Problems getting certificates for Namecheap Domains

Decided to stop using Duckdns due to some recent issues with Google Assistant that a lot of people on Home Assistant seemed to be having. Personally, not convinced it was duckdns - I think it was a Google Assistant issue.

Anyway, I had a ‘spare’ domain lying around and I decided I’d try and set that up to point to my home Home Assistant server.

Never done this before and not 100% sure what the hell I am doing with this TBH as I’ve never hosted a domain on a home server before and I could have screwed something up.

Anyway, at Namecheap, I configured the A and AAAA records for my domain and also added a CNAME record… Looks like this:

On my router I also had to add the new domain to a DNS rebind protection list. I also only use IPv6 for this domain - I only have the port opened on my router for IPv6 and that is opened to the server. This also works fine with duckdns… I have never updated the IPv4 address at duckdns. It is port 443 that is opened. I also got the namecheap api key.

So I have a bunch of sub-domains in my caddyfile.

Anyway, yesterday, I downloaded a caddy with the namecheap and duckdns plugins in it and I configured my caddy settings with the environment variables and added the new domains and subdomains to my caddyfile.

Started the caddy addon in home assistant and it seems happy.

But for each and every domain, I get a string of these:

2019/09/13 09:36:39 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:36:54 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:37:09 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.
2019/09/13 09:37:25 [INFO] [sub.domain.com] acme: Waiting for DNS record propagation.

Goes on for 15 minutes or longer then I’ll see this:

2019/09/13 09:16:33 [INFO] nonce error retry: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/chall-v3/314207628/-j8WAg :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "0001vmrGMAM85RhhduqkKZiO7RctKatXzovN6Yl8-cec_8k", url: 

and then the certificate is issued and it moves on to the next one…

The duckdns ones seem to scream right through though, taking seconds.

Am I doing something wrong here? Do I need to change my DNS records?

Hi @DavidFW1960, just to check - are you only seeing this behaviour with the domains where DNS is hosted by namecheap?

Caddy v1 imports its DNS provider plugins from go-acme/lego, so it’s possible there’s an issue upstream for this one.

Yes - I also have Duckdns ones and they seem to go straight through.
Despite the error, all certificates were issued and working now. Caddy said waiting for DNS propagation and it took 30 mins of retries for each domain so it was a slow process and then because Caddy was generating certificates, none of my domains could be accessed until it had all the certificates finished. Fortunately I had IP address access…

EDIT:
On the weekend I added another Namecheap registered domain and it started doing the same 30 minute thing. I then had a thought - the TTL was set to 30 minutes… what if I changed the TTL to 1 minute? As soon as I did that, the subdomains then took 1 minute each to generate the certificate. Also the nonce errors disappeared. I have since set the TTL back to 30 mins and I don’t think that will cause any issues when it renews but I guess I will see in 60 days. Leaving the TTL at 1 minute seems to have caused issues where the domain may be unavailable for a minute or so so I shall see what happens with it set back to 30. It was a new domain though so maybe it needs a couple of days for full DNS propagation… anyway, interesting.
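Added example, not part of the original posts and not Caddy or lego code: a small Python script that measures how long each domain sat in "Waiting for DNS record propagation" and flags the ones whose wait lines up with the record TTL, which is the pattern described in the EDIT above. The sample log is constructed in the format quoted in the thread, and the 10% tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread (not real output).
SAMPLE_LOG = """\
2019/09/13 09:00:00 [INFO] [a.example.com] acme: Waiting for DNS record propagation.
2019/09/13 09:15:00 [INFO] [a.example.com] acme: Waiting for DNS record propagation.
2019/09/13 09:29:45 [INFO] [a.example.com] acme: Waiting for DNS record propagation.
2019/09/13 09:30:10 [INFO] [b.example.com] acme: Waiting for DNS record propagation.
2019/09/13 09:30:25 [INFO] [b.example.com] acme: Waiting for DNS record propagation.
2019/09/13 09:30:40 [INFO] nonce error retry: acme: error: 400 :: badNonce
"""

WAIT_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[INFO\] \[([^\]]+)\] "
    r"acme: Waiting for DNS record propagation\.")


def propagation_waits(log_text):
    """Return {domain: (poll_count, timedelta between first and last poll)}."""
    seen = {}
    for line in log_text.splitlines():
        m = WAIT_RE.match(line)
        if not m:
            continue  # other ACME messages (e.g. nonce retries) are ignored
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        first, _, count = seen.get(m.group(2), (ts, ts, 0))
        seen[m.group(2)] = (first, ts, count + 1)
    return {d: (n, last - first) for d, (first, last, n) in seen.items()}


def ttl_bound(log_text, ttl_seconds, tolerance=0.1):
    """Domains whose wait is within `tolerance` of the record TTL (assumed heuristic)."""
    ttl = timedelta(seconds=ttl_seconds)
    return sorted(d for d, (_, waited) in propagation_waits(log_text).items()
                  if abs(waited - ttl) <= ttl * tolerance)


if __name__ == "__main__":
    for domain, (polls, waited) in propagation_waits(SAMPLE_LOG).items():
        print(f"{domain}: {polls} polls over {waited}")
    print("wait matches 30 min TTL:", ttl_bound(SAMPLE_LOG, 1800))
```

Run it against the real Caddy log with the TTL configured at the DNS host; a domain that shows up in `ttl_bound` waited about one full TTL before the challenge record was seen.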
