I have a pfsense installation that is running acme. On this installation, I was able to create a single certificate with duckdns that covers the following:
a.duckdns.org
*.a.duckdns.org
b.duckdns.org
*.b.duckdns.org
Also, in the doc, it says that “extra_domains” is ignored for duckdns. And I cannot have wildcard certs and multiple main domains like I want. So it cannot be done right now. If it is, please tell me where in the doc it says I can do it with duckdns and how to do it, I’ll be just happy XD
Thing is, it’s not a duckdns limitation, because I do have a cert that does that (see screenshot). I did it with ACME on pfsense using DNS Duckdns as validation. My cert is multiple domain, wildcards + main domain like I want.
As for the ignore, I got it from another thread (my bad on the bad reference).
One of our team members is checking if the duckdns certbot plugin will allow it, since a single duckdns account can have 5 primary subdomains.
As to the limitation, I can’t speak to that. If you have examples of how to do it with certbot using the duckdns plugin, please share those and we can try to utilize that in our code.
To be honest, I don’t know. I know that the ACME plugin can do it in pfsense. But it seems it requires my token for each entry (I can in fact select a different method for each entry for the same cert). I don’t know how it’s doing it, but I did find this:
Edit: Also, in the certbot duckdns plugin, under usage: "Note: You cannot create certificates for multiple DuckDNS domains with one certbot call. This is because DuckDNS only allows one TXT record. If certificates for several domains should be created at the same time, then the same number of distinct DNS TXT records must be created. To solve the problem, you simply have to make a separate certbot call for each domain."
No, it’s still a duckdns implementation where it only allows setting one TXT record.
If you manually run certbot, running it a few times back to back will sometimes work because it will use cached TXT records from before, but it’s a hack and it’s unreliable. Not something we would implement in an automated system.
It’s easy enough to use *.blah.duckdns.org only, as you can put in a 301 redirect for blah.duckdns.org --> www.blah.duckdns.org and use that instead of naked.
Wow, that was a quick reply, thanks! I was more interested in having two separate DuckDNS wildcard domains registered under the same DuckDNS account (e.g. *.x.duckdns.org and *.y.duckdns.org) on the same cert via swag, if that’s possible!
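The constraint in the plugin note quoted above, worked through as an added example (not code from any poster, from swag, or from the certbot plugin): it computes the DNS-01 record name for each requested name, shows that a base name and its wildcard are validated through the same record, and splits the request into separate calls. The one-TXT-value limit is taken from the quoted note, and the x/y names are the constructed ones from the question.

```python
from collections import defaultdict

# Assumption taken from the plugin note quoted in the thread:
# only one TXT value can be published at a time.
MAX_TXT_VALUES = 1

# Constructed sample request (the two wildcard domains asked about above).
REQUESTED = ["x.duckdns.org", "*.x.duckdns.org",
             "y.duckdns.org", "*.y.duckdns.org"]


def challenge_name(identifier):
    """DNS-01 record name for an identifier (RFC 8555: '*.' is dropped)."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name


def unique_names(identifiers):
    """Lower-case and de-duplicate while keeping the requested order."""
    return list(dict.fromkeys(i.lower().rstrip(".") for i in identifiers))


def challenges(identifiers):
    """Map each TXT record name to the identifiers validated through it."""
    by_record = defaultdict(list)
    for ident in unique_names(identifiers):
        by_record[challenge_name(ident)].append(ident)
    return dict(by_record)


def fits_one_call(identifiers, max_txt=MAX_TXT_VALUES):
    """Each identifier gets its own token, so it needs its own TXT value."""
    return len(unique_names(identifiers)) <= max_txt


def plan_calls(identifiers, max_txt=MAX_TXT_VALUES):
    """Split the request into calls that each stay within the TXT limit."""
    names = unique_names(identifiers)
    return [names[i:i + max_txt] for i in range(0, len(names), max_txt)]


if __name__ == "__main__":
    for record, idents in challenges(REQUESTED).items():
        print(record, "<-", ", ".join(idents))
    print("single call possible:", fits_one_call(REQUESTED))
    for call in plan_calls(REQUESTED):
        print("separate call:", " ".join("-d " + n for n in call))
```

Each separate call produces its own certificate, so this plan does not yield one certificate covering all four names.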