Acme-challenge cname to DuckDNS to auth txt record

I am running the dehydrated shell script and using DuckDNS to manage the update of the TXT record for my domain thompson.org.za. I have a CNAME record for _acme-challenge.thompson.org.za pointing to DuckDNS and this works fine.

I am trying to replicate the same setup with another domain, layer7.co.za, but using Nginx Proxy Manager, which I see has DuckDNS built in.
If I request a certificate using the DuckDNS hostname this works fine; however, when I try to request a certificate for *.layer7.co.za using dns01 authentication I get thrown an error:

Error: Command failed: certbot certonly --non-interactive --cert-name "npm-6" --agree-tos --email "admin@layer7.co.za" --domains "*.layer7.co.za" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-6"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   at ChildProcess.exithandler (node:child_process:326:12)
   at ChildProcess.emit (node:events:369:20)
   at maybeClose (node:internal/child_process:1067:16)
   at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

Looking into the logs, I see that it seems to be failing on a regex lookup for the root domain from certbot.

2021-08-06 11:37:03,378:DEBUG:acme.client:Storing nonce:
2021-08-06 11:37:03,379:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-08-06 11:37:03,379:INFO:certbot._internal.auth_handler:dns-01 challenge for meetings.layer7.co.za
2021-08-06 11:37:03,380:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/cert/client.py", line 70, in _perform
    self._get_duckdns_client().set_txt_record(domain, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/client.py", line 47, in set_txt_record
    root_domain = self.__get_validated_root_domain__(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/client.py", line 66, in __get_validated_root_domain__
    assert VALID_DUCKDNS_DOMAIN_REGEX.match(root_domain)
AssertionError

Is this the intended behavior or am I missing something?

1 Like

Hi @Marct27, and welcome to the LE community forum 🙂

It's hard to argue with an outcome that has been programmed to do so.
So it is likely intentional.
I do think that you might be able to overcome that error by either:

  • Ensure that you are using the correct credentials file for this domain:
    [/etc/letsencrypt/credentials/credentials-6]

  • Ensure the domain should be matched by the __get_validated_root_domain__ check within the file: /opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/client.py
    [not sure what exactly is being checked there since I don't have a copy of that file]
    [but the domain might be on a restricted name list - maybe @lestaff can verify this possibility]

If neither fixes the problem, then you may have found a real bug.

Looking at the code, it specifically expects a duckdns subdomain:

You could perhaps use the DNS alias mode of acme.sh as an alternative, I don't know if certbot supports DNS challenge delegation to a different domain.

You could also:

  • use your own DNS update script to set the TXT on duckdns.
  • or, move your DNS to a different host (e.g. Cloudflare is free)
  • or, use acme-dns (CNAME delegation)
1 Like
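For the "own DNS update script" route suggested above, here is an added example of a dehydrated hook for the CNAME-delegated setup the question describes (_acme-challenge.<domain> pointing at a DuckDNS name); it is not code from this thread, from dehydrated or from DuckDNS. It assumes the DuckDNS subdomain label and account token are exported as DUCKDNS_DOMAIN and DUCKDNS_TOKEN (assumed names), and it uses the DuckDNS update endpoint's txt and clear parameters.

```shell
#!/usr/bin/env bash
# Added example dehydrated hook; not code from this thread, dehydrated or DuckDNS.
# Assumes: _acme-challenge.<domain> is a CNAME to ${DUCKDNS_DOMAIN}.duckdns.org,
# and DUCKDNS_DOMAIN / DUCKDNS_TOKEN are exported in the environment (assumed names).
set -euo pipefail

# Build the DuckDNS update URL: subdomain label, account token, and either a
# txt value to publish or clear=true to remove it.
duckdns_update_url() {
    local sub="$1" token="$2" txt="${3:-}"
    local url="https://www.duckdns.org/update?domains=${sub}&token=${token}"
    if [ -n "$txt" ]; then
        printf '%s&txt=%s' "$url" "$txt"
    else
        printf '%s&txt=&clear=true' "$url"
    fi
}
# Call the API with the URL passed through curl's config on stdin, so the
# token never appears in `ps` output. DuckDNS answers OK or KO.
duckdns_call() {
    printf 'url = "%s"\n' "$1" | curl -fsS -K - | grep -qx OK
}
# Poll public DNS until the TXT value is visible, so validation is not
# requested before the record has propagated. Returns 1 on timeout.
wait_for_txt() {
    local name="$1" expected="$2" tries="${3:-20}"
    command -v dig >/dev/null || { sleep 30; return 0; }
    for _ in $(seq "$tries"); do
        dig +short TXT "$name" | tr -d '"' | grep -qx "$expected" && return 0
        sleep 10
    done
    return 1
}

deploy_challenge() {   # args: domain, token filename (HTTP-01 only), token value
    duckdns_call "$(duckdns_update_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "$3")"
    wait_for_txt "${DUCKDNS_DOMAIN}.duckdns.org" "$3"
}

clean_challenge() {    # remove the TXT record once validation is done
    duckdns_call "$(duckdns_update_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN")"
}

# dehydrated invokes: hook.sh <handler> <args...>; other handlers are ignored.
HANDLER="${1:-}"; shift || true
case "$HANDLER" in
    deploy_challenge|clean_challenge) "$HANDLER" "$@" ;;
esac
```

Point dehydrated at it with HOOK in its config and CHALLENGETYPE="dns-01"; the CNAME at _acme-challenge.<domain> is what lets the CA find the TXT record on the DuckDNS name.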

The issue here is indeed that certbot does not support CNAMEs for the DNS challenges. This is a known issue and a fix/feature was in the works, but it is quite old and hasn't seen updates for a few years, unfortunately.

I'm afraid I'm not sure on how to fix this with certbot unless the above fix/feature has been integrated.

2 Likes

Thanks for all the info, I had a feeling it was something like that.
Will investigate alternatives.

/M
