Okay, I know that it really is a bunch of awesome people and the kindness of forum members is astonishing just by their time and effort (notable mentions to finity, nexus and Petro). And I realise that the documentation has just had a major prune to get rid of some very old legacies but …
Why can’t we get DuckDNS to work ?
I’ve done the install 16 times since Friday (5 days) and no joy at all, I’ve tried ALL the recent guides and Nexus’s guide seems closest but no longer with a cigar.
I may be stupid but I have some assumptions :-
- That https by default runs via port 443
- That installing DuckDNS, it automatically installs and uses letsencrypt (though you have to accept terms for it)
- Lets just assume I’ve allowed port forwarding of ALL necessary ports (many argue about which ones and to what) AND that I’ve created a DuckDNS account and have made note of the api key (token)
- That if you type the address https://mydomain.duckdns.org it will set up an encrypted link between your external input device (phone/tablet/computer from a given external location) and duckdns.org (this should default to port 443)
- DuckDNS then forwards a similarly encrypted link (through your modem/router) to your private network Home Assistant installation using your public key and does it, also on port 443
- Your HA has your private key and decrypts the link, presumably because it also arrives on port 443 (I know you ‘could’ use other ports but the above is the cleanest most sensible way to approach this, though some may make the argument that screwing with this would make it harder for an attacker to guess)
- From this, it seems that if your HA recieves a request on port 8123 (from the same class C network), it responds in clear. if on port 443 it checks the encryption and responds using the public/private keys (Though as my browser doen’t know the keys then it may not work on my local LAN).
- This allows simple connection from your LAN and a more secure connection via duckdns
- Your router knows nothing about the public/private key pair and would have to rely on SSL TSL using public certificates and encryption protols - So let’s ignore this
- ALL of the guides I’ve read do not seem to cover this and generally ask you to forward 443 traffic to port 8123 - eh ! why ? Surely it should just forward 443 to 443 on your HA ???
Okay, so you want to install DuckDNS, so goto your Hassio add ons and install it.
It basically says :- “Install It” - make your config (in the add on config, not your configuration.yaml) “look like this example”
Nowhere does it say ‘what ports you should be using and/or redirecting’
But it does say for more info go to :- https://www.home-assistant.io/addons/duckdns/
By the way the log result of the above (with just 443 redirected to 443 is :-
INFO: Using main config file /data/workdir/config
- Generating account key…
- Registering account key with ACME server…
- Fetching account ID…
[12:55:44] INFO: OK
xxx.xxx.xxx.xxx [my external IP]
INFO: Using main config file /data/workdir/config
- Creating chain cache directory /data/workdir/chains
- Creating new directory /data/letsencrypt/mydomain.duckdns.org …
- Signing domains…
- Generating private key…
- Generating signing request…
- Requesting new certificate order from CA…
- Received 1 authorizations URLs from the CA
- Handling authorization for mydomain.duckdns.org
- 1 pending challenge(s)
- Deploying challenge tokens…
OK + Responding to challenge for mydomain.duckdns.org authorization…
- Challenge is valid!
- Cleaning challenge tokens…
OK + Requesting certificate…
- Checking certificate…
- Creating fullchain.pem…
Okay, so I’m good to go ?
Well I can access via 8123 on local network : - )))))
But on https://mydomain.duckdns.org It starts (blue header) but then just gives me
So it seems to be bouncing off at my HA installation and even shows me that it’s trying to get to HA with the little logo and message : - ((((( .
Okay, so lets go to the Duck DNS Page as listed on the Add on at : https://www.home-assistant.io/addons/duckdns/
It generally agrees with the above but then states :-
Use the following configuration in Home Assistant to use the generated certificate:
http: base_url: https://my-domain.duckdns.org:8123 ssl_certificate: /ssl/fullchain.pem ssl_key: /ssl/privkey.pem
If you use a port other than
8123 or an SSL proxy, change the port number accordingly.
It also warns that from now on you will HAVE to use https to access HA (okay … not a deal breaker …)
It also says that to generate cetificates by adding : -
AND presumably this goes in the add on config as per the previous (doesn’t actually say). What this is for I’ve no idea, what sub-domains of my subdomain of duckdns.org ??? So lets leave this for the moment and I’ll change my port to 443 to be consistent … reboot …
Enternal connection … no joy, doesn’t matter if its without a port, or with 80, 443 or 8123 just unable to connect
Internal, no joy either unless I go https://internal ip address:8123/ and then is says Privacy Error AND it put a line through the https bit.
Call me paranoid - but is someone really trying to make this difficult ?
Okay, next a search for duckdns gets me :- https://www.home-assistant.io/docs/ecosystem/certificates/lets_encrypt/#3---set-up-a-duckdns-account
There’s a lot of information here but the newest titbit is : -
access_token: abcdefgh-1234-abcd-1234-abcdefgh [this is just example data, correct for your installation, note: no quotes shown]
Put this in your configuration.yaml and reboot …
Oh wait I can’t get at my HA installation in order to reboot, good job I installed SSH
So, one “/sbin/reboot” later and …
… no joy
Lets add the sub domain of mydomain … and reboot
Oh wait, now SSH doesn’t work !
Go back to an earlier back up and start again …
I’ve done the above for various ports and port forwarding configurations and have reached the end of my tether.
There should be one page for the configuration requirements for the Add On, It should cover ALL required config details and preferably explain why for each, it should then detail any issues that could arise and what the likely cause of those issues are.
What am I missing ?
Then again, maybe I’m stupid