DuckDNS: how to solve ERR_SSL_PROTOCOL_ERROR

Hi,
DuckDNS is installed and it works fine, no errors so far. This is the DuckDNS config:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: XXXXX-77bf-44a5-XXXXX-XXXXXXX
domains:
  - ottoha.duckdns.org
seconds: 300

These are the configuration.yaml lines:

http:
  base_url: https://ottoha.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

There is no space (blank) before “http:”

I opened up the following ports on my router:
8123>Raspberry pi IP>8123
443>Raspberry pi IP>8123
80>Raspberry pi IP>80

From my PC, if I use 192.168.1.190 (Raspberry Pi IP) via browser, it works just fine.
If I try https://ottoha.duckdns.org:8123 I get the ERR_SSL_PROTOCOL_ERROR

I have no idea how to sort it out. Suggestions? Thank you!!

What does the add-on log say?

That’s what I read right now from the add-on log:

[16:05:44] INFO: OK
93.42.111.209
NOCHANGE
[16:10:45] INFO: OK
93.42.111.209
NOCHANGE
[16:15:47] INFO: OK
93.42.111.209
NOCHANGE
[16:20:48] INFO: OK
93.42.111.209
NOCHANGE
[16:25:49] INFO: OK
93.42.111.209
NOCHANGE
[16:30:50] INFO: OK
93.42.111.209
NOCHANGE
[16:35:51] INFO: OK
93.42.111.209
NOCHANGE
[16:40:53] INFO: OK
93.42.111.209
NOCHANGE
[16:45:54] INFO: OK
93.42.111.209
NOCHANGE
[16:50:55] INFO: OK
93.42.111.209
NOCHANGE
[16:55:56] INFO: OK
93.42.111.209
NOCHANGE
[17:00:58] INFO: OK
93.42.111.209
NOCHANGE
[17:05:59] INFO: OK
93.42.111.209
NOCHANGE
[17:11:00] INFO: OK
93.42.111.209
NOCHANGE

Please format your code properly (mainly just the http: portion). Use three backticks (```) above and below the code.

Please restart the add-on and then copy over the log, since at the start it gives information about any issues or troubles it has.

I had the same problem.
The issue was http: written twice.

Continuing the discussion from DuckDNS: how to solve ERR_SSL_PROTOCOL_ERROR:

How were you able to resolve the SSL protocol error? I am having the same issue currently.

2 Likes

Just ran into the same issue myself.
My modem/router got reset (lost forwarding rules, password got reset, etc.) or something after my ISP logged into it to troubleshoot some other issue. After this, I started getting the This site can’t provide a secure connection: ERR_SSL_PROTOCOL_ERROR when trying to access my HA using https://****.duckdns.org.
I can access HA locally by using <localIPAddress>:8123.

Forwarding rules (both to the IP-address of my Pi running HA):

External:    Internal:
443          8123
80           80

I have tried forwarding 8123->8123 and installed only DuckDNS with LetsEncrypt both disabled and enabled, then tried to access HA using http://****.duckdns.org:8123 and https://****.duckdns.org:8123, with the same result.
I have also re-installed both DuckDNS and NGINX step by step, without any luck. Even removed the certfiles in the ssl-folder when re-installing the add-ons, and had a lot of restarts of both HA and the Pi itself.

configuration.yaml (relevant parts):

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 192.168.100.0/24

http:
  use_x_forwarded_for: true
  trusted_proxies: 127.0.0.1

And no, there’s no stupid mistake with a rogue space in front of http or it being declared twice, etc.

DuckDNS add-on configuration:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: ******
domains:
  - ****.duckdns.org
aliases: []
seconds: 300

NGINX add-on configuration:

domain: ****.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

As I am terrible regarding the difference between Docker, HassOS, and Hass.io I will just include some info displayed under the info screen in HA (omitting what I do not think is important):

System Health
Version	0.118.3
Installation Type	Home Assistant OS
Development	false
Supervisor	true
Docker	true
Virtual Environment	false
Python Version	3.8.6
Operating System Family	Linux
Operating System Version	4.19.127-v7
---------------------------------
Hass.io
Host Operating System	HassOS 4.17
Update Channel	stable
Supervisor Version	2020.11.0
Docker Version	19.03.12
Board	rpi3

This setup has worked for me without any issues before my modem got reset, and I have no clue how something like this just breaks without me touching any settings.
I would be very happy to take suggestions if there is anyone out there who may have an idea as to why.
I should also add that I have cleared the cache and deleted any page data that may have been stored in my browser.

edit:
Forgot to mention that I get this message in the Core log in HA whenever I try to access HA using https://****.duckdns.org:

2020-11-26 18:17:57 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/aiohttp/web_protocol.py", line 314, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 546, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'invalid HTTP method'"

edit2:
So it seems I managed to fix the problem by adding:

ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

to the http: of my configuration.yaml. I still find it weird that it used to work without those lines before, but now I suddenly had to add them…

edit3:
I’m stupid, it didn’t fix the problem, it just “moved” it. Now I cannot use the app, as I need to add https:// if I want to access HA using the local IP, and then I need to manually click “Proceed to website” as it is considered unsafe. This does not work in the app and makes the app unusable while on the local network.

To anyone who might encounter this issue in the future:
After many hours of trying to fix this, I got help from a fellow, helpful user on Discord.
Turned out I had to forward 443->443 instead of 443->8123.
Quite an easy fix, but something I hadn’t tried and I don’t think that was how I had it before, but it works, so I’m happy!

9 Likes
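The reason the forwarding target matters, as an added example that is not part of the original posts: a browser's https:// request fails when the port it ends up on answers in plain HTTP, so this probe reports whether a given host and port speak TLS or plain HTTP. The function names, the loopback stand-in listener and its port are constructed for the example.

```python
"""Added example: does this port speak TLS or plain HTTP? (constructed names)"""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def classify_port(host, port, timeout=2.0):
    """Return 'tls', 'plain-http', 'closed' or 'unknown' for host:port."""
    # Diagnostic only: verification is off because the question is "does this
    # port speak TLS at all?", not "is the certificate valid?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError, reset or timeout: the handshake failed
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"

class _PlainHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a backend that serves plain HTTP (no TLS)."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_plain_listener():
    """Start the stand-in on a free loopback port; return (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_plain_listener()
    print("forward target speaks:", classify_port("127.0.0.1", port, timeout=1.0))
    srv.shutdown()
```

Run `classify_port` from a machine on the LAN against the address and internal port that the router's 443 rule points to. A `plain-http` result there means an https:// request arriving through that rule reaches a listener that is not speaking TLS.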

Amazing! I have struggled for many nights to fix this and was about to give up. This simple solution did the trick for me also!

1 Like

I’m still struggling with this.
I’ve port forwarded on my router:
80 → 80
443 → 443
8123 → 8123

My (sanitised) config is:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: <sanitised>
domains:
  - <sanitised>.duckdns.org
aliases: []
seconds: 300
http:
  base_url: https://<sanitised>.duckdns.org
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Anyone have any ideas what else might be wrong or what I might be missing?

I can access my HASS via HTTP://.duckdns.org. If I port forward 443 to 8123, HTTP://.duckdns.org:443 works too. But obviously I don’t want to leave it unsecured…

I was struggling for months.
Thank you.
This should be written in the documentation!

1 Like

Change your http config like this:

http:
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
#  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Then configure your external access with your host (without port):
external access: https://hello.duckdns.org
internal access: http://homeassistant.local:8123

Last thing: configure the NGINX add-on with your host (no ports again).

1 Like

When a browser shows the ERR_SSL_PROTOCOL_ERROR, it indicates the browser is no longer able to access or initiate the secured communication. There is no definite guide for managing this error. Follow the given steps to resolve this error from the client side:

  • Try correcting the system date and time.
  • Try clearing Google Chrome browsing data.
  • Try clearing your SSL State.
  • Try disabling the QUIC Protocol.
  • Try checking your antivirus settings.
  • Try enabling all SSL/TLS versions.

Also, this error is because of the following server-side problems:

  • Invalid SSL or SSL is untrusted (self-signed)
  • SSL Not installed properly
  • Old Technology or SSL/TLS version for encryption

Here’s my fix, and it might not be the same for everyone else, but it’s unbelievably stupid…

I had all sorts of ports open, some worked, some didn’t. Plex and VNC worked, Home Assistant didn’t.

I had Ext8123 to Int8123 and Ext443 to 8123 also.
Everything else was followed by numerous tutorials and had worked before, just not after I updated HA and my router…

Try accessing your DuckDNS address from your browser, but make sure it’s in private mode. Worked for me. Probably some cached files or bad history. Maybe if you don’t want to access it in private mode, delete these history files.

See if that works for anyone else.

Update: I don’t know if that was the problem. It works but only from http, isn’t it supposed to be https?

1 Like

Dude, you just saved me hours most likely. Lol. Thanks.

1 Like

The problem for me was the cache. I tested in private navigation and I could access everything, but in my regular browser I would get the ERR_SSL_PROTOCOL_ERROR message.

Simply clean up your cache and you should be good to go!

1 Like

A year and a half later, and still helping folks with this answer!

I was struggling to get both internal http and external https working consistently (internal for playing local media over a Muse Proto speaker via SlimProto Player integration, and external for remote access to HA instance), and was pulling my hair out due to only one or the other working, but changing the port forwarding at the router solved the issue for me. Makes sense, when I think about it, since the add-on is an SSL proxy, but I would not have figured it out without your post.

Thanks!

1 Like