Acme-challenge cname to DuckDNS to auth txt record

I am running dehydrated shell script and using duckdns to manage the update to the txt record for my domain, I have a cname record for pointing to duckdns and this works fine.

I am trying to replicate the same setup with another domain but using nginx proxy manager which I see has duckdns built in.
If I request a certificate using the duckdns hostname this works fine how ever when I try to request a certificate for * using dns01 authentication I get thrown an error:

Error: Command failed: certbot certonly --non-interactive --cert-name "npm-6" --agree-tos --email "" --domains "*" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-6"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   at ChildProcess.exithandler (node:child_process:326:12)
   at ChildProcess.emit (node:events:369:20)
   at maybeClose (node:internal/child_process:1067:16)
   at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

Looking in to the logs I see that it seems to be failing on a regex lookup for root domain from certbot.

2021-08-06 11:37:03,378:DEBUG:acme.client:Storing nonce:
2021-08-06 11:37:03,379:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-08-06 11:37:03,379:INFO:certbot._internal.auth_handler:dns-01 challenge for
2021-08-06 11:37:03,380:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/cert/", line 70, in _perform
    self._get_duckdns_client().set_txt_record(domain, validation)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/", line 47, in set_txt_record
    root_domain = self.__get_validated_root_domain__(domain)
  File "/opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/", line 66, in __get_validated_root_domain__
    assert VALID_DUCKDNS_DOMAIN_REGEX.match(root_domain)

Is this the intended behavior or am I missing something ?

1 Like

Hi @Marct27, and welcome to the LE community forum :slight_smile:

It's hard to argue with an outcome that has been programmed to do so.
So it is likely intentional.
I do think that you might be able to overcome that error by, either:

  • Ensure that you are using the correct credentials file for this domain:

  • Ensure the domain should be matched by the __get_validated_root_domain__ check within the file: /opt/certbot/lib/python3.7/site-packages/certbot_dns_duckdns/duckdns/
    [not sure what exactly is being checked there since I don't have a copy of that file]
    [but the domain might be on a restricted name list - maybe @lestaff can verify this possibility]

If neither fixes the problem, then you may have found a real bug.

Looking at the code it specifically expects a duckdns subdomain:

You could perhaps use the DNS alias mode of as an alternative, I don't know if certbot supports DNS challenge delegation to a different domain.

You could also:

  • use your own DNS update script to set the TXT on duckdns.
  • or, move your DNS to a different host (e.g. Cloudflare is free)
  • or, use acme-dns (CNAME delegation)
1 Like

The issue here is indeed certbot does not support CNAMES for the DNS challenges. This is a known issue and a fix/feature was in the working but is quite old and hasn't seen updates since a few years unfortunately.

I'm afraid I'm not sure on how to fix this with certbot unless the above fix/feature has been integrated.


Thanks for all the info, I had a feeling it was something like that.
Will investigate alternatives.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.