DNS-DuckDNS does not renew


  • Not sure when it occurred, but the DNS-DuckDNS ACME feature is trying to push _acme-challenge.<domain> to DuckDNS to update the TXT record with them. This results in a KO (thus not updating the TXT record for acme validation).

    For ACME to DuckDNS it does not matter where the TXT record is pushed, as DuckDNS publishes this as a wildcard record.
    https://www.duckdns.org/spec.jsp

    Could not figure out if something happened in the ACME package, but automatic renewal stopped working somewhere in the last ~45-60 days.

    So has something changed in the configuration? As the logfiles clearly show, the HTTP API is called with the _acme-challenge.
    Oh, something changed: https://github.com/pfsense/FreeBSD-ports/commit/52dc75765cf5610985a2a6ba175f7e67714800c8#diff-2cb7db41d3c31b1e9a1b39707fd41c0254a5ed02b070682cff2624a8224ad558



  • Same issue here.

    Still no fix. :(


  • Can you share more details about the errors you are getting?
    My cert will expire soon


  • @mcury said in DNS-DuckDNS does not renew:

    Can you share more details about the errors you are getting?
    My cert will expire soon

    When DuckDNS cert goes to renew, it fails:

    [Mon Jan 11 08:29:02 EST 2021] d='yourDomain.duckdns.org'
    [Mon Jan 11 08:29:02 EST 2021] _d_alias
    [Mon Jan 11 08:29:02 EST 2021] txtdomain='_acme-challenge.yourDomain.duckdns.org'
    [Mon Jan 11 08:29:02 EST 2021] base64 single line.
    [Mon Jan 11 08:29:02 EST 2021] txt='responseCode'
    [Mon Jan 11 08:29:02 EST 2021] d_api='/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
    [Mon Jan 11 08:29:02 EST 2021] dns_entry='yourDomain.duckdns.org,_acme-challenge.yourDomain.duckdns.org,,dns_duckdns,responseCode,/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
    [Mon Jan 11 08:29:02 EST 2021] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
    [Mon Jan 11 08:29:02 EST 2021] dns_duckdns_add exists=0
    [Mon Jan 11 08:29:02 EST 2021] Adding txt value: responseCode for domain:  _acme-challenge.yourDomain.duckdns.org
    [Mon Jan 11 08:29:02 EST 2021] APP
    [Mon Jan 11 08:29:02 EST 2021] 5:SAVED_DuckDNS_Token='yourToken'
    [Mon Jan 11 08:29:02 EST 2021] Trying to add TXT record
    [Mon Jan 11 08:29:02 EST 2021] param='domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
    [Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
    [Mon Jan 11 08:29:02 EST 2021] GET
    [Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode
    [Mon Jan 11 08:29:02 EST 2021] timeout=
    [Mon Jan 11 08:29:02 EST 2021] Http already initialized.
    [Mon Jan 11 08:29:02 EST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/pfsense//http.header  -g '
    [Mon Jan 11 08:29:03 EST 2021] ret='0'
    [Mon Jan 11 08:29:03 EST 2021] response='KO'
    [Mon Jan 11 08:29:03 EST 2021] Errors happened during adding the TXT record, response=KO
    [Mon Jan 11 08:29:03 EST 2021] Error add txt for domain:_acme-challenge.yourDomain.duckdns.org
    [Mon Jan 11 08:29:03 EST 2021] _on_issue_err
    

    Notice the response='KO'

    Per https://www.duckdns.org/spec.jsp that means "bad response".

    Something has changed and the new version of Acme will fail.

    I switched over to using Dynu for now, no issue with it, so I know it's not Acme itself failing.

    A quick Google search shows that there has been an API change at DuckDNS. It has to do with "sub domains".

    Leads you to https://github.com/acmesh-official/acme.sh/issues/2933

    Already tried the "--domain-alias mydomain.duckdns.org" as mentioned but same error.

    FYI to manually renew the cert:

    /usr/local/pkg/acme/acme.sh --issue -d 'yourDomain.duckdns.org' --dns 'dns_duckdns' --domain-alias 'yourDomain.duckdns.org' --home '/tmp/acme/pfsense/' --accountconf '/tmp/acme/pfsense/accountconf.conf' --force --reloadCmd '/tmp/acme/pfsense/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense/acme_issuecert.log'
    

  • I've managed to renew just using the regular method (ACME > DuckDNS) on the 29th of December 2020.
    Based on the other replies, I tried it again today and it fails with the above-mentioned feedback.

    Running ACME 0.6.9_3

    DuckDNS
    Renewing certificate 
    account: Lets Encrypt Production ACMEv2 
    server: letsencrypt-production-2 
    
    /usr/local/pkg/acme/acme.sh  --issue  --domain 'userdomain.duckdns.org' --dns 'dns_duckdns'  --home '/tmp/acme/DuckDNS/' --accountconf '/tmp/acme/DuckDNS/accountconf.conf' --force --reloadCmd '/tmp/acme/DuckDNS/reloadcmd.sh' --ocsp-must-staple  --log-level 3 --log '/tmp/acme/DuckDNS/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [DuckDNS_Token] => 
    )
    [Tue Jan 12 18:59:01 CET 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Jan 12 18:59:01 CET 2021] Single domain='userdomain.duckdns.org'
    [Tue Jan 12 18:59:01 CET 2021] Getting domain auth token for each domain
    [Tue Jan 12 18:59:04 CET 2021] Getting webroot for domain='userdomain.duckdns.org'
    [Tue Jan 12 18:59:04 CET 2021] Adding txt value: BpXXFuhE3WEEmo1FcN3djlY8cBCx7HwjsFCHX-FcN3djlY8cBCx7for domain:  _acme-challenge.userdomain.duckdns.org
    [Tue Jan 12 18:59:04 CET 2021] Trying to add TXT record
    [: : bad number
    [: : bad number
    [Tue Jan 12 18:59:05 CET 2021] Errors happened during adding the TXT record, response=KO
    [Tue Jan 12 18:59:05 CET 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
    [Tue Jan 12 18:59:05 CET 2021] Please check log file for more details: /tmp/acme/DuckDNS/acme_issuecert.log
    

    I'm going to check in the DuckDNS usergroup to find out what changed on their end.


  • I just tried, and got the same KO error through acme package in pfsense.

    <...>
    [Tue Jan 12 15:12:14 -03 2021] Trying to add TXT record
    [: : bad number
    [: : bad number
    [Tue Jan 12 15:12:16 -03 2021] Errors happened during adding the TXT record, response=KO
    [Tue Jan 12 15:12:16 -03 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
    [Tue Jan 12 15:12:16 -03 2021] Please check log file for more details: /tmp/acme/duckdns/acme_issuecert.log
    

  • Managed to update the dns_duckdns.sh which is included in the current package that is installed on my system (ACME 0.6.9_3) with the content of https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_duckdns.sh

    Which incorporates this regex fix: https://github.com/acmesh-official/acme.sh/commit/cee20c4eb96ec8ec3ad789ae5e3902689598b0ee

    Now the script runs flawlessly, does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?

    The updated script does not add _acme-challenge.userdomain.duckdns.org to the GET request for DuckDNS; it only uses the domain part "userdomain".
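    The point made in the first post (DuckDNS publishes TXT as a wildcard, so the update call must name only the account's subdomain) and in this one (the fixed script sends just "userdomain") can be shown as a small shell helper. This is an added example, not code from acme.sh or the pfSense ACME package; the function names, the placeholder token and the TXT value are constructed for illustration, and the URL shape follows the one visible in the logs above and on spec.jsp.

```shell
#!/bin/sh
# Added example (not acme.sh's dns_duckdns.sh): derive the DuckDNS subdomain
# label from the ACME challenge FQDN and build the update URL DuckDNS expects.

# Print the label directly under duckdns.org, dropping any "_acme-challenge."
# (or deeper host) prefix. Fails for names that are not under duckdns.org.
duckdns_subdomain() {
    case "$1" in
        *.duckdns.org) ;;
        *) return 1 ;;
    esac
    s=${1%.duckdns.org}            # strip the fixed suffix
    printf '%s\n' "${s##*.}"       # keep only the last remaining label
}

# Build the TXT update URL: domains=<label>&token=<token>&txt=<value>.
# The token and TXT value are caller-supplied placeholders in this example.
duckdns_txt_url() {
    sub=$(duckdns_subdomain "$1") || return 1
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s\n' \
        "$sub" "$2" "$3"
}

# Map the one-word DuckDNS reply to an exit status so a caller can branch on it;
# "KO" is the bad-response marker the thread's logs show.
duckdns_check_response() {
    case "$1" in
        OK) return 0 ;;
        KO) return 1 ;;
        *)  return 2 ;;
    esac
}

# Constructed sample input mirroring the failing log line above: the old
# request carried the full challenge name, the corrected one carries "userdomain".
duckdns_txt_url '_acme-challenge.userdomain.duckdns.org' 'yourToken' 'responseCode'
```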


  • @alwindb This is a good question; I don't know how to proceed either.
    My last successful renewal was on Oct 26th.


  • @alwindb I did replace my dns_duckdns.sh with that file, and it worked.

    But I got some strange errors

    -----END CERTIFICATE-----
    [Tue Jan 12 17:00:56 -03 2021] Your cert is in  /tmp/acme/duckdns//userdomain.duckdns.org/userdomain.duckdns.org.cer 
    [Tue Jan 12 17:00:56 -03 2021] Your cert key is in  /tmp/acme/duckdns//userdomain.duckdns.org/userdomain.duckdns.org.key 
    [Tue Jan 12 17:00:56 -03 2021] The intermediate CA cert is in  /tmp/acme/duckdns//userdomain.duckdns.org/ca.cer 
    [Tue Jan 12 17:00:56 -03 2021] And the full chain certs is there:  /tmp/acme/duckdns//userdomain.duckdns.org/fullchain.cer 
    [Tue Jan 12 17:00:56 -03 2021] Run reload cmd: /tmp/acme/duckdns/reloadcmd.sh
    
    IMPORT CERT duckdns, /tmp/acme/duckdns/userdomain.duckdns.org/userdomain.duckdns.org.key, /tmp/acme/duckdns/userdomain.duckdns.org/userdomain.duckdns.org.cer
    update cert![Tue Jan 12 17:00:57 -03 2021] Reload success
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    [: : bad number
    

  • @alwindb said in DNS-DuckDNS does not renew:

    Now the script runs flawlessly, does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?

    The maintainer (jimp) will sync the pfSense acme package from that source. He doesn't do so every day, as there is more work than only copying the source in.

    Btw, funny: look who proposed the regex fix:


    Coincidence?