DuckDNS - It's not just me - it's you!

Okay, I know that it really is a bunch of awesome people and the kindness of forum members is astonishing just by their time and effort (notable mentions to finity, nexus and Petro). And I realise that the documentation has just had a major prune to get rid of some very old legacies but …
Why can’t we get DuckDNS to work ?
I’ve done the install 16 times since Friday (5 days) and no joy at all, I’ve tried ALL the recent guides and Nexus’s guide seems closest but no longer with a cigar.
I may be stupid but I have some assumptions :-

  1. That https by default runs via port 443
  2. That installing DuckDNS, it automatically installs and uses letsencrypt (though you have to accept terms for it)
  3. Let’s just assume I’ve allowed port forwarding of ALL necessary ports (many argue about which ones and to what) AND that I’ve created a DuckDNS account and have made note of the api key (token)
  4. That if you type the address https://mydomain.duckdns.org it will set up an encrypted link between your external input device (phone/tablet/computer from a given external location) and duckdns.org (this should default to port 443)
  5. DuckDNS then forwards a similarly encrypted link (through your modem/router) to your private network Home Assistant installation using your public key and does it, also on port 443
  6. Your HA has your private key and decrypts the link, presumably because it also arrives on port 443 (I know you ‘could’ use other ports but the above is the cleanest most sensible way to approach this, though some may make the argument that screwing with this would make it harder for an attacker to guess)
  7. From this, it seems that if your HA receives a request on port 8123 (from the same class C network), it responds in clear. If on port 443 it checks the encryption and responds using the public/private keys (Though as my browser doesn’t know the keys then it may not work on my local LAN).
  8. This allows simple connection from your LAN and a more secure connection via duckdns
  9. Your router knows nothing about the public/private key pair and would have to rely on SSL/TLS using public certificates and encryption protocols - So let’s ignore this
  10. ALL of the guides I’ve read do not seem to cover this and generally ask you to forward 443 traffic to port 8123 - eh ! why ? Surely it should just forward 443 to 443 on your HA ???

Okay, so you want to install DuckDNS, so go to your Hassio add ons and install it.
It basically says :- “Install It” - make your config (in the add on config, not your configuration.yaml) “look like this example”
Nowhere does it say ‘what ports you should be using and/or redirecting’
But it does say for more info go to :- https://www.home-assistant.io/addons/duckdns/
By the way the log result of the above (with just 443 redirected to 443) is :-

INFO: Using main config file /data/workdir/config

  • Generating account key…
  • Registering account key with ACME server…
  • Fetching account ID…
  • Done!
    [12:55:44] INFO: OK
    xxx.xxx.xxx.xxx [my external IP]
    UPDATED

INFO: Using main config file /data/workdir/config

  • Creating chain cache directory /data/workdir/chains
    Processing mydomain.duckdns.org
  • Creating new directory /data/letsencrypt/mydomain.duckdns.org …
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 1 authorizations URLs from the CA
  • Handling authorization for mydomain.duckdns.org
  • 1 pending challenge(s)
  • Deploying challenge tokens…
    OK + Responding to challenge for mydomain.duckdns.org authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
    OK + Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!

Okay, so I’m good to go ?
Well I can access via 8123 on local network : - )))))
But on https://mydomain.duckdns.org It starts (blue header) but then just gives me
Unable to connect to HA
So it seems to be bouncing off at my HA installation and even shows me that it’s trying to get to HA with the little logo and message : - ((((( .

Okay, so let’s go to the Duck DNS Page as listed on the Add on at : https://www.home-assistant.io/addons/duckdns/
It generally agrees with the above but then states :-

Use the following configuration in Home Assistant to use the generated certificate:

http:
  base_url: https://my-domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

If you use a port other than 8123 or an SSL proxy, change the port number accordingly.

It also warns that from now on you will HAVE to use https to access HA (okay … not a deal breaker …)
It also says that to generate certificates by adding : -
{
  "domains": ["my-domain.duckdns.org", "*.my-domain.duckdns.org"]
}
AND presumably this goes in the add on config as per the previous (doesn’t actually say). What this is for I’ve no idea, what sub-domains of my subdomain of duckdns.org ??? So let’s leave this for the moment and I’ll change my port to 443 to be consistent … reboot

So …
External connection … no joy, doesn’t matter if it’s without a port, or with 80, 443 or 8123 just unable to connect
Internal, no joy either unless I go https://internal ip address:8123/ and then it says Privacy Error AND it put a line through the https bit.
Call me paranoid - but is someone really trying to make this difficult ?

Okay, next a search for duckdns gets me :- https://www.home-assistant.io/docs/ecosystem/certificates/lets_encrypt/#3---set-up-a-duckdns-account
There’s a lot of information here but the newest titbit is : -
duckdns:
  domain: examplehome
  access_token: abcdefgh-1234-abcd-1234-abcdefgh
[this is just example data, correct for your installation, note: no quotes shown]
Put this in your configuration.yaml and reboot …
Oh wait I can’t get at my HA installation in order to reboot, good job I installed SSH
So, one “/sbin/reboot” later and …
… no joy
Let’s add the sub domain of mydomain … and reboot
Oh wait, now SSH doesn’t work !
Go back to an earlier back up and start again …

I’ve done the above for various ports and port forwarding configurations and have reached the end of my tether.
There should be one page for the configuration requirements for the Add On, It should cover ALL required config details and preferably explain why for each, it should then detail any issues that could arise and what the likely cause of those issues are.
What am I missing ?
Then again, maybe I’m stupid

Sorry, Should also say I’m on HassOS 2.12 And Home Assistant 0.97.2

If you use the NGINX addon, that handles the port changes and you can use both https and http.
I use http://hassio.local:8123 within the home network and https://xxx.duckdns.org (note: no port specified) from outside.
I have no http: section in my configuration.yaml

I’m fairly sure this setup info came from a Dr Zzzs video about setting up Google Assistant without Nabu Casa (not that I ever managed that, but I did get https working)

There is. You listed it. https://www.home-assistant.io/addons/duckdns/

I followed it and it worked… once I sorted out a non NATed IP address from my ISP.


That is because the SSL certificates are generated for the duckdns address, not the IP address. Your browser is (rightly) warning you about this but you have the option of ignoring it and proceeding if you know the IP address to be safe.

This is not what the page says.

It says:

Generate Let’s Encrypt certificate for Duck DNS sub sub domains

Sub sub domains. You don’t have one? You don’t need this.

There are many reasons duckdns might not work.

Does your router support nat-loopback (required if using the duckdns address inside the local network)?
Does your ISP block any incoming ports (this may prevent duckdns from working)? Quite a few do.
Does your ISP use CGNAT (this will prevent duckdns from working)?

I know it can be frustrating and it can be difficult to diagnose remotely. Please don’t take this the wrong way but perhaps you would be better off with Nabu Casa?

It’s not free (after the trial) but it does support the developers and it is a lot easier to set up. There’s also the bonus that voice assistants are a lot, lot easier to use as well.
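The certificate points raised above (the privacy error on the IP address, and what the wildcard entry covers), as an added example that is not part of any post in this thread. It models a certificate that lists DNS names only; the function names and sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """DNS-name match as browsers do it: '*' stands for exactly one
    left-most label; every other label must be equal (case-insensitive)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_covers(dns_names, host):
    """Assumption: the certificate carries DNS names only (no IP entries)."""
    if is_ip_literal(host):
        return False  # an IP in the URL is never compared against DNS names
    return any(name_matches(n, host) for n in dns_names)

def check_urls(dns_names, urls):
    """Map each URL to True/False: would the browser accept the certificate?"""
    return {u: cert_covers(dns_names, urlsplit(u).hostname) for u in urls}

# Constructed sample data: the add-on's default name, then with the wildcard.
BASE = ["my-domain.duckdns.org"]
WITH_WILDCARD = BASE + ["*.my-domain.duckdns.org"]
URLS = [
    "https://my-domain.duckdns.org/",       # the name the cert was issued for
    "https://192.168.1.10:8123/",           # LAN IP -> privacy error
    "https://hassio.local:8123/",           # local name -> privacy error
    "https://ha.my-domain.duckdns.org/",    # a "sub sub domain"
    "https://a.b.my-domain.duckdns.org/",   # two levels deep: wildcard stops
]

if __name__ == "__main__":
    for url, ok in check_urls(WITH_WILDCARD, URLS).items():
        print("match   " if ok else "MISMATCH", url)
```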

HTTPS traffic typically uses port 443 but it doesn’t have to use port 443. You can use any unreserved port (like 8123). In this case, you need to forward your external port to 8123 because HA isn’t listening on 443. It is listening on 8123. If you’ve configured HA for SSL, then that traffic on that port will be HTTPS. Otherwise it will be standard HTTP.

You can forward port 8123… but you would have to remember to specify the port every time you connect to HA:

https://your_domain.duckdns.org:8123

If you want to set this up so LAN traffic doesn’t need to hit the WAN interface, you can set up an internal DNS entry but then you need to either:

  • manually specify the port internally (like the example above)
  • set up a reverse proxy (like NGINX) to handle the port forwarding (in this scenario, you would forward external 443 to the reverse proxy then use the proxy to forward 443 to 8123).

I have found that once SSL is set up in HA you can no longer connect to the web interface using non SSL. To get around this, I keep HA on a non SSL configuration and use the NginX reverse proxy add-on to forward SSL connections to the non SSL configured HA.

Only issue I have found is that when the cached certificate runs out in my browser, I can’t connect. Even though the certificate has been renewed by the add-on. This has happened on the last 2 renewals.

Steve,
Thanks for responding, do you mean the “Nginx Proxy Manager” community add on ?
I searched for Dr Zz and got https://www.youtube.com/watch?v=fqi_p15eI8A
watching it now …
Well it’s an hour and a half long chat which touches upon nginx but only in passing and they didn’t get it up and running. Also nginx has moved on from that point (in the video) and it doesn’t give you sample config. I typed the whole of the sample (from the video) into the config, saved it, and the config disappeared. I noticed that there was now an “Open WEB UI” link on the Add On, I clicked it and it demanded an email address and a password. Assuming that this was ‘entry for new user’ I filled it in and it told me no such user could be found. I can’t find any information on a default user (presumably so I can log in and then change it to my details) but can’t get any further. A shame because nginx sounds perfect. Support also seems a bit lacking.
Any further information you can give on this would be brilliant.
Thanks in advance

Tom,
I went through the guides in the order I listed them.
I followed each to the letter and then permutations thereof, it didn’t work.
Okay I precised this in my text and essentially there is little difference unless I have missed the point … dunno !
I was not using my router, I was using my phone, with wifi turned off
Blocking ports - no, see where it connected to the HA instance but refused entry ?
CGNAT, - dunno, don’t think so as see above.
Nabu Casa - No, and I don’t take it the wrong way. I simply want to make work a component that ‘should work’ and instead seems broken at a fundamental level.
I thank you for your time in responding, but if they don’t want DuckDNS to work - why list it as a standard Add On ? They could just incorporate the necessary bits into whatever other components need it.
Ditto on the no offense thing.
Again any errors I make please point out so I (and others) can learn from this
Cheers
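One way to settle the CGNAT question from the exchange above, as an added example that is not part of any post in this thread: compare the address shown on the router's WAN interface with the address DuckDNS recorded (the IP printed before `UPDATED` in the add-on log). The function name, verdict labels and sample addresses are constructed for illustration.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 carrier-grade NAT space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VERDICTS = {
    "cgnat": "WAN address is in the ISP's shared NAT range; a port forward "
             "on this router cannot receive connections from the internet.",
    "double-nat": "WAN address is private; another NAT device sits upstream "
                  "and needs its own port forward (or bridge mode).",
    "mismatch": "WAN address is public but differs from what DuckDNS "
                "recorded; the updater may be running behind another link.",
    "direct": "WAN address is public and equals the DuckDNS record; "
              "port forwarding on this router can work.",
}

def classify_wan(router_wan_ip, duckdns_ip):
    """router_wan_ip: address on the router's WAN/status page.
    duckdns_ip: address DuckDNS recorded for the domain."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(duckdns_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != seen:
        return "mismatch"
    return "direct"

if __name__ == "__main__":
    # Constructed sample pairs (documentation-range public addresses).
    samples = [
        ("100.72.14.9", "203.0.113.40"),
        ("192.168.0.2", "203.0.113.40"),
        ("198.51.100.7", "203.0.113.40"),
        ("203.0.113.40", "203.0.113.40"),
    ]
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        print(f"{wan:>15} vs {seen}: {verdict} - {VERDICTS[verdict]}")
```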

Crhass,
Very, Very, Very Interesting.
As I said in my response to Steve nginx looks to be the panacea to connection issues
I’ve looked for guides or configuration information but have failed abysmally
If you would be so kind as to write up how to set up and use nginx in a similar level of detail as I did above, I (and I’m sure, many others) would be forever in your debt
Thanks in Advance

Bryan,
Sorry for not responding in order of posting.
Again, very interesting - I’ll play with this over the next couple of days.
Even though I’m repeating myself I love the idea of nginx, we just need someone to write it up
You deserve more words than this but it is summarised by “Thanks”
Cheers

It’s the ‘NGINX Home Assistant SSL Proxy’ in the official addons. This has a simple config page and no Web UI. My configuration is:

{
  "domain": "xxx.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

My DuckDNS config:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "private token",
  "domains": [
    "xxx.duckdns.org"
  ],
  "seconds": 300
}

Just those 2 addons handle the SSL just fine.

Edit to add: That was the video, the relevant parts are between 34 - 38 minutes.

Steve,
Sorry got confused with the community add on.
Thanks for this, I will play with this tomorrow, if its as simple as you say, ten minutes, but if necessary… 4 hours : - )))
Cheers
Mutt

Jason, any and all thoughts/contributions welcome.
Some threads have hidden gems and yours might have been one such
Mutt

I used this guide to setup the proxy.

https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy

1 Like

Just setup mine not 5 minutes ago with JeanMtech videos on YouTube guide and works 100%

http:
  base_url: https://my-domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

should be instead:

http:
  base_url: https://my-domain.duckdns.org
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Keith,
Not sure I like or want that, as there is no way to access your HA instance if your internet (or duckdns) is down
i.e. you always need to come in from duckdns.org
OR just keep changing your config : - \\\

There are some incorrect assumptions here. I’ll try to clarify.

  1. DuckDns simply provides a DNS alias (or “A”) record that can be dynamically updated via a small script that you run on some machine behind your non-static IP. This DNS alias will be reasonably up-to-date with your current IP. There is a DNS lookup involved, but there is no traffic that DuckDns relays to your local HA instance.

  2. Let’s Encrypt provides a certificate so that you can use HTTPS. If you configure HomeAssistant to use a certificate you created with your DuckDns domain name, then that is now the only way you can connect to that HomeAssistant instance – no longer by IP address, since there is no longer an HTTP way to get to it.

  3. The public/private key stuff is all handled by negotiation between the web server and your browser. We don’t really need to get into this level of detail.

  4. Port 443 is the default HTTPS port, like 80 is the default HTTP port. You don’t need to use the default port, it’s just the simplest thing to do. You mentioned exactly this.

  5. Regarding point 2. The reason some people (myself included) have configured the NGINX reverse proxy to use their Let’s Encrypt certificate rather than HA itself is so we can have the best of both worlds – From the internet side of things, I get an HTTPS-exposed service (NGINX) that does the decryption of the HTTPS data, and forwards it onto my internal HA instance on (unencrypted) port 8123. There’s lots of documentation on how to set up NGINX to do this. Everything inside my house is HTTP, but everything exposed to the internet is HTTPS. DuckDNS and Let’s Encrypt are completely de-coupled from Home Assistant.

2 Likes

Renier, Thanks but I watched Juan’s video and it just showed the DuckDNS part, nothing about nginx
As I said earlier, I don’t want to switch off local access and I don’t want to have to keep changing my config.
Sorry but it didn’t help
Thanks anyway
Mutt

Did you try the guide I posted the link to?