LOG - from bottom to top (removed token and txt record)
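The mismatch described above comes down to what is sent as the `domains=` value. As an added example (not code from the plugin or from acme.sh), a POSIX sh function that reduces either form of fulldomain to the bare DuckDNS label, rejecting names DuckDNS cannot host, plus a helper that builds the update URL. The endpoint and its `domains`/`token`/`txt` parameters are the DuckDNS update API that dns_duckdns.sh calls; the token and TXT value in the usage lines are constructed placeholders and nothing is fetched.

```shell
#!/bin/sh
# duckdns_root: reduce an acme.sh "fulldomain" to the bare DuckDNS label.
# Accepts both forms the script comment mentions:
#   _acme-challenge.domain.duckdns.org  -> domain
#   domain.duckdns.org                  -> domain   (domain alias mode)
# Rejects a further subdomain level (foo.domain.duckdns.org) and any
# character outside [a-z0-9-], because DuckDNS does not allow either.
duckdns_root() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$name" in
    *.duckdns.org) ;;
    *) echo "not a duckdns.org name: $1" >&2; return 1 ;;
  esac
  label=${name%.duckdns.org}        # strip the fixed suffix
  label=${label#_acme-challenge.}   # strip the ACME challenge prefix if present
  case "$label" in
    *.*) echo "DuckDNS does not allow further subdomains: $1" >&2; return 1 ;;
    "")  echo "empty domain label: $1" >&2; return 1 ;;
  esac
  if printf '%s' "$label" | grep -q '[^a-z0-9-]'; then
    echo "invalid characters for a DuckDNS domain: $1" >&2; return 1
  fi
  printf '%s\n' "$label"
}

# duckdns_txt_url FULLDOMAIN TOKEN TXTVALUE
# Builds the update URL with the bare label, which is what returns "OK".
# ACME challenge values are base64url ([A-Za-z0-9_-]), so no URL-encoding
# is needed for the txt parameter.
duckdns_txt_url() {
  label=$(duckdns_root "$1") || return 1
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s\n' \
    "$label" "$2" "$3"
}

# Constructed placeholders: not a real token or challenge value.
duckdns_txt_url _acme-challenge.example.duckdns.org PLACEHOLDER_TOKEN abc123
duckdns_txt_url foo.example.duckdns.org PLACEHOLDER_TOKEN abc123 || true
```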

@fraenki fraenki self-assigned this Oct 14, 2020
@fraenki fraenki changed the title os-acme-client - DNS Validation with DuckDNS security/acme-client: DNS Validation with DuckDNS Oct 14, 2020

fraenki commented Oct 14, 2020

> DuckDNS doesn't allow subdomains, looked through the acmesh-official hub, and could find the info in the matching script.

This seems to be correct. But the dns_duckdns.sh dnsapi file already implements a workaround for this:

https://github.com/acmesh-official/acme.sh/blob/f2d350002e7c387fad9777a42cf9befe34996c35/dnsapi/dns_duckdns.sh#L94-L107

However, it does not seem to work for all users, there is an upstream report for this issue: acmesh-official/acme.sh#2933.

@fraenki fraenki added the upstream Third party issue label Oct 14, 2020

chiwou commented Oct 15, 2020

Ahh ok, thanks, now I know what the DNS Alias Mode is for.
Now the certificate gets issued without an error.

@chiwou chiwou closed this as completed Oct 15, 2020
@RafhaanShah
Hey @chiwou, could you give me a pointer as to which settings you used for the DNS Alias Mode? I'm having the same issue you did. Thanks!


chiwou commented Oct 23, 2020

@RafhaanShah yeah sure, I assume you have your API token.

Common Name: yourdomain.duckdns.org I think you can even use a wildcard
DNS Alias Mode: Domain Alias Mode
Domain Alias: yourdomain.duckdns.org

@x56g

x56g commented Dec 5, 2020

I still run into this issue after setting the domain alias. The logs still show "_acme-challenge." as the domain prefix. Maybe it's related to #2128?
