DuckDNS Setup Issues with SSL, Hassio Ver. 0.94.4 On a RP3

chad01 · July 2, 2019, 1:02am

It’s been about 3-weeks of struggling in the evenings to get DuckDNS configured so I can use an SSL connection. I’ve poured over countless other posts with issues that were related to what turned out to be simple configuration issues with either Configuration.yaml file or DuckDNS configuration. I can’t seem to find any commonalities in my case, so some help would be greatly appreciated. When installing DuckDNS, I get confirmation in the DuckDNS log that it completed successfully and can see the public and private key files located in my /ssl directory on my RP3. I’ve confirmed that DuckDNS is seeing the correct IP address that my ISP has provided me and when I try using my cell phone, with Wi-Fi disabled, to hit my public IP address, the only way I can successfully connect to HA is by using http://my_public_IP:443. If my public IP were 123.45.67.89 then here are the results of various tests:

https://123.45.67.89:8123 - ERR_CONNECTION_TIMED_OUT
http://123.45.67.89:8123 - ERR_CONNECTION_TIMED_OUT
https://123.45.67.89:443 - ERR_SSL_PROTOCOL_ERROR
http://123.45.67.89:443 - connects unsecurely!
https://123.45.67.89:80 - ERR_CONNECTION_REFUSED
http://123.45.67.89:80 - ERR_CONNECTION_REFUSED

My Configuration.yaml files looks pretty simple at the moment as my system recently crashed and I started all over again. It looks like this:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
 http:
   base_url: my_subdomain.duckdns.org:8123
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

# Sensors
sensor:
  # Weather prediction
  - platform: yr

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml

My DuckDNS config looks like this:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my_personal_token_from_DuckDNS",
  "domains": [
    "my_subdomain.duckdns.org"
  ],
  "seconds": 300
}

I have a double router configuration with R1 at premises and R2 wired to LAN of R1. On R1, I currently have the following port forwarding rules: 8123->8123, 443->443.
On R2, I currently have the following port forwarding rules: 443->8123, 80->80.

I’ve tried moving my RP3 to LAN of R1 to eliminate potential issues with a double router config and added the port 80->80 and 443->8123 rules to R1 but with similar results as shown above when trying various combinations of http/https with my local IP address and various ports. Don’t know what else to try… A little help please!

tom_l · July 2, 2019, 2:48am

The ssl certificate is for the duckdns domain name not the ip address. Also if the WAN to LAN router is forwarding port 443 you don’t need to include the port, it is implied by https (though it does not cause an issue).

So on your mobile connected to the cellular network try:

https://my_subdomain.duckdns.org

https://123.45.67.89:8123 - ERR_CONNECTION_TIMED_OUT - ### wrong port
http://123.45.67.89:8123 - ERR_CONNECTION_TIMED_OUT - ### wrong port, wrong protocol
https://123.45.67.89:443 - ERR_SSL_PROTOCOL_ERROR - ### using IP rather than my_subdomain
http://123.45.67.89:443 - connects unsecurely! - ### using IP rather than my_subdomain, wrong protocol
https://123.45.67.89:80 - ERR_CONNECTION_REFUSED - ### wrong port
http://123.45.67.89:80 - ERR_CONNECTION_REFUSED - ### wrong port, wrong protocol

chad01 · July 2, 2019, 1:19pm

Thanks for your help @tom_l. Hitting https:/my_subdomain.duckdns.org from a mobile gives ERR_SSL_PROTOCOL_ERROR.

tom_l · July 2, 2019, 1:22pm

Is that with HA on the R1 LAN?

Did you change your base URL?

You have port 8123 specified but it should be 443 or nothing if R1 is forwarding 443->8123.

chad01 · July 2, 2019, 3:01pm

This is with HA on R2, with no changes to base URL in any of my configurations. I typed in “https://my_subdomain.duckdns.org”, using my actual subdomain name of course. R1 is not currently forwarding 443->8123. I have 443->443 and 8123->8123 on R1. If I remove all rules on R1 and add 443->8123 then I get ERR_CONNECTION_TIMED_OUT.

chad01 · July 2, 2019, 6:24pm

@tom_l,

When you ask if I changed my base URL, do you mean at any time after installing DuckDNS, or since you and I began communicating? If the latter, then my answer stays a “yes”, if the former, then I think I may have changed it from having https://my_domain.duckdns.org:8123 to my_domain.duckdns.org:8123 after seeing other posts. But quite honestly, I’ve tried so many things that I’m not 100% sure any more…

chad01 · July 3, 2019, 9:59pm

Any other ideas @tom_l or do I need to move this question over to Discord Chat?

chad01 · July 5, 2019, 9:36pm

Update:

In order to simply my installation and rule out double router config issues I’ve moved my RP3 install with Hassio to R1 and deleted my SSL keys. I added port forwarding rules on R1 for 443->8123 and 8123 -> 8123 as well as 80->80 with all rules pointing to my RP3’s IP. Next I uninstalled DuckDNS and reinstalled it. Again the DuckDNS logs show a successful install and my new keys are sitting in my /ssl directory. My DuckDNS configuration is the same as listed above. I’ve restarted HA and used my mobile with WiFi disabled. As per @tom_l’s instructions I’m now trying to hit https://my_subdomain.duckdns.org and still am getting the ERR_SSL_PROTOCOL_ERROR. My home-assistant.log shows the following:

2019-07-05 16:57:24 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
2019-07-05 16:57:24 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
2019-07-05 16:57:25 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

I’ve lost about 4-weeks of evenings trying to get what should be a simple install of DuckDNS working and am at a point of desperation… Anyone able to render some assistance, please? Anyone?..

tom_l · July 6, 2019, 12:20am

Everything you have done is correct. Check if your ISP blocks any incoming ports. Particularly 443.

chad01 · July 6, 2019, 12:38am

Just checked and my ISP does not block port 443, 8123 or 80

tom_l · July 6, 2019, 12:39am

Over to discord then. I’ve got nothing else to offer sorry.

chad01 · July 6, 2019, 12:40am

Thanks for trying @tom_l

chad01 · July 6, 2019, 4:40pm

For all the rest of the folks out there having similar issues, I wanted to share the solution to the problem above. @cogneato over on the Discord Chat server was able to spot that I had a single space before my http: opening block in my configuration.yaml file. Watch your formatting carefully because it can cost you a lot of heartache and wasted time!