SWAG with DuckDNS and EXTRA_DOMAINS

Hi,

(note, these domains all are .org / .com, but discourse won’t let me post with links)

I’m trying to set up an additional subdomain to route through to my DuckDNS domain, mainly as a proof of concept prior to moving away from an existing hosted web provider. Existing set up with DuckDNS works perfectly, with a certificate generated for *.mydomain.duckdns.

What I’m now trying to set up is:

  • I have a separate subdomain, newsub.existingdomain
  • newsub.existingdomain is a CNAME for test.mydomain.duckdns
  • traffic to newsub.existingdomain hits nginx, and is proxied to test.mydomain.duckdns
  • accessing test.mydomain.duckdns works perfectly
  • accessing newsub.existingdomain, the browser complains of invalid SSL certificate because *.mydomain.duckdns doesn’t match newsub.existingdomain, and the certificate doesn’t mention newsub.existingdomain. If you manually click through the warning, it works.

I’ve added newsub.existingdomain in EXTRA_DOMAINS, recreated the container, verified it’s being picked up in the logs, and there are no error messages but I don’t see it being picked up in the challenges, and I don’t see it listed in the certificate. Am I doing something wrong, or is EXTRA_DOMAINS not supported with DuckDNS?

Snippet from docker-compose.yml:

swag:
environment:
- URL=subdomain.duckdns
- SUBDOMAINS=wildcard
- VALIDATION=duckdns
- DUCKDNSTOKEN=xxx
- EXTRA_DOMAINS=newsub.existingdomain

Snippet from swag log:

swag | EXTRA_DOMAINS entered, processing
swag | Extra domains processed are: -d newsub.existingdomain
swag | duckdns validation is selected
swag | the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns
swag | Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
swag | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag | No match found for cert-path /config/etc/letsencrypt/live/mydomain.duckdns/fullchain.pem!
swag | Generating new certificate
swag | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag | Plugins selected: Authenticator manual, Installer None
swag | Obtaining a new certificate
swag | Performing the following challenges:
swag | dns-01 challenge for mydomain.duckdns
swag | Running manual-auth-hook command: /app/duckdns-txt
swag | Output from manual-auth-hook command duckdns-txt:
swag | OKsleeping 60
swag |
swag | Error output from manual-auth-hook command duckdns-txt:
swag | % Total % Received % Xferd Average Speed Time Time Time Current
swag | Dload Upload Total Spent Left Speed
swag |
swag | 0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0
swag | 100 2 0 2 0 0 2 0 --:–:-- --:–:-- --:–:-- 2
swag |
swag | Waiting for verification…
swag | Cleaning up challenges
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:

Thank you in advance,

duckdns validation has one big limitation. Duckdns service only lets you set one dns txt record for the account. Therefore, you can only validate one address with letsencrypt. When you set subdomains to wildcard, that address is *.customsubdomain.duckdns.org. Everything else in extra domains is ignored.

If you want multiple addresses covered with duckdns, you’ll have to use http validation, which allows multiple addresses, but no wildcard.

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.