Take a look at this article:
It does not totally apply to hass.io but it shows some debug steps.
I suggest to comment out the ssl* lines in configuration.yaml, port forward 8123 to 8123
and try external access without SSL ie use http.
This is step 2 in the reference.
If this does not work get someone else’s help for your router, firewall or security software.
Edit:
I did discover that if you put
base_url: xxxx.duckdns.org:8123
in configuration.yaml
You must forward 8123 to 8123 on your router (NOT 443) and
use
https://xxxx.duckdns.org:8123
to access externally.