Don't know what content my text record should have


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
home.jamesking.co.uk
I ran this command:
I am using the home assistant duckdns.org add on here:
https://www.home-assistant.io/addons/duckdns/
It produced this output:
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Incorrect TXT record "TbgfE52qv9DInN91lqvLmN3NllbGVBKgb9duqaEK4Zo" found at _acme-challenge.home.jamesking.co.uk",
"status": 403
}
My web server is (include version):
home assistant
The operating system my web server runs on is (include version):
hass.os 1.13
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
I don’t know
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Duckdns add on 1.5

I know the above text record is wrong; and I know I need to fix it. I know how to change it; but I just don’t know what it should be; or how to find out what it should be?
Thank you,
James


#2

I think the problem is that you’re using a CNAME record to point home.jamesking.co.uk at jamesking.duckdns.org. That works, but your ACME client will want to create a certificate for home.jamesking.co.uk and it will do that by trying to set a TXT record on a subdomain of that domain… via the Duck DNS API. Which won’t work because it’s not a Duck DNS subdomain, it’s just a CNAME that happens to be pointed at one.

There are some ACME clients that can handle this situation correctly, for example acme.sh, but if you prefer to handle things with the tools provided by Home Assistant I suggest you file a feature request for them to add a similar feature to their Duck DNS addon. Edit: I proposed a change, fingers crossed.

Another workaround might be to open port 80 and use the regular letsencrypt addon.
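
On the original question of what the TXT record should contain: under RFC 8555 the dns-01 value is derived from the challenge token issued for each order and from the ACME account key, so the client has to compute and publish it on every run and it cannot be set once by hand. The sketch below is an added example, not part of this thread or of the add-on's code; the token and account key are constructed placeholders, and only the stale value is taken from the error message in post #1.

```python
import base64
import hashlib
import json

# JWK members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    members = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_record_name(domain: str) -> str:
    """Name the CA queries; a wildcard is validated at its base domain."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain

def txt_matches(found_values, expected: str) -> bool:
    """True if any published TXT string equals the expected digest."""
    return any(value.strip('"') == expected for value in found_values)

# Constructed placeholders: a real token comes from the CA's challenge object,
# a real JWK from the ACME client's account key.
SAMPLE_TOKEN = "constructed-token-for-illustration"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
# Value quoted in the error message in post #1 (left over from another run).
STALE_VALUE = "TbgfE52qv9DInN91lqvLmN3NllbGVBKgb9duqaEK4Zo"

if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("record :", challenge_record_name("home.jamesking.co.uk"))
    print("expect :", expected)
    print("stale value accepted?", txt_matches([STALE_VALUE], expected))
```

A value left in DNS from an earlier order fails the comparison in the same way as the "Incorrect TXT record" error above, because each new order carries a fresh token.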


#3

Thank you. If I want to work around for now, should I set the let’s encrypt “accept terms” to false (this is in the duckdns add in) so that I don’t try and get a certificate from both addins?


#4

I’m not quite sure as I don’t use HA myself but it looks like that should work.


#5

This method workaround has worked! Thank you 🙂

I also see you proposed a change which seems to pass a validation but there is a note there that you haven’t signed a CLA. I don’t know what that means particularly; but just thought I’d mention it here in case it stops your change being merged!

Ignore the above paragraph - looks like you have done the necessary CLA signing thing 🙂

Cheers, and thank you for your direct and indirect help with this issue!

James