Dehydrated and duckdns

Thank you all for IPfire, fantastic project! Detailed below is an account of attempting to get the pakfire addon dehydrated to work with duckdns.org. I am trying to post a complete walkthrough but the community software keeps telling me I only post with 2 urls?

Thank you all for IPfire, fantastic project! Detailed below is an account of attempting to get the pakfire addon dehydrated to work with duckdns(dot)org. I have failed to find any detailed walkthroughs for IPfire + duckdns(dot)org + dehydrated… but did find some stuff for just duckdns(dot)org + dehydrated.


IPFire 2.25 (x86_64) - Core Update 144

Installed Addons: dehydrated


  1. Pakfire install of dehydrated via IPfire webgui appears to have successfully completed (no indications of failure and dehydrated is shown in the Installed Addons: webgui.

  1. Account created at duckdns(dot)org, IPfire Services --> Dynamic DNS properly configured and saved, and IPfire successfully displaying hostname in Current hosts webgui.

  1. Pinging xxxxxx.duckdns(dot)org name succeeds (name properly resolves to IP).

  1. SSH into IPfire and cd /etc/dehydrated and begin reading through the documentation at github(dot)com/dehydrated-io/dehydrated

  1. Edit domains.txt and add in proper domain name xxxxxx.duckdns(dot)org.

  1. Edit config and leave all as default except as detailed here then save and exit:
    IP_VERSION=4
    CA=“https:// acme-staging-v02.api.letsencrypt(dot)org/directory”
    CHALLENGETYPE=“dns-01”

  1. /usr/bin/dehydrated -e

# dehydrated configuration

# INFO: Using main config file /etc/dehydrated/config

declare – CA=“https:// acme-staging-v02.api.letsencrypt(dot)org/directory”

declare – CERTDIR="/etc/dehydrated/certs"

declare – ALPNCERTDIR="/etc/dehydrated/alpn-certs"

declare – CHALLENGETYPE=“dns-01”

declare – DOMAINS_D=""

declare – DOMAINS_TXT="/etc/dehydrated/domains.txt"

declare – HOOK="/etc/dehydrated/hook.sh"

declare – HOOK_CHAIN=“no”

declare – RENEW_DAYS=“30”

declare – ACCOUNT_KEY="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"

declare – ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"

declare – ACCOUNT_ID_JSON="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"

declare – KEYSIZE=“4096”

declare – WELLKNOWN="/var/www/dehydrated"

declare – PRIVATE_KEY_RENEW=“yes”

declare – OPENSSL_CNF="/etc/ssl/openssl.cnf"

declare – CONTACT_EMAIL=""

declare – LOCKFILE="/etc/dehydrated/lock"


  1. /usr/bin/dehydrated --register --accept-terms

# INFO: Using main config file /etc/dehydrated/config

  • Generating account key…

  • Registering account key with ACME server…

  • Fetching account ID…

  • Done!


  1. /usr/bin/dehydrated -c

# INFO: Using main config file /etc/dehydrated/config

Processing xxxxxx.duckdns(dot)org

  • Creating new directory /etc/dehydrated/certs/xxxxxx.duckdns(dot)org …

  • Signing domains…

  • Generating private key…

  • Generating signing request…

  • Requesting new certificate order from CA…

  • Received 1 authorizations URLs from the CA

  • Handling authorization for xxxxxxx.duckdns(dot)org

  • 1 pending challenge(s)

  • Deploying challenge tokens…

  • Responding to challenge for xxxxxx.duckdns(dot)org authorization…

  • Cleaning challenge tokens…

  • Challenge validation has failed :frowning:

ERROR: Challenge is invalid! (returned: invalid) (result: {

“type”: “dns-01”,

“status”: “invalid”,

“error”: {

“type”: “urn:ietf:params:acme:error:unauthorized”,

“detail”: “Incorrect TXT record “” found at _acme-challenge.xxxxxx.duckdns(dot)org”,

“status”: 403

},

“url”: “https:// acme-v02.api.letsencrypt(dot)org/acme/chall-v3/4979745397/C21hMg”,

“token”: “NQy31MzWLQYWRdN9sTtUX2nQ89DDPjUF5pME2K3tKv4”

})


  1. I believe the issue is I cannot figure out where / how to declare the TOKEN_FILENAME and TOKEN_VALUE for the hook.sh script that appears to be called by config.

  1. hook.sh

#!/usr/bin/env bash

deploy_challenge() {

local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

# This hook is called once for every domain that needs to be

# validated, including any alternative names you may have listed.

#

# Parameters:

# - DOMAIN

# The domain name (CN or subject alternative name) being

# validated.

# - TOKEN_FILENAME

# The name of the file containing the token to be served for HTTP

# validation. Should be served by your web server as

# /.well-known/acme-challenge/${TOKEN_FILENAME}.

# - TOKEN_VALUE

# The token value that needs to be served for validation. For DNS

# validation, this is what you want to put in the _acme-challenge

# TXT record. For HTTP validation it is the value that is expected

# be found in the $TOKEN_FILENAME file.

# Simple example: Use nsupdate with local named

# printf ‘server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT “%s”\nsend\n’ “${DOMAIN}” “${TOKEN_VALUE}” | nsupdate -k /var/run/named/session.key

}


  1. I then edited config and simply added a line:

TOKEN_VALUE=“xxxxxxx-duckdns(dot)org-token-xxxxxxx”


  1. /usr/bin/dehydrated -c

# INFO: Using main config file /etc/dehydrated/config

Processing xxxxxx.duckdns(dot)org

  • Signing domains…

  • Generating private key…

  • Generating signing request…

  • Requesting new certificate order from CA…

  • Received 1 authorizations URLs from the CA

  • Handling authorization for xxxxxx.duckdns(dot)org

  • Found valid authorization for xxxxxx.duckdns(dot)org

  • 0 pending challenge(s)

  • Requesting certificate…

  • Checking certificate…

  • Done!

  • Creating fullchain.pem…

  • Done!


  1. Edit config to enable the real CA in place of the testing CA:

CA=“https:// acme-v02.api.letsencrypt(dot)org/directory”


  1. /usr/bin/dehydrated -c

# INFO: Using main config file /etc/dehydrated/config

Processing xxxxxx.duckdns(dot)org

  • Checking domain name(s) of existing cert… unchanged.

  • Checking expire date of existing cert…

  • Valid till Aug 31 21:00:07 2020 GMT Certificate will not expire

(Longer than 30 days). Skipping renew!


  1. check the /etc/dehydrated/certs directory and my domain is showing as a directory xxxxxx.duckdns(dot)org and in the xxxxxx.duckdns(dot)org directory is the following:

-rw------- 1 root root 1663 Jun 2 15:41 cert-1591134077.csr

-rw------- 1 root root 0 Jun 2 15:41 cert-1591134077.pem

-rw------- 1 root root 1663 Jun 2 15:52 cert-1591134739.csr

-rw------- 1 root root 0 Jun 2 15:52 cert-1591134739.pem

-rw------- 1 root root 1663 Jun 2 16:00 cert-1591135204.csr

-rw------- 1 root root 2224 Jun 2 16:00 cert-1591135204.pem

lrwxrwxrwx 1 root root 19 Jun 2 16:00 cert.csr -> cert-1591135204.csr

lrwxrwxrwx 1 root root 19 Jun 2 16:00 cert.pem -> cert-1591135204.pem

-rw------- 1 root root 1680 Jun 2 16:00 chain-1591135204.pem

lrwxrwxrwx 1 root root 20 Jun 2 16:00 chain.pem -> chain-1591135204.pem

-rw------- 1 root root 3904 Jun 2 16:00 fullchain-1591135204.pem

lrwxrwxrwx 1 root root 24 Jun 2 16:00 fullchain.pem -> fullchain-1591135204.pem

-rw------- 1 root root 3243 Jun 2 15:41 privkey-1591134077.pem

-rw------- 1 root root 3247 Jun 2 15:52 privkey-1591134739.pem

-rw------- 1 root root 3247 Jun 2 16:00 privkey-1591135204.pem

lrwxrwxrwx 1 root root 22 Jun 2 16:00 privkey.pem -> privkey-1591135204.pem


How do I get IPfire to (automatically) use the newly issued LetyEncrypt certs, please?

1 Like

Hello DH - welcome to the IPFire Community!

As you use the Community (reading, posting, etc.) you’ll be able to do more & more.

FYI - for the code (or code-like) sections, feel free to add 3 back ticks before and after. That will place the code into a code block.

Example:
7. /usr/bin/dehydrated -e

# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare – CA=“https:// acme-staging-v02.api.letsencrypt(dot)org/directory”
declare – CERTDIR="/etc/dehydrated/certs"
declare – ALPNCERTDIR="/etc/dehydrated/alpn-certs"
declare – CHALLENGETYPE=“dns-01”
declare – DOMAINS_D=""
...

Sorry I don’t have an answer about dehydrated. But it is something I am interested in and hope to learn more from your experience.

1 Like

Jon,

Thank you very much for the “3 back ticks” recommendation… that is exactly what I was looking for!

If you want you can click on the pencil (at bottom of your post) and edit your original post. Up to you…


Screen Shot 2020-06-04 at 3.56.02 PM

Do not see that option… please see image below:

Hmm! that is just weird! My quick wild guess is that an edit can only be done within the first 24 hours of the original post. I’ll ask the admin to make sure…

Afaik two things are involved. The default setting 24h and your trust level. So if i remember correct default and trust level new/basic user are 24h. and there is a setting 30 days but i forgot what trust level is needed.

Edit:

Hehe @jon thats the funny part, i see you post it on your own a few days ago :wink:

Hey! That is the document I was just searching for!!

Trust Level 0 — New

By default, all new users start out at trust level 0, meaning trust has yet to be earned. These are visitors who just created an account, and are still learning the community norms and the way your community works. New users’ abilities are restricted for safety.

Users at trust level 0 cannot

  • Edit their own posts after more than 24 hours