Duckdns plugin ignoring override_domain

1. Caddy version (caddy version):

2.4.5

2. How I run Caddy:

FROM caddy:builder AS builder
RUN xcaddy build --with github.com/caddy-dns/duckdns

FROM caddy
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Docker

b. Command:

docker-compose up -d

c. Service/unit/compose file:

  web:
    build: .
    container_name: caddy
    restart: always
    ports:
      - 4433:443
      - 8080:80
    depends_on:
      - app
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./data/caddy:/data
      - ./data/nextcloud:/var/www/html

d. My complete Caddyfile or JSON config:

https://cnamed.example.com {
        root    * /var/www/html
        file_server

        php_fastcgi app:9000
        header {
                # enable HSTS
                Strict-Transport-Security max-age=31536000;
        }

        tls {
                dns duckdns <token> {
                        override_domain target.duckdns.org
                }
        }
}

3. The problem I’m having:

The DNS provider module duckdns simply ignores the override_domain directive value and always tries to resolve the DNS challenge for cnamed.example.com in order to obtain the certificate. You can even enter an invalid/nonexistent domain in override_domain.

4. Error messages and/or full log output:

{"level":"info","ts":1633315191.8570213,"logger":"tls.obtain","msg":"acquiring lock","identifier":"cnamed.example.com"}
{"level":"info","ts":1633315191.8588457,"logger":"tls.obtain","msg":"lock acquired","identifier":"cnamed.example.com"}
{"level":"info","ts":1633315191.8608518,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1633315191.8608882,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1633315193.3277087,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1633315226.706257,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.cnamed.example.com: read tcp 172.30.0.6:36558->67.220.81.190:53: read: connection reset by peer (order=https://acme-v02.api.letsencrypt.org/acme/order/225224480/29273576080) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
{"level":"warn","ts":1633315226.7092607,"logger":"tls.issuance.zerossl","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
{"level":"info","ts":1633315227.5924022,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"6bbiQELeoh_LlUMj-VuEqg"}
{"level":"info","ts":1633315228.7496998,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1633315228.7497928,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["cnamed.example.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":""}
{"level":"info","ts":1633315229.1259007,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1633315350.3283684,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.zerossl.com/v2/DV90/order/fEzJ1uup98HzO5VsC__tWg) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1633315350.328522,"logger":"tls.obtain","msg":"will retry","error":"[cnamed.example.com] Obtain: [cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.zerossl.com/v2/DV90/order/fEzJ1uup98HzO5VsC__tWg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":158.469637984,"max_duration":2592000}
{"level":"info","ts":1633315411.927088,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"cnamed.example.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1633315533.0962706,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"cnamed.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[cnamed.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/28734698/683976318) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

5. What I already tried:

Don’t know what to do… It works with duckdns.org subdomains but not with cname domains.

6. Links to relevant resources:

caddy-dns/duckdns: Caddy module: dns.providers.duckdns - https://github.com/

Do you have a CNAME record from _acme-challenge.cnamed.example.com to target.duckdns.org as explained in the README?

Do you see the TXT entry being changed on your DuckDNS domain when Caddy is trying to solve the DNS challenge?

You can run dig target.duckdns.org TXT to check if the records are there.

You could also make a request to https://www.duckdns.org/update?domains=target.duckdns.org&token=<token>&verbose=true to check as well.

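The reply above describes the check that resolves this thread: the CA queries _acme-challenge.cnamed.example.com, while the duckdns plugin only ever writes the TXT record on the domain named by override_domain, so a CNAME from the challenge name to target.duckdns.org has to exist. The script below is an added example (not from the thread or the caddy-dns/duckdns plugin) that performs that delegation check; the dig_lookup path shells out to dig and needs network, while the zone tables are constructed sample answers modelling the broken and fixed setups.

```python
"""Check CNAME delegation of an ACME dns-01 challenge name to a DuckDNS domain.
Added example, not part of the thread or the caddy-dns/duckdns plugin."""
import subprocess
from typing import Callable, Dict, List, Tuple

# A lookup function returns the answer RDATA strings for (name, rtype).
Lookup = Callable[[str, str], List[str]]


def dig_lookup(name: str, rtype: str) -> List[str]:
    """Real resolver path: runs `dig +short <name> <rtype>` (needs network)."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def make_fake_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline stand-in built from a constructed (name, rtype) -> answers table."""
    return lambda name, rtype: list(zone.get((name.rstrip(".").lower(), rtype), []))


def check_delegation(site: str, duckdns_domain: str, lookup: Lookup) -> Tuple[bool, str]:
    """Verify _acme-challenge.<site> is a CNAME to <duckdns_domain> and that a
    TXT record is visible there. Returns (ok, reason)."""
    challenge = f"_acme-challenge.{site}"
    cnames = [c.rstrip(".").lower() for c in lookup(challenge, "CNAME")]
    if not cnames:
        # Exactly the failure in this thread: the CA looks for TXT at the
        # challenge name, but the plugin writes it on the DuckDNS domain.
        return False, f"no CNAME at {challenge}; the CA will find no TXT there"
    if duckdns_domain.lower() not in cnames:
        return False, f"{challenge} points at {cnames[0]}, not {duckdns_domain}"
    txts = lookup(duckdns_domain, "TXT")
    if not txts:
        return False, f"CNAME ok, but no TXT record on {duckdns_domain} yet"
    return True, f"{challenge} -> {duckdns_domain}, TXT: {txts}"


# Constructed answers: the broken setup (CNAME missing) and the fixed one.
BROKEN_ZONE = {("target.duckdns.org", "TXT"): ['"constructed-challenge-value"']}
FIXED_ZONE = {
    ("_acme-challenge.cnamed.example.com", "CNAME"): ["target.duckdns.org."],
    ("target.duckdns.org", "TXT"): ['"constructed-challenge-value"'],
}

if __name__ == "__main__":
    # Live check against real DNS; requires dig and network access.
    print(check_delegation("cnamed.example.com", "target.duckdns.org", dig_lookup))
```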

It worked! Can’t believe I forgot this part :frowning:
Thanks for your prompt help and thanks for such an amazing piece of software! Caddy rocks!!!

