So I’ve spent the better part of two days trying to figure out why in God’s name the latest swag image is simply unable to work together with duckdns/certbot.
There’s a variety of different errors, but they go along the lines of:
apps:~# docker compose up
[+] Running 1/0
✔ Container swag Created 0.0s
Attaching to swag
swag | [migrations] started
swag | [migrations] 01-nginx-site-confs-default: skipped
swag | [migrations] done
swag | usermod: no changes
swag | ───────────────────────────────────────
swag |
swag | ██╗ ███████╗██╗ ██████╗
swag | ██║ ██╔════╝██║██╔═══██╗
swag | ██║ ███████╗██║██║ ██║
swag | ██║ ╚════██║██║██║ ██║
swag | ███████╗███████║██║╚██████╔╝
swag | ╚══════╝╚══════╝╚═╝ ╚═════╝
swag |
swag | Brought to you by linuxserver.io
swag | ───────────────────────────────────────
swag |
swag | To support the app dev(s) visit:
swag | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
swag |
swag | To support LSIO projects visit:
swag | https://www.linuxserver.io/donate/
swag |
swag | ───────────────────────────────────────
swag | GID/UID
swag | ───────────────────────────────────────
swag |
swag | User UID: 1000
swag | User GID: 1000
swag | ───────────────────────────────────────
swag |
swag | using keys found in /config/keys
swag | chown: cannot dereference '/config/keys/letsencrypt': No such file or directory
swag | **** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
swag | **** The app may not work properly and we will not provide support for it. ****
swag | Variables set:
swag | PUID=1000
swag | PGID=1000
swag | TZ=Etc/UTC
swag | URL=mydomain.duckdns.org
swag | SUBDOMAINS=
swag | EXTRA_DOMAINS=
swag | ONLY_SUBDOMAINS=false
swag | VALIDATION=duckdns
swag | CERTPROVIDER=
swag | DNSPLUGIN=duckdns
swag | EMAIL=
swag | STAGING=true
swag |
swag | the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org
swag | NOTICE: Staging is active
swag | Using Let's Encrypt as the cert provider
swag | No e-mail address entered or address invalid
swag | dns validation via duckdns plugin is selected
swag | Generating new certificate
swag | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag | Requesting a certificate for mydomain.duckdns.org
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/duckdns.ini
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/duckdns.ini
swag | Waiting 30 seconds for DNS changes to propagate
swag |
swag | Certbot failed to authenticate some domains (authenticator: dns-duckdns). The Certificate Authority reported these problems:
swag | Domain: mydomain.duckdns.org
swag | Type: unauthorized
swag | Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.duckdns.org
swag |
swag | Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-duckdns. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-duckdns-propagation-seconds (currently 30 seconds).
swag |
swag | Some challenges have failed.
swag | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/duckdns.ini file.
I initially tried setting things up in a Debian LXC, but that didn’t work.
So I figured I’d try an Alpine LXC. Still doesn’t work.
I’ve tried giving more propagation time, up to 120 seconds. Didn’t work.
I’ve tried creating the necessary files to make things work, I’ve opened up all the necessary ports, and yet, here we are.
Sample config here:
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=mydomain.duckdns.org
      - VALIDATION=duckdns
      - DNSPLUGIN=duckdns
      - STAGING=true
    volumes:
      - ${PWD-.}/swag:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped
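Two lines in the log above are the ones worth checking before anything else: certbot's "Unsafe permissions on credentials configuration file" warning about /config/dns-conf/duckdns.ini, and the CA reporting an empty TXT record at _acme-challenge.mydomain.duckdns.org, which means the DuckDNS TXT update never landed (wrong or placeholder token, or a domain that does not match the token's account). The script below is an added pre-flight check, not part of the post or of the linuxserver/swag image. It assumes the credentials key in duckdns.ini is `dns_duckdns_token` (the name the certbot-dns-duckdns plugin uses; verify against your own file) and that `dig` is installed if you call the optional live lookup. The sample log it parses is constructed from the lines quoted in the post.

```python
"""Pre-flight checks for a failing swag + certbot-dns-duckdns run.

Added example, not part of the original post or the swag image.
Assumptions: credentials key is `dns_duckdns_token`; `dig` exists for
lookup_acme_txt(). Everything else runs offline.
"""
import configparser
import os
import re
import shutil
import stat
import subprocess
import tempfile

# Values that mean "the token was never filled in" (constructed list).
PLACEHOLDERS = {"", "<your_token>", "your_token", "changeme"}

# Constructed from the post's log; the `swag | ` prefix is docker compose's.
SAMPLE_LOG = """\
swag  | Certbot failed to authenticate some domains (authenticator: dns-duckdns). The Certificate Authority reported these problems:
swag  | Domain: mydomain.duckdns.org
swag  | Type: unauthorized
swag  | Detail: Incorrect TXT record "" found at _acme-challenge.mydomain.duckdns.org
"""

FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>.+)"
)


def credentials_mode_is_safe(mode: int) -> bool:
    """Certbot emits the 'Unsafe permissions' warning when the credentials
    file is readable or writable by group or others, i.e. when any of the
    low 0o077 bits are set. 0o600 (owner-only) is what it expects."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def inspect_credentials(path: str, key: str = "dns_duckdns_token") -> dict:
    """Report the two things that decide whether the DuckDNS TXT update can
    succeed at all: the file mode, and whether the token is still a placeholder."""
    st = os.stat(path)
    parser = configparser.ConfigParser()
    with open(path, encoding="utf-8") as fh:
        # The ini has no [section] header, so wrap it in a dummy one.
        parser.read_string("[dns]\n" + fh.read())
    token = parser["dns"].get(key, "").strip()
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "mode_safe": credentials_mode_is_safe(st.st_mode),
        "token_present": token not in PLACEHOLDERS,
    }


def make_sample_ini(token: str, mode: int) -> str:
    """Write a constructed duckdns.ini to a temp file with the given mode,
    so the checks can be exercised without touching a real /config."""
    fd, path = tempfile.mkstemp(suffix="-duckdns.ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not a real token\n")
        fh.write(f"dns_duckdns_token = {token}\n")
    os.chmod(path, mode)
    return path


def strip_compose_prefix(text: str) -> str:
    """Remove the `<service> | ` prefix docker compose adds to every line."""
    return re.sub(r"(?m)^[\w.-]+\s*\|\s?", "", text)


def parse_certbot_failures(log_text: str) -> list:
    """Pull the per-domain problem blocks out of a certbot run and flag the
    case in the post: a TXT record that exists but is empty."""
    results = []
    for m in FAILURE_RE.finditer(log_text):
        detail = m.group("detail").strip()
        found = re.search(r'TXT record "(.*?)" found at (\S+)', detail)
        results.append({
            "domain": m.group("domain"),
            "type": m.group("type"),
            "challenge_name": found.group(2) if found else None,
            "txt_value": found.group(1) if found else None,
            "txt_missing": bool(found) and found.group(1) == "",
        })
    return results


def lookup_acme_txt(domain: str, resolver: str = "1.1.1.1") -> list:
    """Live check of the record the CA reads. Certbot's cleanup step clears
    the TXT after the attempt, so run this during the propagation wait.
    Returns the TXT strings found, [] if none. Requires `dig` (assumption)."""
    dig = shutil.which("dig")
    if dig is None:
        raise RuntimeError("dig not found; install bind-tools (Alpine) or dnsutils (Debian)")
    out = subprocess.run(
        [dig, "@" + resolver, "+short", "TXT", f"_acme-challenge.{domain}"],
        capture_output=True, text=True, timeout=15, check=False,
    ).stdout
    return [ln.strip().strip('"') for ln in out.splitlines() if ln.strip()]


if __name__ == "__main__":
    for failure in parse_certbot_failures(strip_compose_prefix(SAMPLE_LOG)):
        print(failure)
    # Reproduces the post's two warnings: mode 0o644 and an unfilled token.
    print(inspect_credentials(make_sample_ini("<your_token>", 0o644)))
```

Run it inside the container (or against the host-side `swag/dns-conf/duckdns.ini`) with `inspect_credentials("/config/dns-conf/duckdns.ini")`; a `mode_safe: False` result is fixed with `chmod 600`, and `token_present: False` means the template placeholder was never replaced. If both pass and the CA still sees `""`, `lookup_acme_txt("mydomain.duckdns.org")` during the propagation wait tells you whether DuckDNS ever published the record at all.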