About port forwarding, DuckDNS and Let's Encrypt

OK team,
This is how I set up the network part:

  • the modem has the following port forwarded:
    local IP address: 192.168.2.68
    local port: 8123
    external port: 8123
  • DuckDNS is configured like:
domains:
 - my_own_example.duckdns.org
token: my-token
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300
  • my configuration.yaml
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Yet I get the following error when trying to connect with the companion app


Not possible to connect with Home Assistant. The HA certificate is not correct, check the certificate and settings and try again
How can I check the certificate and/or how can I renew it?
Thanks in Advance.

What URL are you using?

https://192.168.0.42:8123/ won’t work :wink:

Using https://my_own_example.duckdns.org:8123

I picked up somewhere that external_IP:443 should be forwarded to internal:8123, but I assume that cannot be true, as in that case it will not be possible to connect other encrypted services on other ports on other IP addresses.
But maybe I am wrong.

Well, if you forwarded 443 you just use https://yourhost.duckdns.org

The other thing to do if that doesn’t solve it is to use Chrome as you’ll get a more useful error.

Do you have any other encrypted services that you are exposing to the internet? It should indeed be 443 external to 8123 internal.

If you need MORE services exposed on port 443, then the answer is to use something like Nginx Proxy Manager addon. So the subdomain you use determines which encrypted resource you are accessing.


I have Nextcloud running on a different RPi, thus a different IP, and it uses a non-standard port, 18008, and external:18008 is forwarded to IP:18008 of the Nextcloud Pi.

Which isn’t port 443, so will not conflict with Home Assistant being forwarded from 443 to 8123

Yes... But it makes use of the same DNS name. How does LetsEncrypt react if a certificate is requested twice (for 2 different services)?

That’s true, that’s why people typically have a subdomain for each machine. For example:

ha.mydomain.duckdns.org
nextcloud.mydomain.duckdns.org

etc

You don’t have to do anything on the DuckDNS end, it’s already configured so any subdomain of your duckdns domain will return the right IP address.

If you wanted you could have this.is.my.super.long.subdomain.at.mydomain.duckdns.org and it would still return your correct IP address.

The only change you have to make is on the LetsEncrypt end, and on the external URL of Home Assistant end.

makes sense, but how can I achieve that?

Go to the LetsEncrypt add-on and add the domain in there, whatever you have decided to use: ha. or home. or whatever. Let LetsEncrypt get the certificate.
Go to Home Assistant settings - General - Network and put your new subdomain in there for the external access.

You don’t have to do anything with DuckDNS.

You will probably need to do the same with NextCloud to get a new certificate for the subdomain.

Sorry that I’m slow, but I do not have to define/configure something like ha.mydomain.duckdns.org with DuckDNS ?

Looking at the log file I see this:

KO + Responding to challenge for ha.XX.duckdns.org authorization...
 + Cleaning challenge tokens...
KO + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"\" found at _acme-challenge.ha.XX.duckdns.org"
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"\" found at _acme-challenge.ha.titania.duckdns.org","status":403}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/296185325816/CVVlEg"
["token"]	"5QqR-EvP7yoSjcO_WM9provZSY_ZbZfFT3FwZpwf1CY"
["validated"]	"2023-12-22T08:41:32Z")
[09:46:37] WARNING: KO

No, you don’t typically need to do anything - for example:

C:\Users\asjmc>ping xxx.duckdns.org

Pinging xxx.duckdns.org [170.xx.xx.53] with 32 bytes of data:
Control-C
^C
C:\Users\asjmc>ping ping.xxx.duckdns.org

Pinging ping.xxx.duckdns.org [170.xx.xx.53] with 32 bytes of data:
Control-C
^C
C:\Users\asjmc>ping test.ping.xxx.duckdns.org

Pinging test.ping.xxx.duckdns.org [170.xx.xx.53] with 32 bytes of data:
Control-C
^C
C:\Users\asjmc>ping my.super.long.sub.domain.test.ping.xxx.duckdns.org

Pinging my.super.long.sub.domain.test.ping.xxx.duckdns.org [170.xx.xx.53] with 32 bytes of data:
Control-C
^C

As you can see it always returns the same IP address

I prefixed my DNS name with “ha.” and that works, yet I find in the log file:

[17:52:37] WARNING: KO
[17:57:38] WARNING: KO
[18:02:39] WARNING: KO
[18:07:40] WARNING: KO
[18:12:40] WARNING: KO
[18:17:41] WARNING: KO
[18:22:42] WARNING: KO
[18:27:43] WARNING: KO
[18:32:44] WARNING: KO
[18:37:44] WARNING: KO

And the companion app refuses to connect to the ha.MYNAME.duckdns.org name with a message:
Not possible to connect with Home Assistant. There was an error when loading HA. Check the connection configuration and try again. We will try a different URL when you click renew.
The old URL (thus without ha.) still works, while in the DuckDNS section the name with ha. has been configured.
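Why the old URL keeps working while the new subdomain is rejected, as an added example that is not code from this thread, from Home Assistant or from the DuckDNS add-on: the companion app, like a browser, only accepts a certificate whose DNS names cover the exact hostname in the URL. A certificate issued for XX.duckdns.org does not cover ha.XX.duckdns.org; only a certificate that lists that name, or the wildcard *.XX.duckdns.org, would. The script below implements that RFC 6125 name matching with the Python standard library and can also read the names out of the certificate a live server presents. The hostnames, the 8123 default port and the function names are assumptions for illustration.

```python
"""Check whether the certificate a server presents covers the URL hostname.

Added example for this thread, not code from Home Assistant or the DuckDNS
add-on. Name matching follows the RFC 6125 rules that browsers and the
companion app apply: an exact (case-insensitive) match, or a wildcard that
is the whole leftmost label and stands for exactly one label.
"""
import socket
import ssl
import sys


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must agree:
    # '*.XX.duckdns.org' covers 'ha.XX.duckdns.org' but not 'XX.duckdns.org'
    # or 'a.b.XX.duckdns.org'.
    if len(p) != len(h) or len(p) < 2:
        return False
    # '*' is only accepted as the complete leftmost label; 'ha*.example' and
    # 'ha.*.example' are rejected, as modern clients do.
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def cert_covers(san_names, hostname: str):
    """Return the first certificate name that covers `hostname`, or None."""
    for name in san_names:
        if name_matches(name, hostname):
            return name
    return None


def served_cert_names(hostname: str, port: int = 8123):
    """Connect with SNI and return the DNS names in the certificate served.

    Hostname checking is switched off so that a mismatched certificate can
    still be inspected; the chain is still verified against the system trust
    store, so a self-signed or expired certificate raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str, port: int = 8123) -> str:
    """Explain whether the served certificate is valid for `hostname`."""
    names = served_cert_names(hostname, port)
    match = cert_covers(names, hostname)
    if match:
        return f"OK: {hostname} is covered by certificate name {match}"
    return (f"MISMATCH: certificate names {names} do not cover {hostname}; "
            "reissue it for this name (or a wildcard) before using this URL")


if __name__ == "__main__":
    # Usage: python check_cert.py ha.XX.duckdns.org [8123]
    host = sys.argv[1]
    prt = int(sys.argv[2]) if len(sys.argv) > 2 else 8123
    print(diagnose(host, prt))
```

Run it against the external name you put into the companion app. If the output says MISMATCH, the file in /ssl was issued for a different name and the app is right to refuse it; if the connection itself fails with ssl.SSLError, the chain (expiry or issuer) is the problem rather than the name.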

mmm,
now I found the following in the DuckDNS log

[09:18:42] WARNING: KO
[09:18:43] INFO: Renew certificate for domains: ha.XXXX.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing ha.XXXX.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for ha.XXXX.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
KO + Responding to challenge for ha.XXXX.duckdns.org authorization...
 + Cleaning challenge tokens...
KO + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect TXT record \"\" found at _acme-challenge.ha.XXXX.duckdns.org"
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"\" found at _acme-challenge.ha.XXXX.duckdns.org","status":403}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/296860165426/i_Owng"
["token"]	"B_BSMVvawSSKQaWFfaMFNRlzv2htPwerasdd7A8GI"
["validated"]	"2023-12-24T08:18:52Z")
[09:23:57] WARNING: KO

To me the above is very much abracadabra. Maybe someone can shine some light in this darkness.
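Reading the dehydrated error block above, as an added example that is not part of the thread, of the DuckDNS add-on or of dehydrated itself: the CA answers the dns-01 challenge with status 403 and type urn:ietf:params:acme:error:unauthorized, and the detail says it found an empty TXT record at _acme-challenge.ha.XXXX.duckdns.org. In other words, Let's Encrypt queried exactly that name at validation time and the token the add-on had just deployed was not being served there. The script below parses the flattened `["path"]<TAB>value` lines the log prints, rebuilds the challenge result as a dictionary, and derives the record name and the `dig` query you can run to see what the public DNS actually returns for it. The sample log is constructed from the format shown above with the order URL left out; the function names are assumptions.

```python
"""Parse a dehydrated "Challenge is invalid!" block and say what to check.

Added example for this thread; not code from dehydrated or the DuckDNS add-on.
dehydrated prints the CA's challenge object one field per line as a JSON path
(e.g. ["error","detail"]), a tab, and the JSON value; the first field is glued
to the ERROR line and the last one carries the closing ')'.
"""
import json
import re

# Constructed sample in the format of the add-on log above (order URL omitted).
SAMPLE_LOG = """\
[09:18:43] INFO: Renew certificate for domains: ha.XXXX.duckdns.org and aliases: 
Processing ha.XXXX.duckdns.org
 + Deploying challenge tokens...
KO + Responding to challenge for ha.XXXX.duckdns.org authorization...
 + Cleaning challenge tokens...
KO + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]\t"dns-01"
["status"]\t"invalid"
["error","type"]\t"urn:ietf:params:acme:error:unauthorized"
["error","detail"]\t"Incorrect TXT record \\"\\" found at _acme-challenge.ha.XXXX.duckdns.org"
["error","status"]\t403
["error"]\t{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \\"\\" found at _acme-challenge.ha.XXXX.duckdns.org","status":403}
["validated"]\t"2023-12-24T08:18:52Z")
[09:23:57] WARNING: KO
"""

# Optional "ERROR: ... (result: " prefix, then the JSON path, a tab, the value.
RESULT_RE = re.compile(r'^(?:ERROR: .*?\(result: )?(\[[^\]]*\])\t(.*)$')
CHALLENGE_NAME_RE = re.compile(r"found at (\S+)")


def parse_result(log: str) -> dict:
    """Return the challenge object as {"error.detail": ..., "status": ...}."""
    result = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # ordinary progress line, e.g. "[09:18:43] INFO: ..."
        path = json.loads(m.group(1))  # e.g. ["error", "detail"]
        raw = m.group(2)
        try:
            value = json.loads(raw)
        except json.JSONDecodeError:
            value = json.loads(raw.rstrip(")"))  # last field ends the result tuple
        result[".".join(path)] = value
    return result


def diagnose(result: dict) -> dict:
    """Extract the challenge type, ACME error and the DNS name the CA looked up."""
    err_type = result.get("error.type", "")
    detail = result.get("error.detail", "")
    name = CHALLENGE_NAME_RE.search(detail)
    info = {
        "challenge": result.get("type"),
        "status": result.get("status"),
        "error": err_type.rsplit(":", 1)[-1],  # e.g. "unauthorized"
        "challenge_name": name.group(1) if name else None,
        # The CA quotes the value it saw; "" means no token was served there.
        "empty_txt": 'Incorrect TXT record ""' in detail,
    }
    if info["challenge"] == "dns-01" and info["challenge_name"]:
        # What to run yourself while the add-on is mid-renewal: the answer
        # must be the token the CA expects, not empty and not a stale value.
        info["check"] = f"dig +short TXT {info['challenge_name']}"
    return info


if __name__ == "__main__":
    print(json.dumps(diagnose(parse_result(SAMPLE_LOG)), indent=2))
```

To use it on a real log, replace SAMPLE_LOG with the text copied from the add-on log. The empty_txt flag is the key signal: the CA did reach DuckDNS's name servers for the subdomain, but the TXT value it got back was empty, so the fix is on the DNS side (where the token is published) and not in Home Assistant's http: settings.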