DuckDNS - It's not just me - it's you!

If you tap default, has there been any change to the format of the configuration at all? There was another poster with an issue today, but he had accept terms false; as soon as he corrected that it worked, so the addon seems OK… i.e. it’s something specific to you
https://community.home-assistant.io/t/duckdns-certificate-not-trusted-expired/288273/10?u=davidfw1960

Where did you get the token ?

I.e. was it properly generated by DuckDNS or did you just make up your own ?

Hi @Mutt, I got it from DuckDNS, I just obfuscated for the post.

Thanks @DavidFW1960, I copied the config from the post you linked and it worked! Wow, I have no idea why the config pages do not have any error handling (makes it so hard for new users to work out). How would I give feedback to the dev team to look at making these easier for others in the future?

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 4a20bbc3-####-####-####-bb3dac709fb9
domains:
  - m###.duckdns.org
aliases: []
seconds: 300

If it won’t save the config, it’s 100% an error, but not real helpful, I agree

That’s why so many of the solution threads contain ‘examples’ of what worked.
Including the solution post in this thread.

Did you observe any major departures from this solution ? (i.e. do I need to update this thread to contain a new nugget of information, or have the configuration requirements changed ?)

Edit: looking at your two posts the difference between the config entries escapes me. What is the difference ?

Yeah, strange to me.

The Diff that I can see is

accept_terms: false

instead of

accept_terms: true

and as @anon43302295 said, I was missing

aliases: []

I think overall, I found it hard to understand why the error I got when I first installed the plugin says I have to enter my token, which I did but then it won’t save. I knew from other guides I had to also update the “accept_terms” and “domains”, but I must have been getting an error, but never knew.

To be honest @Mutt I really thought I had an issue with the file not being able to be written to, as I tried changing many of the sections and every time it just went back to default (I know now it was just an error, just that the UI does not report that to the user). So I never knew to try to copy other configs here.

Thanks all

Marc, I checked with the solution post above (which I and many others have used successfully to configure external access) and it DOES NOT contain such a key.
[Preparing to get on my high-horse]
I then looked at what the configuration is on my live (production) instance AND it DOES contain said key.
This thread was updated fairly recently so it appears that the syntax checking/requirements have moved on since then.
My thanks to you, David and @mgguinne for bringing this to my attention.
I will update the solution above with this information (probably in a couple of hours, to ensure readability/flow of the edits etc.)
Cheers

Yeah, it is ‘fairly’ recent, and tbh it messes with my OCD because we shouldn’t have to include optional keys. It’s also a pain because if you’ve previously had a configuration that’s been working fine you’re not required to change it, but as soon as you try to edit it you can’t save it until you add all the previously omitted optional keys.

So of course that makes it worse in my eyes because clearly the addons can physically run without the optional keys being included, it’s just that the configuration validator is overzealous.

But meh, at least we all know 🙂

2 Likes
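The silent save failures discussed above come down to the shape of the options, so a local shape check makes the missing piece visible. This is an added example, not the add-on's own validator: the key names and types are inferred from the working config posted in this thread, `check_duckdns_options` is a hypothetical name, and the sample configs are constructed.

```python
# Added example. Key names and types are inferred from the working config
# posted in this thread, not taken from the add-on's own schema.
TOP_LEVEL = {"lets_encrypt": dict, "token": str, "domains": list,
             "aliases": list, "seconds": int}
LETS_ENCRYPT = {"accept_terms": bool, "certfile": str, "keyfile": str}


def _check_keys(section, spec, prefix=""):
    findings = []
    for key, typ in spec.items():
        if key not in section:
            findings.append(f"{prefix}{key}: missing")
            continue
        value = section[key]
        # bool is a subclass of int, so reject True/False where a number is wanted
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            findings.append(f"{prefix}{key}: expected {typ.__name__}")
    return findings


def check_duckdns_options(opts):
    """Return a list of problems; an empty list means the shape matches."""
    findings = _check_keys(opts, TOP_LEVEL)
    le = opts.get("lets_encrypt")
    if isinstance(le, dict):
        findings += _check_keys(le, LETS_ENCRYPT, "lets_encrypt.")
        if le.get("accept_terms") is False:
            findings.append("lets_encrypt.accept_terms: false "
                            "(reported in this thread as the cause of a failed setup)")
    domains = opts.get("domains")
    if isinstance(domains, list):
        for name in domains:
            if not (isinstance(name, str) and name.endswith(".duckdns.org")):
                findings.append(f"domains: {name!r} is not a duckdns.org name")
    return findings


# Constructed samples: the working shape, and one with the two problems above.
WORKING = {"lets_encrypt": {"accept_terms": True, "certfile": "fullchain.pem",
                            "keyfile": "privkey.pem"},
           "token": "TOKEN-PLACEHOLDER", "domains": ["example-name.duckdns.org"],
           "aliases": [], "seconds": 300}
BROKEN = {"lets_encrypt": {"accept_terms": False, "certfile": "fullchain.pem",
                           "keyfile": "privkey.pem"},
          "token": "TOKEN-PLACEHOLDER", "domains": ["example-name.duckdns.org"],
          "seconds": 300}

if __name__ == "__main__":
    for label, cfg in (("working", WORKING), ("broken", BROKEN)):
        print(label, check_duckdns_options(cfg) or "ok")
```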

Great config guide, and can confirm everything works as of today (20210426).

But one question, if I comment out per the above, which is step #12, does that mean I would not be able to use ip_ban any more?

# setup ip ban
http:
  ip_ban_enabled: true
  login_attempts_threshold: 5

Or maybe there’s an elegant way to handle ip ban (or similar), now that I have NGINX?

I haven’t used ip ban but I looked it up and it does just what it says on the tin.
It bans an IP address (or range of addresses); why would you need that unless you have a persistent attacker who always uses the same address ?
Nginx only allows (externally) people addressing your duckdns address and using your ssl encryption key (that’s about as secure as your bank).
Internally, it allows non secure connection direct to the 8123 port, but if you have an attacker on the inside of your network, then you have already lost the war.
I don’t understand what you are trying to achieve.

With some testing, it turns out one only needs to comment out these to avoid conflicts on certs.
image
System would still work just fine with the other arguments (e.g. ip ban) under http: config

My system works fine with ip bans as you show and no ssl under http

Hi all. After a long time of smooth usage of Nginx+DuckDNS I’ve changed internet provider and router. Since then there is no way to connect from the “outside”.
All configs remained untouched, just different IP address registered by DuckDNS.
I have no problems from local network.
Ports are forwarded on the new router in the same way as on the previous one.
DuckDNS seems to be ok,
log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[07:58:49] INFO: OK
xxx.yyy.172.9zz
NOCHANGE

config: (tested with both accept_terms: false/true)

lets_encrypt:
  accept_terms: false
  certfile: fullchain.pem
  keyfile: privkey.pem
token: my_valid_token
domains:
  - my_name.duckdns.org
aliases: []
seconds: 300

Nginx works as well
log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[07:19:25] INFO: Running nginx...

config:

domain: my_name.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

configuration.yaml

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3

Any idea what is wrong?

Taking you at your word (that you have changed nothing but the ISP and the router) I assume you are able to connect to the Internet okay ?
The only things I can think of (from the top of my head) are : -

  1. Your new ISP is employing CG NAT (NAT layering), so your ‘ip address’ is not an IP address on the internet but an IP address within your ISP’s client network. The only way you can check (because asking client services will be a waste of time (“he’s asking a question that isn’t on my script”), but you may get lucky) is to try to ping it from an external source (say your phone via phone data services) and then check your router logs.
  2. Another possibility (though I would guess much less likely) is that your ISP could be using IPv6 and there’s been a mistranslation somewhere (does your router show a v6 external address?)
  3. Unless you can engage with your ISP to find a solution, Nabu Casa may be your only hope as the communication works differently (not studied it but I think it’s all instance initiated (anyone who knows to the contrary please correct me) )

I’m about to transfer ISP myself in about a week, so issues like this are a (major) concern.
Let us know how you get on
Good Luck
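Another way to test for the CG-NAT case in point 1 is to compare the WAN address shown on the router's status page with the address the DuckDNS add-on logs. This is an added example, not part of the original post: the function names are hypothetical, the sample log is constructed in the shape of the log quoted above, and it covers double NAT and upstream translation as well.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of the add-on log quoted in this thread.
SAMPLE_LOG = """\
[services.d] done.
[07:58:49] INFO: OK
203.0.113.7
NOCHANGE
"""


def ip_from_duckdns_log(log_text):
    """Return the first log line that is a bare IP address, or None."""
    for line in log_text.splitlines():
        try:
            return str(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
    return None


def diagnose_wan(router_wan, duckdns_seen):
    """Compare the router's WAN address with the one DuckDNS registered."""
    wan = ipaddress.ip_address(router_wan)
    seen = ipaddress.ip_address(duckdns_seen)
    if wan.version == 4 and wan in CGNAT:
        return "cgnat"        # ISP-side NAT: IPv4 port forwards cannot be reached
    if wan.version == 4 and any(wan in net for net in RFC1918):
        return "double-nat"   # private WAN address: another NAT sits upstream
    if wan != seen:
        return "translated"   # address is rewritten somewhere upstream
    return "public"           # forwards on this router are reachable in principle


if __name__ == "__main__":
    seen = ip_from_duckdns_log(SAMPLE_LOG)
    for wan in ("100.72.14.5", "192.168.1.2", "198.51.100.9", "203.0.113.7"):
        print(wan, "->", diagnose_wan(wan, seen))
```

Only the `public` result means the router's own port forwards are worth debugging further; the other three point at the ISP or an upstream device.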

I guess that I’ve identified the cause
ISP is not providing the public IP (it is a paid service). Previous one was slower but with public IP provided.
Now I hesitate between public IP and NabuCasa.

Do they give you IPv6 because that will work… you will need to config your router for it though.

I have not asked them yet. Assuming that the public IP I would receive will be IPv4.
Router has an IPv6 option.

Many ISPs that use CGNAT also supply IPv6 for free and it’s often a /56 static assigned. Certainly for me in Australia we get a /56 static (even with non CGNAT IPv4). So it’s worth asking the ISP if they allocate IPv6 as if they do it’s easy to use for HA.

1 Like

Hello all

I read through this and I configured the addon, duckdns, and my router (Asus RT-AC87U; Asus support tells me that my port forwarding is correct) as mentioned here on this page

yet for the past 2 weeks I am not able to access my HA through duckdns

I tried http:// and https://my domain.duckdns.org alone and with ports 8123 and 443
and tried in the same way http and https with my duckdns IP, to no avail

I cannot reach it from my Android phone either

I am at lands end I

What am I missing?

thank you for your time and all the support