So I’ve spent the better part of two days trying to figure out why in the gods’ name the latest swag image is simply unable to work together with duckdns/certbot.

There’s a variety of different errors, but they go along the lines of:

```
apps:~# docker compose up
[+] Running 1/0
 ✔ Container swag  Created                                                                                             0.0s 
Attaching to swag
swag  | [migrations] started
swag  | [migrations] 01-nginx-site-confs-default: skipped
swag  | [migrations] done
swag  | usermod: no changes
swag  | ───────────────────────────────────────
swag  | 
swag  |       ██╗     ███████╗██╗ ██████╗
swag  |       ██║     ██╔════╝██║██╔═══██╗
swag  |       ██║     ███████╗██║██║   ██║
swag  |       ██║     ╚════██║██║██║   ██║
swag  |       ███████╗███████║██║╚██████╔╝
swag  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
swag  | 
swag  |    Brought to you by linuxserver.io
swag  | ───────────────────────────────────────
swag  | 
swag  | To support the app dev(s) visit:
swag  | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
swag  | 
swag  | To support LSIO projects visit:
swag  | https://www.linuxserver.io/donate/
swag  | 
swag  | ───────────────────────────────────────
swag  | GID/UID
swag  | ───────────────────────────────────────
swag  | 
swag  | User UID:    1000
swag  | User GID:    1000
swag  | ───────────────────────────────────────
swag  | 
swag  | using keys found in /config/keys
swag  | chown: cannot dereference '/config/keys/letsencrypt': No such file or directory
swag  | **** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
swag  | **** The app may not work properly and we will not provide support for it. ****
swag  | Variables set:
swag  | PUID=1000
swag  | PGID=1000
swag  | TZ=Etc/UTC
swag  | URL=mydomain.duckdns.org
swag  | ONLY_SUBDOMAINS=false
swag  | VALIDATION=duckdns
swag  | DNSPLUGIN=duckdns
swag  | EMAIL=
swag  | STAGING=true
swag  | 
swag  | the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org
swag  | NOTICE: Staging is active
swag  | Using Let's Encrypt as the cert provider
swag  | No e-mail address entered or address invalid
swag  | dns validation via duckdns plugin is selected
swag  | Generating new certificate
swag  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag  | Requesting a certificate for mydomain.duckdns.org
swag  | Unsafe permissions on credentials configuration file: /config/dns-conf/duckdns.ini
swag  | Unsafe permissions on credentials configuration file: /config/dns-conf/duckdns.ini
swag  | Waiting 30 seconds for DNS changes to propagate
swag  | 
swag  | Certbot failed to authenticate some domains (authenticator: dns-duckdns). The Certificate Authority reported these problems:
swag  |   Domain: mydomain.duckdns.org
swag  |   Type:   unauthorized
swag  |   Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.duckdns.org
swag  | 
swag  | Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-duckdns. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-duckdns-propagation-seconds (currently 30 seconds).
swag  | 
swag  | Some challenges have failed.
swag  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
swag  | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/duckdns.ini file.
```

I initially tried setting things up in a Debian LXC, but that didn’t work.
So I figured I’d try an Alpine LXC. Still doesn’t work.
I’ve tried giving it more propagation time, up to 120 seconds. Didn’t work.

I’ve tried creating the necessary files to make things work, I’ve opened up all the necessary ports, and yet, here we are.

Sample config here:

```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=mydomain.duckdns.org
      - VALIDATION=duckdns
      - DNSPLUGIN=duckdns
      - STAGING=true
    volumes:
      - ${PWD-.}/swag:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped
```

This issue has been solved.

The problem had to do with permissions (thanks, j0nnymoe), and by creating a dummy user and setting the PUID/PGID to those of that user, the situation is solved, at least for this part.
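
A host-side check for the three permission symptoms visible in the log above (files under the `./swag` bind mount not owned by the configured PUID/PGID, the dangling `keys/letsencrypt` link, and a `dns-conf/duckdns.ini` readable beyond its owner), as an added example that is not part of the original post. `check_swag_perms` is a hypothetical helper name, and the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added example, not SWAG or certbot code: audit the host directory that the
# container sees as /config before starting the stack.
# Usage: check_swag_perms <host_config_dir> <PUID> <PGID>
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_swag_perms() {
    local dir="$1" puid="$2" pgid="$3" ini findings perm
    ini="$dir/dns-conf/duckdns.ini"
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    findings=$(
        # Paths owned by anyone other than the PUID:PGID given to the container.
        find "$dir" \( ! -user "$puid" -o ! -group "$pgid" \) \
            -exec echo OWNER {} "is not $puid:$pgid" \;
        # Symlinks whose target is gone (cf. "chown: cannot dereference" in the log).
        find "$dir" -type l ! -exec test -e {} \; -exec echo DANGLING {} \;
        # Credentials file: only the owner should have any access (mode 600).
        if [ ! -f "$ini" ]; then
            echo "MISSING $ini"
        else
            perm=$(ls -ld "$ini" | cut -c1-10)
            case $perm in
                -???------) ;;
                *) echo "MODE $ini is $perm, expected -rw-------" ;;
            esac
        fi
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo tree: world-readable credentials file and a dangling link.
demo=$(mktemp -d)
mkdir -p "$demo/dns-conf" "$demo/keys"
echo '# constructed placeholder, no real token' > "$demo/dns-conf/duckdns.ini"
chmod 644 "$demo/dns-conf/duckdns.ini"
ln -s "$demo/etc/letsencrypt-missing" "$demo/keys/letsencrypt"
check_swag_perms "$demo" "$(id -u)" "$(id -g)" || true
rm -rf "$demo"
```

Run it against the real mount with the same values as in the compose file, for example `check_swag_perms ./swag 1000 1000`.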