DuckDNS - Let's Encrypt - Once Again

Hi All,
Apologies for taking this thing up again, but I can't find a solution in other posts. I suspect that some changes have happened that have not been included in the documentation/solutions that have been working for others.

My situation is as follows:

My port forwarding seems to work fine as I am able to connect to hassio from an external unit with:

I have the following on my DuckDNS addon:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "token-number",
  "domains": [
    "MYDOMAIN.duckdns.org"
  ],
  "seconds": 300
}

I have added the following to my config file:
http:
base_url: MYDOMAIN.duckdns.org:8123
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

What am I missing to get this thing to work?

I have tried the following, but not limited to:

  • Deleting cookies in my chrome browser
  • Adding https in my config/duckdns add-on, both together and in each of them separately
  • Removing the port forwarding on 8123 (with 443 open). Everything works as before, but no https.

Any ideas?

Does your ISP block any incoming ports?

I had to specifically request 443 be unblocked.

Good Question.
I think the answer is no as I’m able to access HA on this port from an external device.

If you are using http instead of https you are not using port 443.

Ok, I can access my HA on http://mydomain.duckdns.org:443, but this does not mean that it is open?
If it was, I should be able to use https as well?

Can I change the port number to whatever I want, or will I have to contact my ISP to get this fixed to use Let's Encrypt?

Cheers

Are the keys available at /ssl?

What does the add-on say about generation of the keys?

What ports have you forwarded? They should all be closed by default.

Does not look too promising:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
Wed Nov 28 07:56:11 UTC 2018: KO
# INFO: Using main config file /data/workdir/config
Processing MY-DOMAIN.duckdns.org:8123
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)
Details:
HTTP/1.1 100 Continue
Expires: Wed, 28 Nov 2018 07:56:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 142
Boulder-Requester: 46576249
Replay-Nonce: sad7Uu5b6w0PV4bbYC_M7INn5qFf2jEID5AesiqeM_4
Expires: Wed, 28 Nov 2018 07:56:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 28 Nov 2018 07:56:36 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Error creating new order :: Invalid character in DNS name",
  "status": 400
}
Wed Nov 28 08:01:38 UTC 2018: KO
Wed Nov 28 08:06:39 UTC 2018: KO
Wed Nov 28 08:11:40 UTC 2018: KO
Wed Nov 28 08:16:41 UTC 2018: KO

My DNS name does not contain anything other than alphabetic characters.
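The first log above shows the add-on processing `MY-DOMAIN.duckdns.org:8123` and the CA answering `urn:ietf:params:acme:error:malformed` / "Invalid character in DNS name": an ACME order carries bare DNS identifiers, so a port suffix (or an `https://` scheme) inside the add-on's `domains` entry is rejected before any challenge runs. The following validator is an added example, not code from this thread or from the DuckDNS add-on; it flags such entries before they reach the CA, and the JSON sample is constructed to mirror the first post (`my-domain.duckdns.org` is a placeholder).

```python
"""Validate the "domains" entries of a DuckDNS/Let's Encrypt add-on config.

ACME (RFC 8555) identifiers of type "dns" are bare hostnames.  A scheme,
a port suffix, a path, or a label outside letters/digits/hyphen (LDH) form
makes the CA reject the new-order request as malformed.
"""
from __future__ import annotations

import json
import re

# One DNS label in LDH form: 1-63 chars, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
_PORT_RE = re.compile(r":\d+$")


def validate_domain(name: str) -> list[str]:
    """Return the problems with one domains entry; an empty list means usable."""
    problems: list[str] = []
    if _SCHEME_RE.match(name):
        problems.append("contains a URL scheme; use the bare hostname")
    if _PORT_RE.search(name):
        problems.append("contains a port suffix; ports belong in the port "
                        "forwarding rule (443 -> 8123), not in the domain")
    host = _SCHEME_RE.sub("", name)
    if "/" in host:
        problems.append("contains a path component")
        host = host.split("/", 1)[0]
    host = _PORT_RE.sub("", host)
    if len(host) > 253:
        problems.append("hostname longer than 253 characters")
    if any(not _LABEL_RE.match(label) for label in host.split(".")):
        problems.append("a label is not in letters/digits/hyphen (LDH) form")
    return problems


def check_addon_config(config_json: str) -> dict[str, list[str]]:
    """Map each offending domains entry of an add-on config to its problems."""
    config = json.loads(config_json)
    report = {d: validate_domain(d) for d in config.get("domains", [])}
    return {d: p for d, p in report.items() if p}


# Constructed sample: the shape of the first post, with the port suffix that
# the first log shows being sent to the CA.
SAMPLE_CONFIG = json.dumps({
    "lets_encrypt": {"accept_terms": True,
                     "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
    "token": "token-number",
    "domains": ["my-domain.duckdns.org:8123"],
    "seconds": 300,
})

if __name__ == "__main__":
    for domain, problems in check_addon_config(SAMPLE_CONFIG).items():
        print(domain, "->", "; ".join(problems))
```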

Ok. So I have made some progress, I think…
I generated a new domain on Duckdns, deleted the add-on, installed it again and set it up with the new domain. I also forwarded port 80 to 80 on my router, as I realized that this was not open during the last install.

This is the readout from the add-on now:

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Thu Nov 29 09:47:18 UTC 2018: OK
IP_ADDRESS   NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing sonvin-smarthus.duckdns.org
 + Creating new directory /data/letsencrypt/my-domain.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for my-domain.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for my-domain.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
Thu Nov 29 09:55:46 UTC 2018: OK
IP-ADDRESS
NOCHANGE
Thu Nov 29 10:00:47 UTC 2018: OK
 IP-ADDRESS
NOCHANGE
Thu Nov 29 10:05:48 UTC 2018: OK
 IP-ADDRESS
NOCHANGE

So, there are no error messages from what I can see?
Still not able to access via https://
http://my.domain.duckdns.org:port is still possible

Try and forward 443 to 8123. Then access your duckdns domain with https:// and without port numbers.

I already am forwarding 443-8123
And not using port number when trying to reach address…

Am I supposed to have https:// in front of the URL in my config?

No, your config from the first post looks fine.

Can you ping your duckdns domain from external and does it resolve correctly to the right IP address?

For port forwarding, you will only need 443>8123. If that is all done, you should be able to access your HA by https://mydomain.duckdns.org. If this doesn't work, confirm the location of your SSL certs.

You have to temporarily enable port 80 on your firewall until the cert is generated the first time. I recently learned about that while I was researching this same issue this week. BRUH Automation has a great video on this - https://youtu.be/BIvQ8x_iTNE

After it’s generated, disable port 80 and hope this helps!

Where should I find these certificates?