Cant get SSL externally working (Duckdns, Ngnix)

Tags: #<Tag:0x00007fc4122c1f90>

how is duckdns supported for the sagemcom device?

devil, please tag a moderator to delete your post your internet details are still visible and will be for 24 hours

As for the duckdns update, have you tried manually changing it at duckdns ?

Edit: @petro can you help ?

if i change in manually at duckdns it works but once the client refreshes the IP, it reverts to the wrong IP

Unless you tag, quote or reply to me I don’t get a notification.
I just saw this bob up again so you were lucky.

I’m grasping at straws here but try removing the addon, restarting then re-add it with the new address.
It may not work but it beats waiting for your certificates to renew or some such :crazy_face:

removed addon, restarted, added new address. — Info: OK, still w/wrong IP address :frowning:

so making sure you do not reveal your actual wan details (local lan doesn’t matter)
Post what you did and the setting you made.
1.How do you access the remote ?
2. Which NGINX did you use ?
3. What is the config ?
4. How is your DuckDNS set up (what guide ?) ?
5. What is your config ?

I understand that due to your ISP/Modem you need to run a specialist setup and it seems to be blowing my own trumpet but I used : -

There ‘may’ be some tips there you didn’t do

Flag posts if you want action on the post. When you do that, if you select other you can write ‘why’.

1 Like

Many Thanks

I did not know that, I’ve never flagged a post



yep, flagging is not just for inappropriate language. It’s pretty much to let a mod know that action is needed. Then a mod can come in and decide to take action or ignore the request.

I think he means talk to sagemcom about how to get duckdns working

My working configuration.yaml before the modem modem change

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

My DuckDNS configuration

  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: --my-token---
aliases: []
seconds: 300

I don’t have NGINX set up.

All worked well until I changed my modem from xDSL > Cable. I use the modem in bridge mode connected to a home router. The key thing I notice is that with the new modem DuckDNS client does not update the correct IP to duckDNS. When I access remote via web browser with the correct WAN IP:[port] it works.

Well …

I’m pretty sure is deprecated (I never used it so can’t say 100%)

Errr ! you have not needed the lets encrypt addon for at least a year (duckdns adds the bits of lets encrypt it needs the other bits just got in the way)

Err ! I can’t tell you how many ways this is just not supposed to happen.
That indicates something is VERY wrong
Your certificate is issue to (say) : -
And you access it by then the certificate won’t match and it should kick you out.
Do you run supervised ? (ie can you take a snapshot ?)
Do you have a spare pi (for example) ?
Take a snapshot
Start a clean installation
Do the absolute minimum to get you up and running
(don’t restore snapshot yet)
install duckdns and the nginx home assistant proxy (not the NGINX Manager)
Configure as per the post I linked except change the necessary ports as suggested by @quattroe
If it connects okay then you have a system that you can merge your snapshot to (becare full to sanitise the snapshot of any lan/wan issues regarding IP addresses and config for duckdns / http / https / etc.

If not … I have NO IDEA where to start

I don’t run Let’s encrypt addon, just hte duck DNS

Again, no reply to me so you were lucky (for the second time)
apologies I assumed a different set up, yes mine looks similar : -

  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 123456wouldntyouliketoknow123456
aliases: []
seconds: 300

but my config looks like this : -

  packages: !include_dir_named packages
  themes: !include_dir_merge_named themes
  mode: yaml
tts:    # Text to speech
  - platform: google_translate
  usb_path: /dev/ttyACM0
  network_key: !secret ky_zwave

I think @anon43302295 has an even shorter one (my system covers 1109 entities, his is probably bigger)

Notice that I don’t specify port numbers anywhere except on my modem/router.
As you are are using a bridge configuration are you connecting as a wan and therfore need to port forward twice ?

I don’t need to port forward twice… My WAN IP is dynically obtained from the modem/bridge
I ssuspect duckdns ports are getting blocked by the new modem… do you know which ports duckdns uses to transfer to IP address?

All I can say is that https defaults to :443 BUT
I know a guy who has two wan facing instances and he get around the forwarding to two separate points by using different ports. So it is possible.
Never used it as an option for me

@francisp, you know much more about port configuration options than I do ?

If you don’t count the two blank lines, mine is 4 lines…


I don’t see that there’s an issue with https’ing in from the WAN. It’s just the that duckdns does not update the IP, what port is it using to update?

The addon just connects through standard Internet to communicate outbound, that port number is irrelevant as its what it has been configured to use with duckdns (means I don’t know and care even less)
To talk back it just uses the backchannel created when the conversation opened (so again irrelevant.
Other than that duckdns doesn’t communicate with HA
The browser reaching duckdns for the dns lookup communicates with duckdns to receive the actual address and uses the certificate for that to talk to your modem which defaults to https (port 443) but can be specified as an alternate ie by not just using ‘.org’ but ‘.org:8443’ (or whatever) what you do at your end is down to your preferences and configuration.

You are asking for answers I don’t have on a configuration I’ve no experience on, so I’m really reaching here.

I never count blank or commented lines.
I think my problem is finding a suitable package to put them in.
How many entities are you currently working with ?