Let's Encrypt & DuckDNS - Cert does not exist!

I have problems with the swag container when creating the certificate. According to the log there is no certificate, although it says that it was created before:

Log

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=sub.duckdns.org
SUBDOMAINS=
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
DNSPLUGIN=duckdns
EMAIL=
STAGING=

No subdomains defined
No e-mail address entered or address invalid
duckdns validation is selected
the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Registering without email!
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sub.duckdns.org
Running manual-auth-hook command: /app/duckdns-txt
Output from manual-auth-hook command duckdns-txt:
OKsleeping 60

Error output from manual-auth-hook command duckdns-txt:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
100 2 0 2 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0
100 2 0 2 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0

Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sub.duckdns.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sub.duckdns.org/privkey.pem
Your cert will expire on 2020-11-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct.

Config

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create \
--name='swag' \
--net='proxy' \
-e TZ="Europe/Berlin" \
-e HOST_OS="Unraid" \
-e 'URL'='sub.duckdns.org' \
-e 'DHLEVEL'='2048' \
-e 'ONLY_SUBDOMAINS'='true' \
-e 'VALIDATION'='duckdns' \
-e 'DUCKDNSTOKEN'='token' \
-e 'PUID'='99' \
-e 'PGID'='100' \
-e 'DNSPLUGIN'='duckdns' \
-e 'SUBDOMAINS'='' \
-p 'port:port/tcp' \
-v '/mnt/user/appdata/swag':'/config':'rw' \
--cap-add=NET_ADMIN \
'linuxserver/swag'

I had success when I set SUBDOMAINS to wildcard, but the certificate is then issued to *.sub.duckdns.org, which of course leads to a security warning in the browser.

DUCKDNSTOKEN seems to be passed correctly, because the token appears in /config/donoteditthisfile.conf

DNSPLUGIN isn’t needed.

Use wildcard for SUBDOMAINS.

You can’t generate a cert for sub.duckdns.org AND service.sub.duckdns.org but using the wildcard option you can still access www.sub.duckdns.org if you please. I don’t think ONLY_SUBDOMAINS is required either as I don’t use it myself.

It works with using wildcard and I get no error in swag log but like I wrote before this sets the common name of the certificate to *.sub.duckdns.org and not sub.duckdns.org.

That’s because you can’t generate certs for both subdomain and the main domain using duckdns.

So you either have one for sub.duckdns.org or *.sub.duckdns.org and access your main domain using www.sub.duckdns.org

Have you tried running this with the ONLY_SUBDOMAINS option set to false?

Setting ONLY_SUBDOMAINS to false I get the same error as before.

Well good luck in your search for a solution.

Here’s part of my compose file if it can help any.

https://pastebin.ubuntu.com/p/YppKBK3JND/

That limitation is explained in detail in the readme. As ChiefMedicalOfficer stated, the cert covers all subsubdomains, so you can use the www sub for the homepage.

After several retries I finally got it to work. I don’t know why it works now but I deleted the SUBDOMAIN wildcard variable after the *. certificate was created successfully. Now I have a new cert that has sub.duckdns.org as the common name.

If you told us exactly what you were trying to achieve it would be easier to help.
If you were trying to get a cert that covers only your custom duckdns address and no subdomains for it, then your initial issue was that you set only_subdomains to true while you did not enter any subdomains. So for the url only cert, set only_subdomains to false, and leave subdomains blank.

I never wrote anything about additional subdomains. I just wanted to have a cert for one specific duckdns domain I created. Maybe the name sub was a bit misleading.
It also made sense to me that not setting Subdomains should be the right option for this case but starting the container for the first time like this, I still ran into this error.

That’s because you set the var ONLY_SUBDOMAINS to true, which tells the container to cover all the subdomains listed in the SUBDOMAINS var, but not the main URL entered.

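The variable combinations discussed in this thread, written out as a preflight check to run before starting the container with VALIDATION=duckdns. This is an added example, not part of the original posts or of SWAG itself; the function name `swag_duckdns_preflight` and its messages are hypothetical, and rejecting named subdomains outright is a strictness choice of this example.

```shell
#!/bin/sh
# Added example: preflight check for SWAG variables when VALIDATION=duckdns.
# The rules encode only what this thread states; the function name and the
# messages are hypothetical and not part of the SWAG image.

# Usage: swag_duckdns_preflight URL SUBDOMAINS ONLY_SUBDOMAINS
# Prints the name the certificate is expected to carry and returns 0,
# or prints the problem to stderr and returns 1.
swag_duckdns_preflight() {
    url=$1
    subdomains=$2
    only_subdomains=${3:-false}

    if [ -z "$url" ]; then
        echo "URL is empty" >&2
        return 1
    fi

    case "$subdomains" in
        "")
            # URL-only certificate: requires ONLY_SUBDOMAINS=false.
            if [ "$only_subdomains" = "true" ]; then
                echo "ONLY_SUBDOMAINS=true with empty SUBDOMAINS: set ONLY_SUBDOMAINS=false for a URL-only cert" >&2
                return 1
            fi
            echo "$url"
            ;;
        wildcard)
            # Wildcard certificate: the bare URL itself is not covered.
            echo "*.$url"
            ;;
        *)
            # duckdns validation cannot cover the main domain and named
            # subdomains in one certificate; this example treats it as an error.
            echo "named SUBDOMAINS ($subdomains) cannot be combined with the main domain under duckdns validation: leave empty or use wildcard" >&2
            return 1
            ;;
    esac
}

# Constructed sample values mirroring the thread's placeholder domain.
swag_duckdns_preflight "sub.duckdns.org" "" "true" || echo "preflight failed"
swag_duckdns_preflight "sub.duckdns.org" "" "false"
swag_duckdns_preflight "sub.duckdns.org" "wildcard" "true"
```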