Dehydrated and duckdns

Thank you all for IPFire, fantastic project! Detailed below is an account of attempting to get the pakfire addon dehydrated to work with duckdns.org. I am trying to post a complete walkthrough, but the community software keeps telling me I can only post with 2 URLs?

Thank you all for IPFire, fantastic project! Detailed below is an account of attempting to get the pakfire addon dehydrated to work with duckdns.org. I have failed to find any detailed walkthroughs for IPFire + duckdns.org + dehydrated, but did find some stuff for just duckdns.org + dehydrated.


IPFire 2.25 (x86_64) - Core Update 144

Installed Addons: dehydrated


1. Pakfire install of dehydrated via the IPFire webgui appears to have completed successfully (no indications of failure, and dehydrated is shown in the Installed Addons webgui).

2. Account created at duckdns.org, IPFire Services --> Dynamic DNS properly configured and saved, and IPFire successfully displaying the hostname in the Current hosts webgui.

3. Pinging the xxxxxx.duckdns.org name succeeds (name properly resolves to IP).

4. SSH into IPFire, cd /etc/dehydrated and begin reading through the documentation at github.com/dehydrated-io/dehydrated

5. Edit domains.txt and add in the proper domain name xxxxxx.duckdns.org.

6. Edit config and leave all as default except as detailed here, then save and exit:

```
IP_VERSION=4
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
CHALLENGETYPE="dns-01"
```

7. /usr/bin/dehydrated -e

```
# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare -- CA="https://acme-staging-v02.api.letsencrypt.org/directory"
declare -- CERTDIR="/etc/dehydrated/certs"
declare -- ALPNCERTDIR="/etc/dehydrated/alpn-certs"
declare -- CHALLENGETYPE="dns-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
declare -- HOOK="/etc/dehydrated/hook.sh"
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"
declare -- ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"
declare -- ACCOUNT_ID_JSON="/etc/dehydrated/accounts/xxxxxxxxxxxxxx"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/var/www/dehydrated"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/ssl/openssl.cnf"
declare -- CONTACT_EMAIL=""
declare -- LOCKFILE="/etc/dehydrated/lock"
```


8. /usr/bin/dehydrated --register --accept-terms

```
# INFO: Using main config file /etc/dehydrated/config
 + Generating account key...
 + Registering account key with ACME server...
 + Fetching account ID...
 + Done!
```


9. /usr/bin/dehydrated -c

```
# INFO: Using main config file /etc/dehydrated/config
Processing xxxxxx.duckdns.org
 + Creating new directory /etc/dehydrated/certs/xxxxxx.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for xxxxxx.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for xxxxxx.duckdns.org authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"\" found at _acme-challenge.xxxxxx.duckdns.org",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4979745397/C21hMg",
  "token": "NQy31MzWLQYWRdN9sTtUX2nQ89DDPjUF5pME2K3tKv4"
})
```


10. I believe the issue is that I cannot figure out where / how to declare the TOKEN_FILENAME and TOKEN_VALUE for the hook.sh script that appears to be called by config.

11. hook.sh

```bash
#!/usr/bin/env bash

deploy_challenge() {
    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"

    # This hook is called once for every domain that needs to be
    # validated, including any alternative names you may have listed.
    #
    # Parameters:
    # - DOMAIN
    #   The domain name (CN or subject alternative name) being
    #   validated.
    # - TOKEN_FILENAME
    #   The name of the file containing the token to be served for HTTP
    #   validation. Should be served by your web server as
    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    # - TOKEN_VALUE
    #   The token value that needs to be served for validation. For DNS
    #   validation, this is what you want to put in the _acme-challenge
    #   TXT record. For HTTP validation it is the value that is expected
    #   be found in the $TOKEN_FILENAME file.

    # Simple example: Use nsupdate with local named
    # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
}
```

12. I then edited config and simply added a line:

```
TOKEN_VALUE="xxxxxxx-duckdns.org-token-xxxxxxx"
```


13. /usr/bin/dehydrated -c

```
# INFO: Using main config file /etc/dehydrated/config
Processing xxxxxx.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for xxxxxx.duckdns.org
 + Found valid authorization for xxxxxx.duckdns.org
 + 0 pending challenge(s)
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
```

14. Edit config to enable the real CA in place of the testing CA:

```
CA="https://acme-v02.api.letsencrypt.org/directory"
```

15. /usr/bin/dehydrated -c

```
# INFO: Using main config file /etc/dehydrated/config
Processing xxxxxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 31 21:00:07 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
```

16. Check the /etc/dehydrated/certs directory: my domain is showing as a directory xxxxxx.duckdns.org, and in the xxxxxx.duckdns.org directory is the following:

```
-rw------- 1 root root 1663 Jun 2 15:41 cert-1591134077.csr
-rw------- 1 root root    0 Jun 2 15:41 cert-1591134077.pem
-rw------- 1 root root 1663 Jun 2 15:52 cert-1591134739.csr
-rw------- 1 root root    0 Jun 2 15:52 cert-1591134739.pem
-rw------- 1 root root 1663 Jun 2 16:00 cert-1591135204.csr
-rw------- 1 root root 2224 Jun 2 16:00 cert-1591135204.pem
lrwxrwxrwx 1 root root   19 Jun 2 16:00 cert.csr -> cert-1591135204.csr
lrwxrwxrwx 1 root root   19 Jun 2 16:00 cert.pem -> cert-1591135204.pem
-rw------- 1 root root 1680 Jun 2 16:00 chain-1591135204.pem
lrwxrwxrwx 1 root root   20 Jun 2 16:00 chain.pem -> chain-1591135204.pem
-rw------- 1 root root 3904 Jun 2 16:00 fullchain-1591135204.pem
lrwxrwxrwx 1 root root   24 Jun 2 16:00 fullchain.pem -> fullchain-1591135204.pem
-rw------- 1 root root 3243 Jun 2 15:41 privkey-1591134077.pem
-rw------- 1 root root 3247 Jun 2 15:52 privkey-1591134739.pem
-rw------- 1 root root 3247 Jun 2 16:00 privkey-1591135204.pem
lrwxrwxrwx 1 root root   22 Jun 2 16:00 privkey.pem -> privkey-1591135204.pem
```


How do I get IPFire to (automatically) use the newly issued Let's Encrypt certs, please?

1 Like
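The piece step 10 is looking for, as an added example (not the poster's hook.sh and not code shipped by dehydrated or IPFire): a hook.sh whose deploy_challenge pushes TOKEN_VALUE into the _acme-challenge TXT record through the duckdns update API, and whose clean_challenge removes it again after validation. It assumes the duckdns account token is exported as DUCKDNS_TOKEN (a name chosen here) from /etc/dehydrated/config, which is root-only on IPFire.

```shell
#!/usr/bin/env bash
# Constructed example hook for dehydrated dns-01 with duckdns.org (not the post's hook.sh,
# not shipped by dehydrated or IPFire). Assumption: the duckdns account token is exported
# from /etc/dehydrated/config as DUCKDNS_TOKEN (name chosen here); it is a credential,
# so keep that file root-only.

DUCKDNS_API="https://www.duckdns.org/update"

# The duckdns API wants the bare subdomain, not the full name:
# "*.xxxxxx.duckdns.org" and "xxxxxx.duckdns.org" both map to "xxxxxx".
duckdns_subdomain() {
    local name="${1#\*.}"
    printf '%s\n' "${name%.duckdns.org}"
}

# Build the update URL: txt=... sets the _acme-challenge TXT record,
# adding clear=true removes it again.
duckdns_url() {
    local sub="$1" token="$2" txt="$3" clear="${4:-no}"
    local url="${DUCKDNS_API}?domains=${sub}&token=${token}&txt=${txt}"
    if [ "${clear}" = "yes" ]; then url="${url}&clear=true"; fi
    printf '%s\n' "${url}"
}

# duckdns answers with the literal body "OK" on success and "KO" otherwise.
duckdns_call() {
    local reply
    reply="$(curl -fsS --max-time 30 "$1")" || return 1
    [ "${reply}" = "OK" ]
}

deploy_challenge() {
    local DOMAIN="$1" TOKEN_FILENAME="$2" TOKEN_VALUE="$3"
    local sub; sub="$(duckdns_subdomain "${DOMAIN}")"
    duckdns_call "$(duckdns_url "${sub}" "${DUCKDNS_TOKEN}" "${TOKEN_VALUE}")" \
        || { echo "duckdns TXT update failed for ${DOMAIN}" >&2; return 1; }
    # Give the duckdns nameservers time to serve the new TXT before the CA queries it.
    sleep 30
}

clean_challenge() {
    local DOMAIN="$1" TOKEN_FILENAME="$2" TOKEN_VALUE="$3"
    local sub; sub="$(duckdns_subdomain "${DOMAIN}")"
    duckdns_call "$(duckdns_url "${sub}" "${DUCKDNS_TOKEN}" "${TOKEN_VALUE}" yes)"
}

# dehydrated invokes the hook as: hook.sh <handler> <args...>; other handlers are ignored.
case "${1:-}" in
    deploy_challenge|clean_challenge) handler="$1"; shift; "${handler}" "$@" ;;
esac
```

Run it against the staging CA first, as the post does: a TXT record the CA cannot see produces exactly the `Incorrect TXT record ""` error shown in step 9, so a failed staging run is the cheap place to catch a wrong token or subdomain.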

Hello DH - welcome to the IPFire Community!

As you use the Community (reading, posting, etc.) you’ll be able to do more & more.

FYI - for the code (or code-like) sections, feel free to add 3 back ticks before and after. That will place the code into a code block.

Example:
7. /usr/bin/dehydrated -e

```
# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare -- CA="https://acme-staging-v02.api.letsencrypt.org/directory"
declare -- CERTDIR="/etc/dehydrated/certs"
declare -- ALPNCERTDIR="/etc/dehydrated/alpn-certs"
declare -- CHALLENGETYPE="dns-01"
declare -- DOMAINS_D=""
...
```

Sorry I don’t have an answer about dehydrated. But it is something I am interested in and hope to learn more from your experience.

1 Like

Jon,

Thank you very much for the “3 back ticks” recommendation… that is exactly what I was looking for!

If you want you can click on the pencil (at bottom of your post) and edit your original post. Up to you…



Do not see that option… please see image below:

Hmm! that is just weird! My quick wild guess is that an edit can only be done within the first 24 hours of the original post. I’ll ask the admin to make sure…

AFAIK two things are involved: the default setting (24h) and your trust level. So if I remember correctly, the default for trust level new/basic user is 24h, and there is a setting for 30 days, but I forgot what trust level is needed.

Edit:

Hehe @jon, that's the funny part, I see you posted it on your own a few days ago :wink:

Hey! That is the document I was just searching for!!

Trust Level 0 — New

By default, all new users start out at trust level 0, meaning trust has yet to be earned. These are visitors who just created an account, and are still learning the community norms and the way your community works. New users’ abilities are restricted for safety.

Users at trust level 0 cannot …

  • Edit their own posts after more than 24 hours