DuckDNS URL fails on local network

I have successfully used DuckDNS for a few months. Recently I couldn’t get to the UI at https://xxxx.duckdns.org:8123. I tried the IP address and it worked (although the browser complained).

The log file stated there was an issue on base_url

2021-04-13 08:53:28 WARNING (MainThread) [homeassistant.components.http] The 'base_url' option near /config/configuration.yaml:85 is deprecated, please remove it from your configuration

so I disabled that. However, I still can’t log on via the domain; it gives me the message Unable to connect to Home Assistant, followed by Retry, which gives the error 403: Forbidden. It works via the IP address. The log file looks like this. The message on certificate renewal seems confusing given it’s valid until 6 Jun. Also, I understand that certificate renewal happens automatically, right?

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[08:41:17] INFO: OK
xx.xx.xx.xx
NOCHANGE
[08:41:18] INFO: Renew certificate for domains: xxxxx.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing xxxxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  6 14:22:30 2021 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
[08:46:17] INFO: OK
xx.xx.xx.xx
NOCHANGE

Looked at the config and the token matches the one on duckdns.org. Any ideas?

Are there any more steps I can take to troubleshoot this?

I have switched the logger to info and don’t see anything in home-assistant.log when trying to access the URL

Another piece of info that may help.

I just realised that I can’t connect to https://xxxx.duckdns.org:8123 when I’m on the local LAN but it’s ok when connecting from outside the LAN, say from a mobile. Again nothing has changed on my router config other than having upgraded HA as new releases are available.

Came back to this as I’m puzzled as to why this stopped working. In summary:
https://xxxx.duckdns.org:8123 works from outside the LAN but not on the LAN
http://192.168.2.xx:8123 works on the LAN but the browser complains that it’s not a secure connection

configuration.yaml

homeassistant:
 external_url: https://tmrha.duckdns.org
 internal_url: http://192.168.2.xxx:8123
 auth_mfa_modules:
   - type: totp
http:
 ssl_certificate: /ssl/fullchain.pem
 ssl_key: /ssl/privkey.pem
 ip_ban_enabled: true
 login_attempts_threshold: 5

DuckDNS config is ok and there are no issues in the log file

Port forwarding setup and not changed since the first [successful] setup.

When accessing the DuckDNS URL I get the error above, and when clicking ‘Retry’ the URL https://xxxxxxx.duckdns.org:8123/lovelace comes up with an Error ‘403: Forbidden’

Use https://192.168.2.xx:8123/

The fact tmrha.duckdns.org isn’t resolved is because your router doesn’t support it.
If you try to ping tmrha.duckdns.org from the local network you will notice it will use your external IP.
What you need is a hairpin DNS…f.e. NGINX, that would solve it :wink:

You’re right pinging the DuckDNS URL points to the external IP address.

So are you saying this was never working or this stopped working as a result of recent updates and the answer is to use a hairpin DNS?

Not many routers support hairpin dns. Also it needs to be specifically configured for your needs, so if you haven’t made any changes in your router recently, I don’t think this has ever been working.

I myself don’t use DuckDNS, but I manage both my global DNS server, as well as my local DNS server.

If you just want to access xxxx.duckdns.org:8123 from one or more Windows computers, you can modify the Windows host file to point xxxx.duckdns.org to your internal ip-address.

If you want phones to access xxxx.duckdns.org too, you could install something like pihole to redirect it to your internal ip-address, as it is impossible to access/modify the Android or iOS host file.

many ways lead to Rome…

You can add the domain suffix duckdns.org to your router, and make a reservation for tmrha using your internal IP :wink:

Ok, so I spent some time with the support folks at Ubiquiti (I have a Dream Machine). In their words hairpin DNS is not supported on the UDM so I’m stuck.

The idea of updating hosts files etc. doesn’t work for me as we have Android and iOS devices on the network as well as Windows machines.

Are you saying I could use NGINX? There’s an add-on on Home Assistant but all the notes/instructions seem to point to using this add-on to gain access to Home Assistant from outside the network which is something I can do already.

Could I use NGINX to resolve https://tmrha.duckdns.org on the local network to the IP address it runs on? How would I configure this? Is this a proxy host or a redirection host?

It would also be possible to use dns…

Ok great.

  • Installed the official DNSmasq add-on; config as follows:
defaults:
  - 8.8.8.4
  - 192.168.2.99
forwards: []
hosts:
  - host: xxxxx.duckdns.org
    ip: 192.168.2.99
services: []
  • The DNSmasq log file shows this
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] config.sh: executing... 
[00:03:25] INFO: Configuring dnsmasq...
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[00:03:26] INFO: Starting dnsmasq...
dnsmasq[209]: started, version 2.84rc2 cachesize 150
dnsmasq[209]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
dnsmasq[209]: using nameserver 192.168.2.99#53
dnsmasq[209]: using nameserver 8.8.8.4#53
dnsmasq[209]: cleared cache
  • When connecting to https://xxxxx.duckdns.org:8123 I still get a 403: Forbidden error

  • When I ping xxxxx.duckdns.org from a command line of a PC on the LAN I still get the WAN address of xxxxx.duckdns.org. I would expect this to point to the local IP 192.168.2.99

  • I read in another post that I have to make the home assistant (i.e. 192.168.2.99) one of the DNS servers which I have done

Any idea where I go wrong?

Did you change the dns-server address on the machine?
You can do this in network settings:

(use the ip of ha here…not 8.8.8.8)
but it’s easier to set this on your router’s dhcp server (so it will be set on all dhcp clients automatically 😉)

It’s finally working. Txs very much for your support :pray: