Can't get SSL externally working (DuckDNS, Nginx)


I don’t run the Let’s Encrypt addon, just the DuckDNS one

Again, no reply to me so you were lucky (for the second time)
apologies I assumed a different set up, yes mine looks similar : -

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 123456wouldntyouliketoknow123456
aliases: []
seconds: 300

but my config looks like this : -

homeassistant:
  packages: !include_dir_named packages
frontend:
  themes: !include_dir_merge_named themes
lovelace:
  mode: yaml
tts:    # Text to speech
  - platform: google_translate
zwave:
  usb_path: /dev/ttyACM0
  network_key: !secret ky_zwave

I think @anon43302295 has an even shorter one (my system covers 1109 entities, his is probably bigger)

Notice that I don’t specify port numbers anywhere except on my modem/router.
As you are using a bridge configuration, are you connecting as a WAN and therefore need to port forward twice?

I don’t need to port forward twice… My WAN IP is dynamically obtained from the modem/bridge
I suspect duckdns ports are getting blocked by the new modem… do you know which ports duckdns uses to transfer to IP address?

All I can say is that https defaults to :443 BUT
I know a guy who has two WAN-facing instances and he gets around the forwarding to two separate points by using different ports. So it is possible.
Never used it as an option for me

@francisp, you know much more about port configuration options than I do ?

If you don’t count the two blank lines, mine is 4 lines…


I don’t see that there’s an issue with https’ing in from the WAN. It’s just that duckdns does not update the IP, what port is it using to update?

The addon just connects through standard Internet to communicate outbound, that port number is irrelevant as it’s what it has been configured to use with duckdns (means I don’t know and care even less)
To talk back it just uses the backchannel created when the conversation opened (so again irrelevant).
Other than that duckdns doesn’t communicate with HA
The browser reaching duckdns for the dns lookup communicates with duckdns to receive the actual address and uses the certificate for that to talk to your modem which defaults to https (port 443) but can be specified as an alternate ie by not just using ‘.org’ but ‘.org:8443’ (or whatever) what you do at your end is down to your preferences and configuration.

You are asking for answers I don’t have on a configuration I’ve no experience on, so I’m really reaching here.

I never count blank or commented lines.
I think my problem is finding a suitable package to put them in.
How many entities are you currently working with ?

No idea, but if I was packaging the last bits of your configuration.yaml just because, I would do it like this…


homeassistant:
  packages: !include_dir_named packages


frontend:
  themes: !include_dir_merge_named themes
lovelace:
  mode: yaml

(Get rid of config: as it is a dependency of frontend.)


tts:    # Text to speech
  - platform: google_translate


zwave:
  usb_path: /dev/ttyACM0
  network_key: !secret ky_zwave

@friendodevil: i can not help you with the bridge mode, this was my first choice but my provider does not allow it. (need to make a service call, language problem… so i did not go this way)

(There might be another reason that i do not have any issues, i do have a dynamic IP but it never changed in the last 4 years…)

To enable direct update of address just go in the settings -> basic -> DDNS.

@quattroe: I reset the box and reverted back to Gateway mode. I do not have duckdns as a DDNS service with this box’s firmware.

I reconfigured the box back to Gateway, perhaps more control this way. My setup is Cable Gateway -> Router -> HA Server:
[Gateway] WAN IP>NAT> --> [Router] WAN IP>NAT

I do need to double port forward now:

and on my Router

@friendodevil: personally i would not double forward, i guess troubleshooting will be more complicated.
-> at your router: the SSL rule 433 should not work (in my case, this is always routed directly to the Sagemcom interface).
Also Port 80, should not be required. I would close this.
Does your http rule work? (i would also delete this one!)

Only one rule required: External port: 8433 -> Local End Port: 433
Access via:

One more thing: after setting up bridge mode again, i would check all the rules you have in your router if they are required :slight_smile: (Tasmoadmin, Plex web etc…)

Coming back to DuckDNS: if you check the logfile, do you see something like this? Is it your IP?

[04:40:31] INFO: OK

Yes, I see INFO OK but the IP address is wrong

I note that you figured out a solution to your OP 27 days ago.
Normally people shouldn’t mark their own posts as solutions as usually someone else gave you a hint / reference etc to tip you over the edge to give you the answer but sometimes (and this is such a case) you are completely justified in marking post No 2 (yours) as the solution.
Marking a solution helps others find the information they need and weights results of searches.

Thanks for the tip, I will have a play.

One of my (1109) entities is a sensor, that tells me how many entities I have (did I mention that I’m recursively OCD ? :rofl: )

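sensor:
  - platform: template
    sensors:
      entity_count:    # placeholder entity name; the original name is not shown in the post
        friendly_name: Entities
        value_template: "{{ states | count }}"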

But you could just enter it into the template editor to get a current count : -

{{ states | count }}  {# as you'd expect :rofl: #}

But because I’m anally retentive I keep a card full of this stuff (it’s amazing the changes you see when you change an approach strategy, eg moving to binary sensor for triggers and then how that affects CPU usage etc.) : -

Hi Mutt,
thanks for the hint! Forgot that and marked the solution :slight_smile:

While trying to put my modem into bridge mode i found the 443 port information in a Hungarian telecom forum in Hungarian language. (device is provided by telecom Hungary). So it made no sense for me to link it…

That’s brilliant, and persistent, and determined.
I assume you just browsed with Google translate turned on (all the time, and we all know how mangled that can be at times) ?
Regardless you can hardly mark another website as the solution.
Still you posted what you found back, good for you.

:innocent: google translate and some hungarian language skills …