DuckDNS with LetsEncrypt

[JA93]

I wanted SSL for both my DuckDNS domain and subdomains, but got stuck with a pesky LetsEncrypt error. Let 'sEncrypt gave me the "Can not find dns api hook for: dns_duckdns" error, and manual TXT records didn't fly with DuckDNS, I turned to ZeroSSL. However, ZeroSSL only hands out SSL for domains (unless you're up for a pricey $50/mo plan), but I found a cool trick.

How to Install SSL on DuckDNS + Subdomains with Asuswrt Merlin Routers ​

Step 1: Install acme.sh

First, we need to install acme.sh, a handy ACME protocol client that supports Let's Encrypt and DuckDNS.

# Download acme.sh
wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
tar -zxvf master.tar.gz

# Install acme.sh
./acme.sh --install
./acme.sh --version # Make sure it's installed properly

Step 2: Register for a DuckDNS account

If you haven't already, sign up for a DuckDNS account and create a domain. This will be your primary domain for which we'll obtain SSL using ZeroSSL.

Step 3: Obtain SSL for the primary domain using ZeroSSL

Next, we'll get SSL for your DuckDNS domain using ZeroSSL. Although ZeroSSL only provides SSL for the main domain without charge, we'll later use it to get SSL for subdomains via Let's Encrypt.

# Register an account and set up DuckDNS API Token
export DuckDNS_Token=XXXXX

# Issue SSL certificate for your DuckDNS domain
./acme.sh --issue --dns dns_duckdns -d yourdomain.duckdns.org --ecc --home /path/to/acme.sh-master

Step 4: Obtain SSL for subdomains using Let's Encrypt

Since Let's Encrypt allows SSL for subdomains for free, we'll use the TXT record issued by ZeroSSL to obtain SSL for your subdomains.

# Issue SSL certificate for your DuckDNS domain
./acme.sh --issue --dns dns_duckdns -d 'yourdomain.duckdns.org' --dnssleep 120 --days 90 --ecc --server https://acme-v02.api.letsencrypt.org/directory

# Issue SSL certificate for your DuckDNS subdomain
./acme.sh --issue --dns dns_duckdns -d '*.yourdomain.duckdns.org' --dnssleep 120 --days 90 --ecc --server https://acme-v02.api.letsencrypt.org/directory

Step 5: Automatic Renewal (Optional)

You can set up a cron job to automatically renew your SSL certificates before they expire. Add the following command to your crontab:

0 0 * * * "/path/to/acme.sh-master"/acme.sh --cron --home "/path/to/acme.sh-master/"

You now have SSL certificates installed for both your DuckDNS domain and subdomains on your Router!
Keep in mind that I have an older armv7(386.3.2) router and maybe this is well-known in your community... I had trouble finding it out and I decided to share. I'm not an expert by any means, just a hobbyist!

 

[XIYO]

Hello,

I'm a non-native English speaker, so I've used a translator to communicate. If my tone comes off as rude, I hope you'll understand.

I encountered an error stating "Can't find DNS API hook for: dns_duckdns." The issue arises because there is no hook available in `/usr/sbin/dnsapi`.

To fix this problem, you can download the required file from GitHub and create a symbolic link in `/usr/sbin/dnsapi/`.

For DuckDNS, please download `dns_duckdns.sh`.

Below are the commands I used for testing. I've registered with Cloudflare and am using token authentication rather than global key.

export CF_Token="r0MLva_q---------------------------"
export CF_Account_ID="f25f68---------------------------"
export CF_Zone_ID="688ba---------------------------"


/usr/sbin/acme.sh --test --issue --dns dns_cf -d domain.com -d *.domain.com --cert-home /jffs/.le

For actual use, simply remove the `--test` option.

If someone reads this and could tell me at which point in the script to create the symbolic link under /usr/sbin/dnsapi/, I would greatly appreciate it. I'm still updating manually...

Thank you.

 

[JA93]

Hello,

I'm a non-native English speaker, so I've used a translator to communicate. If my tone comes off as rude, I hope you'll understand.

I encountered an error stating "Can't find DNS API hook for: dns_duckdns." The issue arises because there is no hook available in `/usr/sbin/dnsapi`.

To fix this problem, you can download the required file from GitHub and create a symbolic link in `/usr/sbin/dnsapi/`.



Below are the commands I used for testing. I've registered with Cloudflare and am using token authentication rather than global key.

export CF_Token="r0MLva_q---------------------------"
export CF_Account_ID="f25f68---------------------------"
export CF_Zone_ID="688ba---------------------------"


/usr/sbin/acme.sh --test --issue --dns dns_cf -d domain.com -d *.domain.com --cert-home /jffs/.le

For actual use, simply remove the `--test` option.

If someone reads this and could tell me at which point in the script to create the symbolic link under /usr/sbin/dnsapi/, I would greatly appreciate it. I'm still updating manually...

Thank you.

LetsEncrypt gives

"Can't find DNS API hook for: dns_duckdns."

First, you issue ZeroSSL and only after u issue LetsEncrypt on top of it.. I explained everything in post

 

[organicsensi]

I made an account on this forum just to thank you. Incredibly easy walkthrough. I spent hours wandering through forums and trying everything last night. Woke up this morning, found this, done.

 

[Lucian Tothezan]

Hello. great tutorial and very easy to follow. I have however a few questions, beeing a noob: how do i know that the router now has the certificates taken into account(should the icon speciffic to the lets encrypt be visible in the interface alongside the ddns name)? is the router taking into account the options for certification , available in the DDNS tab? if Yes, which option should i pick in order not to create conflicts? Thank You in advance for Your help. Best regards.

 

[JA93]

I used "Import Your Own Cert", maybe you can generate "Free Cert from Let's Encrypt" and only use my method to obtain cert for subdomains as an alternative...
"how do i know that the router now has the certificates taken into account" - just visit your domain/subdomain and check if "https" is working properly

 

[Lucian Tothezan]

thank You for the prompt reply. so by using the import Your own certificate during all the steps described in Your post, the certificates will be automatically uploaded ? no need for me to do it manually?
i am asking because i tried accessing via https but it is still marked as unsecure so something did not go as aspected. i will will redo the stepts with this option selected.

 

[JA93]

thank You for the prompt reply. so by using the import Your own certificate during all the steps described in Your post, the certificates will be automatically uploaded ? no need for me to do it manually?
i am asking because i tried accessing via https but it is still marked as unsecure so something did not go as aspected. i will will redo the stepts with this option selected.

When you generate SSL with acme for your domain, you can expose storage of the router(USB) to local network and upload your ssl from there. It should automatically renew it if you set cron job.
Pro tip: If you face any problem you can always get help from GPT3/4 or Claude, they are incredibly useful

 

[Lucian Tothezan]

thank You again for the tips. i am not sure how to use them yet i installed the acme.sh-master on the jffs partition and all went well..i can see the generated certificates but i do not know how to use them( itried uplaoding them manually..it seems to be working but i am not sure about which file is the certificate. i considered the mydomain.duckdns.org.cer as the certificate to be used, and for the key, well the only file that had a .key extension; in the interface it shouws that there is a certificate issued by letsencrypt and a due date for it. is that ok?). must i upload them manually in the router`s interface or they are already loaded after the acme finishes the job? I will also try to contat the 2 persons . thank You again.

 

[XIYO]

thank You again for the tips. i am not sure how to use them yet i installed the acme.sh-master on the jffs partition and all went well..i can see the generated certificates but i do not know how to use them( itried uplaoding them manually..it seems to be working but i am not sure about which file is the certificate. i considered the mydomain.duckdns.org.cer as the certificate to be used, and for the key, well the only file that had a .key extension; in the interface it shouws that there is a certificate issued by letsencrypt and a due date for it. is that ok?). must i upload them manually in the router`s interface or they are already loaded after the acme finishes the job? I will also try to contat the 2 persons . thank You again.

Greetings! If you're opting to upload the certificates manually, the destination for your uploaded certificates should be `/jffs/.cert`.

You can include commands to immediately move the generated certificates into this directory. Here’s how you could do it:

/usr/sbin/acme.sh --issue --force --dns dns_cf -d xiyo.dev -d *.xiyo.dev --cert-home /jffs/XIYOsWorkspace/.le --reloadcmd "cp /jffs/XIYOsWorkspace/.le/xiyo.dev/xiyo.dev.key /jffs/.cert/key.pem && cp /jffs/XIYOsWorkspace/.le/xiyo.dev/fullchain.cer /jffs/.cert/cert.pem"

In particular, the segment:

--reloadcmd "cp /jffs/XIYOsWorkspace/.le/xiyo.dev/xiyo.dev.key /jffs/.cert/key.pem && cp /jffs/XIYOsWorkspace/.le/xiyo.dev/fullchain.cer /jffs/.cert/cert.pem"

can be tailored to fit your specific requirements before execution.

Should my translation have unintentionally carried a tone that seems impolite, please accept my apologies. I’ve employed a translation tool for this task.