Can't access home assistant from android app on route https://homeassistant.<mydomain>.duckdns.org - using reverse proxy (certificate invalid)

However, I’m able to access this route fine via web browsers. So it is working correctly, at least for a web browser. I also have other services running on this host, and I am not having issues with my other services connecting to https://$service.<mydomain>.duckdns.org.

On the other hand, I found that this route works (http://homeassistant.<mydomain>.duckdns.org:8123) in the app (and also in the browser).
But this route should not be available, as it permits insecure connections, so I also need to fix this. For now at least HA works, but there is definitely something wrong, as I cannot connect via the android app at the moment.

EDIT: Adding a note, I don’t yet have a valid cert for the subdomain homeassistant.<mydomain>.duckdns.org (because duckdns certs do not support this), so I can visit https://homeassistant.<mydomain>.duckdns.org only on browsers such as firefox that allow invalid certs. Is the app set up to reject invalid certs? I am planning to switch to cloudflare but have just not done so yet (it is my next task).

Here are my home assistant confs

    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 192.168.1.16  # Nuc

and nginx conf

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name homeassistant.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;

        # TLS ends at nginx; the upstream hop to Home Assistant is plain HTTP
        location / {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app 192.168.1.100;
            set $upstream_port 8123;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }

        # Same upstream as "/", declared separately for the API path
        location /api {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app 192.168.1.100;
            set $upstream_port 8123;
            set $upstream_proto http;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }
    }

The simplest solution is to install nginx proxy manager on the NUC, and make sure port 80 and 443 are forwarded to the NUC. You can then get LetsEncrypt certificates for this subdomain, and all your other ones.
Cloudflare does though make it very easy to get a wildcard certificate so all current and future subdomains will just work straight away.

I’ve got nginx set up. Currently forwarding 80 and 443 and can connect fine to all my hosted services. I can connect via firefox browser to HA but not via the android app

Yes, because as you have already indicated, you do not have an official SSL certificate. Replace your Nginx reverse proxy with Nginx Proxy Manager (which is doing the same thing) - and it will allow you to easily obtain Let’s Encrypt certificates which all browsers and the app will recognise and you won’t have any more self-signed certificates.

I’m actually using the linuxserver/swag container from Docker Hub, which has certbot built in. I am, however, opting to use duckdns to get my certs, instead of cloudflare.

I’ve just spotted. I can visit <mydomain>.duckdns.org fine via chrome (so this cert is valid) - but not any combination of $service.<mydomain>.duckdns.org

It appears the issue is down to duckdns not issuing valid certs on subdomains. So I will have to use cloudflare and change my swag container to use cloudflare for certs instead.

You can definitely get certificates for subdomains on DuckDNS, because the official add-on to Home Assistant allows this. I know because I set up my friend’s Home Assistant to use home.domain.duckdns.org and it works fine.

But yes - switch to Cloudflare as soon as possible, and it will make the process much much easier, just to get a single wildcard certificate.

Interesting, I was wondering if it was possible. The container I use does provide a disclaimer regarding duckdns I now notice. I’ll skip ahead to setting up cloudflare now and come back to this later then. Thanks!

Can confirm cert was issue. Cloudflare working perfectly
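
An added example, not part of the original thread: a Python sketch of the name-matching rule that makes a certificate issued only for the base name fail on a subdomain while a wildcard certificate passes, plus a strict handshake check that refuses invalid certificates. The domain `example.duckdns.org` and both SAN lists are constructed placeholders, and `san_covers` / `strict_tls_check` are hypothetical helper names.

```python
import socket
import ssl


def san_covers(hostname, san_dns_names):
    """Return True if any certificate dNSName entry covers hostname.

    Follows the common RFC 6125 rules: comparison is case-insensitive,
    '*' is only honoured as the entire left-most label, and it stands
    for exactly one label (never zero, never several).
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard never spans more or fewer labels
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def strict_tls_check(host, port=443, timeout=5.0):
    """Handshake like a client that refuses invalid certificates.

    Returns (True, "ok") or (False, reason). Needs network access.
    """
    ctx = ssl.create_default_context()  # system CAs + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "ok"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)


# Constructed SAN lists; example.duckdns.org is a placeholder domain.
BASE_ONLY = ["example.duckdns.org"]
WILDCARD = ["example.duckdns.org", "*.example.duckdns.org"]

if __name__ == "__main__":
    for sans in (BASE_ONLY, WILDCARD):
        print(sans, san_covers("homeassistant.example.duckdns.org", sans))
```

Running `strict_tls_check` against the proxied hostname after switching certificates shows whether a client that enforces validation will accept it, and the returned reason distinguishes a hostname mismatch from an untrusted issuer.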