duckdns: Support wildcard certs for subdomains in DuckDNS addon (resolves #336) #3244
Conversation
![home-assistant[bot]](https://avatars.githubusercontent.com/in/97978?s=60&v=4){kind=small}
There was a problem hiding this comment.
It seems you haven't yet signed a CLA. Please do so here.
Once you do that we will be able to review and accept this pull request.
Thanks!
|
Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍 |
home-assistant
bot
added
cla-recheck
cla-signed
and removed
cla-recheck
cla-needed
labels
kyle-cackett
changed the title
|
Is this still required since #3152 added DuckDNS support in the Let's Encrypt add-on? From what I can see from #2662 (comment) the preferred way is to use Let's Encrypt for these type of situation 🤔 |
|
Looks like #3152 was merged ~30 minutes ago so I haven't yet had a chance to evaluate whether switching add-ons and using the latest build of Let's Encrypt would be an alternative solution to the current limitation in the DuckDNS add-on described in this PR.
Following this line of questioning, if DuckDNS support is now included in the Let's Encrypt add-on does that make the DuckDNS add-on redundant? If so perhaps the DuckDNS add-on should be deprecated and eventually discontinued entirely and users should be migrated to Let's Encrypt. If the DuckDNS plugin is here to stay, including the fix proposed in this PR would be nice since based on #336 some people are using this configuration which is leading to some frustration. Unrelated note: this fix could also be implemented without |
> Is this still required since #3152 added DuckDNS support in the Let's Encrypt add-on?I'm not sure. Will Let's Encrypt add-on support domains like *.xxx.duckdns.org? I will check after Let's Encrypt add-on release. |
|
dehydrated-io/dehydrated#554 and the dehydrated troubleshooting guide both specifically mention that API/DNS implementations such as employed by DuckDNS are considered broken and are not properly supported by dehyrated. As such I consider the Let's encrypt implementation using dehydrated in the DuckDNS addon inherently broken and agree with @mdegat01 in #2662 (comment) that support for aliases (including custom domains and wildcard DuckDNS domains) should be removed from the DuckDNS addon. I would even go one further and remove SSL support from the DuckDNS addon entirely and use the addon only for keeping a dynamic IP up to date, but maybe it's more sensible to keep the implementation only for the most basic of use cases (only for xxx.duckdns.org certs). I created #3152 in an effort to move DuckDNS DNS challenges to the Let's Encrypt addon as certbot and the certbot_duckdns plugin properly support the (bad) API implementation at DuckDNS. It should support both domains such as (*.)xxx.duckdns.org and (*.)custom.com Now that #3152 is merged maybe it's time to close this and reopen #2964? |
This PR resolves the issue described in this comment on issue #336 (copied below for convenience) which occurs when the domains array contains entries of the form
"*.xxx.duckdns.org > xxx.duckdns.org". This type of entry is used to obtain wildcard certificates from Let's Encrypt / dehydrated.The
sedsubstitution's/[^,]*[ > ]//g'matches all occurrences of strings which do not contain a,(so that after thejoin(",")at most one match is found per entry in the domain array) that end with the characters>and removes them leaving only valid domains according to the DuckDNS API. Note that this transformation will not impact Let's Encrypt because the$DOMAINSvariable is only used by DuckDNS. Thele_renewfunction grabs the domains from the config directly on line 23:https://github.com/home-assistant/addons/blob/72fac56dae57fe3573a1e568b248fa304cca2b1b/duckdns/data/run.sh#L23C1-L24C1
Testing
Added the following field to the json object in
/tmp/.bashio/addons.self.options.config.cacheRan the script and received the following output:
run.shfrom within the add-on. IP was correctly reset to my actual IP.