Sub-subdomain wildcard certificate DuckDNS

I am having an issue getting a wildcard certificate for a sub-subdomain with DuckDNS.

docker-compose.yaml
version: "3"

services:
  traefik:
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false

      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure

      - --entryPoints.websecure.address=:443

      - --experimental.http3=true

      - --entryPoints.websecure.http3
      - --entrypoints.websecure.http.tls.certResolver=myresolver
      - --entrypoints.websecure.http.tls.domains[0].main=👀.duckdns.org
      - --entrypoints.websecure.http.tls.domains[0].sans=*.👀.duckdns.org,*.dns.👀.duckdns.org

      - --certificatesResolvers.myresolver.acme.dnsChallenge=true
      - --certificatesResolvers.myresolver.acme.dnsChallenge.provider=duckdns
      - --certificatesResolvers.myresolver.acme.email=webmaster@👀.duckdns.org
      - --certificatesResolvers.myresolver.acme.storage=/letsencrypt/acme.json
    container_name: traefik
    environment:
      - DUCKDNS_TOKEN=👀
    image: traefik:v2.10
    networks:
      - traefik
      - adguardhome
    ports:
      - 80:80 # HTTP
      - 443:443 # HTTPS
      - 443:443/udp # HTTP/3
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

      - ./traefik/letsencrypt:/letsencrypt

  traefik-certs-dumper:
    command: file --version v2 --watch --source /letsencrypt/acme.json --dest /data
    container_name: traefik-certs-dumper
    image: ldez/traefik-certs-dumper:v2.8.1
    network_mode: none
    volumes:
      - ./traefik-certs-dumper:/data

      - ./traefik/letsencrypt:/letsencrypt:ro

  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome
    networks:
      - adguardhome
    labels:
      - traefik.enable=true

      - traefik.http.routers.adguardhome.rule=Host(`dns.👀.duckdns.org`) || HostRegexp(`{my-client:.+}.dns.👀.duckdns.org`)
      - traefik.http.routers.adguardhome.entryPoints=websecure

      - traefik.http.routers.adguardhome.service=adguardhome

      - traefik.http.services.adguardhome.loadBalancer.server.port=3000
    ports:
      - 853:853 # DNS over TLS
    restart: unless-stopped
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf

      - ./traefik-certs-dumper:/certs:ro

networks:
  traefik:
    name: traefik

  adguardhome:
    name: adguardhome

The error is:

time="2024-03-26T18:14:10Z" level=error msg="Unable to obtain ACME certificate for domains \"👀.duckdns.org,*.👀.duckdns.org,*.dns.👀.duckdns.org\"" error="unable to generate a certificate for the domains [*.dns.👀.duckdns.org]: error: one or more domains had a problem:\n[*.dns.👀.duckdns.org] propagation: time limit exceeded: last error: read udp 192.168.224.3:57248->99.79.143.35:53: i/o timeout\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=adguardhome@docker rule="Host(`dns.👀.duckdns.org`) || HostRegexp(`{my-client:.+}.dns.👀.duckdns.org`)" providerName=myresolver.acme

Not sure if this is a problem with your network. Is this only since you added the second-level wildcard?

You can try (doc, below list):

delayBeforeCheck
By default, the provider verifies the TXT record before letting ACME verify. You can delay this operation by specifying a delay (in seconds) with delayBeforeCheck (value must be greater than zero). This option is useful when internal networks block external DNS queries.

Changed the system DNS to Quad9 and the issue resolved.

I am not sure why I didn't try this to begin with. I guess it was because my system DNS appeared to otherwise have no issues.

DNS always seems to be the root cause of most of my issues.
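
To tell blocked or unanswered DNS apart from slow TXT propagation, as with the `i/o timeout` in the log above, the following added example (not code from this thread or from Traefik) sends one `_acme-challenge` TXT query over UDP to a server you name and reports whether any reply comes back. The function names and the `example.duckdns.org` name are assumptions made for illustration.

```python
import socket
import struct
import sys

def challenge_name(domain: str) -> str:
    """DNS-01 TXT record name; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")

def build_txt_query(name: str, txid: int = 0x4143) -> bytes:
    """Encode a recursive TXT query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)  # TXT, IN

def probe(server: str, domain: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send one TXT query over UDP and classify what comes back."""
    query = build_txt_query(challenge_name(domain))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # same symptom as the "i/o timeout" in the log
        except OSError as exc:
            return "error: %s" % exc
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "malformed"
    flags, _qd, answers = struct.unpack("!HHH", reply[2:8])
    # rcode 0 (NOERROR) or 3 (NXDOMAIN) both prove the server is reachable.
    return "rcode=%d answers=%d" % (flags & 0x000F, answers)

if __name__ == "__main__":
    # Usage: python3 probe.py <dns-server-ip> <domain>
    # e.g. the server IP from the error line and a constructed name such as
    # "*.dns.example.duckdns.org" (placeholder, not a value from the thread).
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from a container attached to the same Docker network as Traefik, since that is the network path the propagation check uses.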