Netgate Discussion Forum
    DNS-DuckDNS does not renew

    Category: ACME
    14 Posts, 6 Posters, 4.7k Views
    • M
      mcury @williamrolison
      last edited by

      Can you share more details about the errors you are getting?
      My cert will expire soon

      W 1 Reply Last reply Reply Quote 0
      • W
        williamrolison @mcury
        last edited by

        @mcury said in DNS-DuckDNS does not renew:

        Can you share more details about the errors you are getting?
        My cert will expire soon

        When the DuckDNS cert goes to renew, it fails:

        [Mon Jan 11 08:29:02 EST 2021] d='yourDomain.duckdns.org'
        [Mon Jan 11 08:29:02 EST 2021] _d_alias
        [Mon Jan 11 08:29:02 EST 2021] txtdomain='_acme-challenge.yourDomain.duckdns.org'
        [Mon Jan 11 08:29:02 EST 2021] base64 single line.
        [Mon Jan 11 08:29:02 EST 2021] txt='responseCode'
        [Mon Jan 11 08:29:02 EST 2021] d_api='/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
        [Mon Jan 11 08:29:02 EST 2021] dns_entry='yourDomain.duckdns.org,_acme-challenge.yourDomain.duckdns.org,,dns_duckdns,responseCode,/usr/local/pkg/acme/dnsapi/dns_duckdns.sh'
        [Mon Jan 11 08:29:02 EST 2021] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
        [Mon Jan 11 08:29:02 EST 2021] dns_duckdns_add exists=0
        [Mon Jan 11 08:29:02 EST 2021] Adding txt value: responseCode for domain:  _acme-challenge.yourDomain.duckdns.org
        [Mon Jan 11 08:29:02 EST 2021] APP
        [Mon Jan 11 08:29:02 EST 2021] 5:SAVED_DuckDNS_Token='yourToken'
        [Mon Jan 11 08:29:02 EST 2021] Trying to add TXT record
        [Mon Jan 11 08:29:02 EST 2021] param='domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
        [Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode'
        [Mon Jan 11 08:29:02 EST 2021] GET
        [Mon Jan 11 08:29:02 EST 2021] url='https://www.duckdns.org/update?domains=_acme-challenge.yourDomain.duckdns.org&token=yourToken&txt=responseCode
        [Mon Jan 11 08:29:02 EST 2021] timeout=
        [Mon Jan 11 08:29:02 EST 2021] Http already initialized.
        [Mon Jan 11 08:29:02 EST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/pfsense//http.header  -g '
        [Mon Jan 11 08:29:03 EST 2021] ret='0'
        [Mon Jan 11 08:29:03 EST 2021] response='KO'
        [Mon Jan 11 08:29:03 EST 2021] Errors happened during adding the TXT record, response=KO
        [Mon Jan 11 08:29:03 EST 2021] Error add txt for domain:_acme-challenge.yourDomain.duckdns.org
        [Mon Jan 11 08:29:03 EST 2021] _on_issue_err
        

        Notice the response='KO'

        Per https://www.duckdns.org/spec.jsp that means "bad response".

        Something has changed and the new version of Acme will fail.

        I switched over to using Dynu for now, no issue with it, so I know it's not Acme itself failing.

        A quick Google search shows that there has been an API change at DuckDNS. It has to do with "sub domains".

        Leads you to https://github.com/acmesh-official/acme.sh/issues/2933

        Already tried the "--domain-alias mydomain.duckdns.org" as mentioned but same error.

        FYI to manually renew the cert:

        /usr/local/pkg/acme/acme.sh --issue -d 'yourDomain.duckdns.org' --dns 'dns_duckdns' --domain-alias 'yourDomain.duckdns.org' --home '/tmp/acme/pfsense/' --accountconf '/tmp/acme/pfsense/accountconf.conf' --force --reloadCmd '/tmp/acme/pfsense/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense/acme_issuecert.log'
        
        1 Reply Last reply Reply Quote 1
        • A
          AlwindB
          last edited by

          I've managed to renew just using the regular method (ACME > DuckDNS) on the 29th of December 2020.
          Based on the other replies, I tried it again today and it fails with the above-mentioned feedback.

          Running ACME 0.6.9_3

          DuckDNS
          Renewing certificate 
          account: Lets Encrypt Production ACMEv2 
          server: letsencrypt-production-2 
          
          /usr/local/pkg/acme/acme.sh  --issue  --domain 'userdomain.duckdns.org' --dns 'dns_duckdns'  --home '/tmp/acme/DuckDNS/' --accountconf '/tmp/acme/DuckDNS/accountconf.conf' --force --reloadCmd '/tmp/acme/DuckDNS/reloadcmd.sh' --ocsp-must-staple  --log-level 3 --log '/tmp/acme/DuckDNS/acme_issuecert.log'
          Array
          (
              [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [DuckDNS_Token] => 
          )
          [Tue Jan 12 18:59:01 CET 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
          [Tue Jan 12 18:59:01 CET 2021] Single domain='userdomain.duckdns.org'
          [Tue Jan 12 18:59:01 CET 2021] Getting domain auth token for each domain
          [Tue Jan 12 18:59:04 CET 2021] Getting webroot for domain='userdomain.duckdns.org'
          [Tue Jan 12 18:59:04 CET 2021] Adding txt value: BpXXFuhE3WEEmo1FcN3djlY8cBCx7HwjsFCHX-FcN3djlY8cBCx7for domain:  _acme-challenge.userdomain.duckdns.org
          [Tue Jan 12 18:59:04 CET 2021] Trying to add TXT record
          [: : bad number
          [: : bad number
          [Tue Jan 12 18:59:05 CET 2021] Errors happened during adding the TXT record, response=KO
          [Tue Jan 12 18:59:05 CET 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
          [Tue Jan 12 18:59:05 CET 2021] Please check log file for more details: /tmp/acme/DuckDNS/acme_issuecert.log
          

          I'm going to check in the DuckDNS usergroup to find out what changed on their end.

          M 1 Reply Last reply Reply Quote 0
          • M
            mcury @AlwindB
            last edited by

            I just tried, and got the same KO error through the acme package in pfSense.

            <...>
            [Tue Jan 12 15:12:14 -03 2021] Trying to add TXT record
            [: : bad number
            [: : bad number
            [Tue Jan 12 15:12:16 -03 2021] Errors happened during adding the TXT record, response=KO
            [Tue Jan 12 15:12:16 -03 2021] Error add txt for domain:_acme-challenge.userdomain.duckdns.org
            [Tue Jan 12 15:12:16 -03 2021] Please check log file for more details: /tmp/acme/duckdns/acme_issuecert.log
            
            1 Reply Last reply Reply Quote 0
            • A
              AlwindB
              last edited by AlwindB

              Managed to update the dns_duckdns.sh which is included in the current package that is installed on my system (ACME 0.6.9_3) with the content of https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_duckdns.sh

              Which incorporates this regex fix: https://github.com/acmesh-official/acme.sh/commit/cee20c4eb96ec8ec3ad789ae5e3902689598b0ee

              Now the script runs flawlessly, does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?

              The updated script does not add _acme-challenge.userdomain.duckdns.org to the GET request for DuckDNS; it only uses the domain part "userdomain".

              M GertjanG R 4 Replies Last reply Reply Quote 2
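The domain-extraction step that the thread's fix introduced, shown as an added example in POSIX sh (the shell pfSense runs); this is illustrative code, not the acme.sh project's own dns_duckdns.sh, and the token and TXT values are the same placeholders the logs above use. It lowercases the subdomain label, which is an assumption on my part (DuckDNS names are case-insensitive).

```shell
#!/bin/sh
# Added example (not acme.sh code): turn the full ACME challenge name into
# the bare DuckDNS subdomain label that the update API now expects.

# "_acme-challenge.yourDomain.duckdns.org" -> "yourdomain"
# Returns 1 (and prints nothing) if the name is not under duckdns.org.
duckdns_subdomain() {
    _full=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # assumption: case-insensitive
    case "$_full" in
        *.duckdns.org) ;;
        *) return 1 ;;
    esac
    _rest=${_full%.duckdns.org}   # strip the zone suffix
    printf '%s' "${_rest##*.}"    # keep only the last remaining label
}

# Build the update URL seen in the logs above, but with the bare subdomain
# instead of the _acme-challenge.* name that now yields response=KO.
# Args: full challenge name, token, TXT value.
duckdns_txt_url() {
    _sub=$(duckdns_subdomain "$1") || return 1
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s' \
        "$_sub" "$2" "$3"
}

# DuckDNS replies with the literal body OK or KO (see duckdns.org/spec.jsp).
# Compare it as a string, never as a number; return 0 only on OK.
duckdns_response_ok() {
    [ "$1" = "OK" ]
}
```

A caller would fetch `"$(duckdns_txt_url "$fulldomain" "$DuckDNS_Token" "$txtvalue")"` with curl and pass the body to `duckdns_response_ok` before continuing the challenge.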
              • M
                mcury @AlwindB
                last edited by

                @alwindb This is a good question, I don't know how to proceed either.
                My last successful renewal was on Oct 26th.

                1 Reply Last reply Reply Quote 0
                • M
                  mcury @AlwindB
                  last edited by mcury

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • GertjanG
                    Gertjan @AlwindB
                    last edited by

                    @alwindb said in DNS-DuckDNS does not renew:

                    Now the script runs flawlessly, does that mean that the package maintainer needs to pull this from the repository to permanently fix this issue?

                    The maintainer (jimp) will sync the pfSense acme package from that source. He doesn't do so every day, as there is more work than only copying the source in.

                    Btw : funny : look who proposed the regex fix :

                    [image attachment: 4f4aaa75-2de3-46cf-8e32-53f9bcc1b841-image.png]

                    Coincidence ?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    M 1 Reply Last reply Reply Quote 2
                    • M
                      markiper @Gertjan
                      last edited by markiper

                      @gertjan , this post solved my issue. Not sure it is the best/correct way, but at least will buy me some time as my certificate was expiring at the end of this month.

                      1 Reply Last reply Reply Quote 0
                      • R
                        regexaurus @AlwindB
                        last edited by regexaurus

                        @alwindb said in DNS-DuckDNS does not renew:

                        Managed to update the dns_duckdns.sh...
                        ...Now the script runs flawlessly...

                        I'm surprised this hasn't yet been resolved in the current/published package. Thanks for that! I'm running the current acme 0.6.9_3 package on pfSense 2.5.1 and encountered the same problem today. Updating dns_duckdns.sh as you indicated worked here. For others who may need a little more help:

                        TLDR: copy/paste the following command (string of commands) to the Execute Shell Command textbox in the pfSense web gui (Diagnostics > Command Prompt) and click the Execute button.

                        mv /usr/local/pkg/acme/dnsapi/dns_duckdns.sh /usr/local/pkg/acme/dnsapi/dns_duckdns.pkgnew; curl -o /usr/local/pkg/acme/dnsapi/dns_duckdns.sh https://raw.githubusercontent.com/acmesh-official/acme.sh/master/dnsapi/dns_duckdns.sh; chmod 555 /usr/local/pkg/acme/dnsapi/dns_duckdns.sh
                        
                        • Backup pfSense before doing anything else. This should go without saying, but the force is strong with root/admin SSH access to your pfSense install, and you can bork your pfSense if you're not careful.

                        • Enable Secure Shell Server (ssh) in your pfSense install, if not already enabled. See the Secure Shell section in System > Advanced.

                        • Use something like PuTTY or the Ubuntu/Bash shell for WSL, if you use Windows, Terminal on macOS, xterm or similar on Linux, and connect to your pfSense: ssh admin@pfSense_IP_address_or_hostname
                          where pfSense_IP_address_or_hostname is an IP address or resolvable hostname for your pfSense, and where admin is the username for an administrator on your pfSense. Enter the admin password when prompted.

                        • Enter 8 (for Shell) to get to a command line interface

                        • Enter the command cd /usr/local/pkg/acme/dnsapi

                        • Enter the command mv dns_duckdns.sh dns_duckdns.pkgnew
                          This renames dns_duckdns.sh so you can quickly revert to the original script, if needed.

                        • Enter the command vi dns_duckdns.sh
                          This will create a new file using the vi editor (you will see a lot of ~ characters on the left). Type i to enter insert/entry mode. Select and copy all the text at https://raw.githubusercontent.com/acmesh-official/acme.sh/master/dnsapi/dns_duckdns.sh
                          Paste the copied text in vi. If you use Windows, this can usually be accomplished by right-clicking in the ssh client (e.g. PuTTY) window (while in vi insert/entry mode). Press the Esc key to enter vi command mode, then type :wq to save (write) the file and close (quit) vi.

                        • Enter the command chmod 555 dns_duckdns.sh to make the replacement script executable.

                        • You can enter the command ls -l dns_duckdns* to confirm that read/write/execute permissions are identical for the original and replacement scripts.

                        • For good measure, try the command diff dns_duckdns.sh dns_duckdns.pkgnew
                          This will show you differences between the original and replacement scripts. This can help you confirm you created the replacement script correctly. This can also help you be reasonably certain the replacement script does nothing malicious, though you probably should have done some due diligence before getting this far anyway. The point is that you shouldn't copy/add/replace scripts on your pfSense without understanding the potential security implications.

                        • Enter the command exit, then type/select 0 (to logout).

                        Try requesting/renewing your DuckDNS certificate(s) in the pfSense gui. The process can take several minutes. Be patient and good luck!

                        GertjanG 1 Reply Last reply Reply Quote 3
                        • GertjanG
                          Gertjan @regexaurus
                          last edited by

                          πŸ‘ @regexaurus

                          Alternative ways to kill the duck-bug :

                          Instead of the always needed SSH (so it's OK to have it set up once): use the classic console access, as this should work too.

                          Or: install the System_Patches pfSense package, which exists for doing just that.
                          Now, if we can get our hands on the raw diff file (and get the paths correct), it's just a question of copying the commit ID URL and two more clicks (patching without a keyboard).


                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.