Cant get SSL externally working (Duckdns, Ngnix)

quattroe · July 31, 2020, 12:44pm

Hello,
i need some support in getting SSL externally working. Trying to summarise my setup first and then the problem. (sorry for the links, but new users are restricted to 2 links…)

Hardware: INTEL NUC
OS: Ubuntu Server, 20.04.1 LTS.
HA: Home Assistent supervised (installed with this instructions Installing Home Assistant Supervised on Ubuntu 18.04.4 ) -> everything is up and running
Add ons: DuckDNS & NGNIX, both started without errors. SSL certificates are available. DNS is registered.
Firewall: Port forward rule from external 443 to my local NUC ip 192.168.0.5:443

-> I can access inside my network http with local ip and port 8123
-> I can access inside my network https://myduckdns.duckdns.org -> Certificate is shown and valid.

-> i can not access from outside https and duckdns address and (also IP does not work)
-> if i change the firewall rule to port 8123 i can access from external my home assistant instance, but then without ssl

What am i missing in getting it working from external? Happy for any input

Thanks
Erik

quattroe · August 3, 2020, 12:05pm

Figured it out, my internet provider’s router (SAGEMCOM - FAST3686 with local custom firmware) is not able to forward 443 (also not if my HA is in the DMZ). this port always goes to the remote management side, even if remote management is disabled -> i changed the port to some random one and it is working now with SSL.

friendodevil · August 28, 2020, 9:44pm

also running in the same problem with the SAGEMCOM FAST3686.
@quattroe, how did you make the change to a random port?

quattroe · August 29, 2020, 4:58am

Hi friendodevil,
no changes required at NGIX or HA.
Configure your router with a Port Forwarding Rule (Advanced -> Forwarding)
IP Address: * Your HA IP*
Start Port / End Port: 443

External
IP: 0.0.0.0
Start Port / End Port: your selected port (something above 1024 and below 49151)

-> now you should be able to access from external with: https://yourduckdns.duckdns.org:your selected port
-> this setting you also have to change in your app

friendodevil · August 29, 2020, 11:08am

@quattroe Erik,

Thank you for the prompt reply, I appreciate it

I changed the Sagemcom to bridge more and set my router with the port forwarding rule as you’ve suggested (with port 8433>433. I find that if it works well if I https//ip:8433 but duckdns does not update the IP for some reason so https://myduckdns.duckdns.org:8433 does not work…

Any idea why duckdns doesn’t update? do I need to open additional ports?

quattroe · August 29, 2020, 11:12am

You are welcome

For DuckDns, i have set up the DUCKDNS Plugin in HA (alternative also the Sagemcom can update the duckdns record). Just follow the instructions of the duckdns plugin and you should be fine. no further actions required. (did you check the logfiles of duckdns?)

friendodevil · August 29, 2020, 11:27am

@quattroe I’m also using the duckdns HA plugin. The logs look fine but keep updating with the wrong IP

btw: HA was running for ~2yrs on this configuration, all that change was the xDSL >> Cable modem with the Sagemcom

quattroe · August 29, 2020, 12:24pm

sorry, can’t help you there. last try could be to use the duckdns support of the sagemcom device…

friendodevil · August 29, 2020, 12:26pm

how is duckdns supported for the sagemcom device?

Mutt · August 29, 2020, 1:30pm

devil, please tag a moderator to delete your post your internet details are still visible and will be for 24 hours

As for the duckdns update, have you tried manually changing it at duckdns ?

Edit: @petro can you help ?

friendodevil · August 29, 2020, 1:56pm

if i change in manually at duckdns it works but once the client refreshes the IP, it reverts to the wrong IP

Mutt · August 29, 2020, 2:06pm

Unless you tag, quote or reply to me I don’t get a notification.
I just saw this bob up again so you were lucky.

I’m grasping at straws here but try removing the addon, restarting then re-add it with the new address.
It may not work but it beats waiting for your certificates to renew or some such

friendodevil · August 29, 2020, 2:17pm

removed addon, restarted, added new address. — Info: OK, still w/wrong IP address

Mutt · August 29, 2020, 2:24pm

okay,
so making sure you do not reveal your actual wan details (local lan doesn’t matter)
Post what you did and the setting you made.
1.How do you access the remote ?
2. Which NGINX did you use ?
3. What is the config ?
4. How is your DuckDNS set up (what guide ?) ?
5. What is your config ?

I understand that due to your ISP/Modem you need to run a specialist setup and it seems to be blowing my own trumpet but I used : -

There ‘may’ be some tips there you didn’t do

petro · August 29, 2020, 2:29pm

Flag posts if you want action on the post. When you do that, if you select other you can write ‘why’.

Mutt · August 29, 2020, 2:31pm

Many Thanks

I did not know that, I’ve never flagged a post

Cheers

petro · August 29, 2020, 2:33pm

yep, flagging is not just for inappropriate language. It’s pretty much to let a mod know that action is needed. Then a mod can come in and decide to take action or ignore the request.

Mutt · August 29, 2020, 2:58pm

I think he means talk to sagemcom about how to get duckdns working

friendodevil · August 29, 2020, 3:00pm

My working configuration.yaml before the modem modem change

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

My DuckDNS configuration

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: --my-token---
domains:
  - mydomain.duckdns.org
aliases: []
seconds: 300

I don’t have NGINX set up.

All worked well until I changed my modem from xDSL > Cable. I use the modem in bridge mode connected to a home router. The key thing I notice is that with the new modem DuckDNS client does not update the correct IP to duckDNS. When I access remote via web browser with the correct WAN IP:[port] it works.

Mutt · August 29, 2020, 3:21pm

Well …

I’m pretty sure is deprecated (I never used it so can’t say 100%)

Errr ! you have not needed the lets encrypt addon for at least a year (duckdns adds the bits of lets encrypt it needs the other bits just got in the way)

Err ! I can’t tell you how many ways this is just not supposed to happen.
That indicates something is VERY wrong
Your certificate is issue to (say) : -
myfortressofsolitude.duckdns.org
And you access it by https://www.xxx.yyy.zzz.org then the certificate won’t match and it should kick you out.
Do you run supervised ? (ie can you take a snapshot ?)
Do you have a spare pi (for example) ?
Take a snapshot
Start a clean installation
Do the absolute minimum to get you up and running
(don’t restore snapshot yet)
install duckdns and the nginx home assistant proxy (not the NGINX Manager)
Configure as per the post I linked except change the necessary ports as suggested by @quattroe
If it connects okay then you have a system that you can merge your snapshot to (becare full to sanitise the snapshot of any lan/wan issues regarding IP addresses and config for duckdns / http / https / etc.

If not … I have NO IDEA where to start