Cant get SSL externally working (Duckdns, Ngnix)

Tags: #<Tag:0x00007fc4110479f0>

i need some support in getting SSL externally working. Trying to summarise my setup first and then the problem. (sorry for the links, but new users are restricted to 2 links…)

  1. Hardware: INTEL NUC
  2. OS: Ubuntu Server, 20.04.1 LTS.
  3. HA: Home Assistent supervised (installed with this instructions Installing Home Assistant Supervised on Ubuntu 18.04.4 ) -> everything is up and running
  4. Add ons: DuckDNS & NGNIX, both started without errors. SSL certificates are available. DNS is registered.
  5. Firewall: Port forward rule from external 443 to my local NUC ip

-> I can access inside my network http with local ip and port 8123
-> I can access inside my network -> Certificate is shown and valid.

-> i can not access from outside https and duckdns address and (also IP does not work)
-> if i change the firewall rule to port 8123 i can access from external my home assistant instance, but then without ssl

What am i missing in getting it working from external? Happy for any input :slight_smile:


Figured it out, my internet provider’s router (SAGEMCOM - FAST3686 with local custom firmware) is not able to forward 443 (also not if my HA is in the DMZ). this port always goes to the remote management side, even if remote management is disabled -> i changed the port to some random one and it is working now with SSL.

also running in the same problem with the SAGEMCOM FAST3686.
@quattroe, how did you make the change to a random port?

Hi friendodevil,
no changes required at NGIX or HA.
Configure your router with a Port Forwarding Rule (Advanced -> Forwarding)
IP Address: * Your HA IP*
Start Port / End Port: 443

Start Port / End Port: your selected port (something above 1024 and below 49151)

-> now you should be able to access from external with: selected port
-> this setting you also have to change in your app

1 Like

@quattroe Erik,

Thank you for the prompt reply, I appreciate it :pray:

I changed the Sagemcom to bridge more and set my router with the port forwarding rule as you’ve suggested (with port 8433>433. I find that if it works well if I https//ip:8433 but duckdns does not update the IP for some reason so does not work…

Any idea why duckdns doesn’t update? do I need to open additional ports?

You are welcome :slight_smile:

For DuckDns, i have set up the DUCKDNS Plugin in HA (alternative also the Sagemcom can update the duckdns record). Just follow the instructions of the duckdns plugin and you should be fine. no further actions required. (did you check the logfiles of duckdns?)

@quattroe I’m also using the duckdns HA plugin. The logs look fine but keep updating with the wrong IP

btw: HA was running for ~2yrs on this configuration, all that change was the xDSL >> Cable modem with the Sagemcom

:frowning: sorry, can’t help you there. last try could be to use the duckdns support of the sagemcom device…

how is duckdns supported for the sagemcom device?

devil, please tag a moderator to delete your post your internet details are still visible and will be for 24 hours

As for the duckdns update, have you tried manually changing it at duckdns ?

Edit: @petro can you help ?

if i change in manually at duckdns it works but once the client refreshes the IP, it reverts to the wrong IP

Unless you tag, quote or reply to me I don’t get a notification.
I just saw this bob up again so you were lucky.

I’m grasping at straws here but try removing the addon, restarting then re-add it with the new address.
It may not work but it beats waiting for your certificates to renew or some such :crazy_face:

removed addon, restarted, added new address. — Info: OK, still w/wrong IP address :frowning:

so making sure you do not reveal your actual wan details (local lan doesn’t matter)
Post what you did and the setting you made.
1.How do you access the remote ?
2. Which NGINX did you use ?
3. What is the config ?
4. How is your DuckDNS set up (what guide ?) ?
5. What is your config ?

I understand that due to your ISP/Modem you need to run a specialist setup and it seems to be blowing my own trumpet but I used : -

There ‘may’ be some tips there you didn’t do

Flag posts if you want action on the post. When you do that, if you select other you can write ‘why’.

1 Like

Many Thanks

I did not know that, I’ve never flagged a post



yep, flagging is not just for inappropriate language. It’s pretty much to let a mod know that action is needed. Then a mod can come in and decide to take action or ignore the request.

I think he means talk to sagemcom about how to get duckdns working

My working configuration.yaml before the modem modem change

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

My DuckDNS configuration

  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: --my-token---
aliases: []
seconds: 300

I don’t have NGINX set up.

All worked well until I changed my modem from xDSL > Cable. I use the modem in bridge mode connected to a home router. The key thing I notice is that with the new modem DuckDNS client does not update the correct IP to duckDNS. When I access remote via web browser with the correct WAN IP:[port] it works.

Well …

I’m pretty sure is deprecated (I never used it so can’t say 100%)

Errr ! you have not needed the lets encrypt addon for at least a year (duckdns adds the bits of lets encrypt it needs the other bits just got in the way)

Err ! I can’t tell you how many ways this is just not supposed to happen.
That indicates something is VERY wrong
Your certificate is issue to (say) : -
And you access it by then the certificate won’t match and it should kick you out.
Do you run supervised ? (ie can you take a snapshot ?)
Do you have a spare pi (for example) ?
Take a snapshot
Start a clean installation
Do the absolute minimum to get you up and running
(don’t restore snapshot yet)
install duckdns and the nginx home assistant proxy (not the NGINX Manager)
Configure as per the post I linked except change the necessary ports as suggested by @quattroe
If it connects okay then you have a system that you can merge your snapshot to (becare full to sanitise the snapshot of any lan/wan issues regarding IP addresses and config for duckdns / http / https / etc.

If not … I have NO IDEA where to start