Effortless encryption with Let's Encrypt and DuckDNS

You’ll need to set the AAAA record with your IPv6 address and yes… your router needs to support IPv6 (might need firmware upgrade) but having one that it should just work. I do use Caddy Reverse Proxy which means I only need open one port 443 and 80 for LE certificates.

1 Like

Check out this thread as well Free SSL Certificates through Cloudflare (15y Expiry)

Doesn’t work. I’ve tried every permutation I’ve found. I get no errors when getting the certs at all, I can see them and they are valid. I added the ssl lines and base_url lines with https://|breaking url|stuff.duckdns.org:8123. Port forwarded 443 to 8123

I do not have ssl locally or externally. I keep getting err_ssl_protocol_err


I’m using HASS.IO with official DuckDNS Add-On and i have successfully running a Let’s Encrypt-SSL Certificate without SSL Errors on port 8123. The Add-On added base_url: https://xxx.duckdns.org:8123 and my iOS-Apps use this URL. I set my router to forward external port 8123 in internal HASS.IO port 8123. Everything runs fine!

However, to receive webhooks i need to switch to port 443. I wonder what is the best way, only changing port forwarding in my router from ext8123->int8123 to ext443->int8123? Or is it better to change the port of HASS.IO form 8123 to 443. Then i think i have to change the configuration.yaml to:

  server_port: 443
  base_url: https://xxx.duckdns.org:443

Can someone tell me that is the prefered way?

Hello! This is just an FYI to save time from those newbies that follow the DuckDNS configuration from here.

Thanks to @Tinkerer, who helped me in Discord.

  1. After configuring the http: session, nothing else seems to work and the reason is obvious, even though I didn’t understand before being told: when you configure SSL, http:// doesn’t work anymore. So just go ahead and start using https:.
  2. For some reason, in my router I had to forward 443 to 8123 as well as 8123 to 8123.

After doing that, I did manage to make it work from outside my network via https. Even from the iOS app.

You no longer need the http: section in configuration.yaml
In fact if you do it prevents you from accessing your HA instance locally.
Full instructions here : -

Read post 25 too.
I ONLY have port 443 open and it forwards to port 443
I get my certificates updated without any intervention

I do and have local access but I do use a reverse proxy (Caddy)
Also note that if you don’t have the base_url set then the cast feature will not work.

Good information to have
When (and if) I come to want casting then I will know it’s possible.
But you run HA on a NUC with bespoke installation don’t you
Is that (caddy) available for the average newbie on a raspberry pi ?

Caddy is available on a RPi.
Yes my Nuc runs debian and hass.io (generic linux install)
Caddy is a hass.io addon. Unlike nginx etc, caddy is very easy to setup and use and unlike others I understand it.

Sorry David, I can’t find it.
I went through official add-ons, comunity add-ons, then I followed your link and the two sub-links from that.
If it’s there, I’m not sure how a newbie would be expected to find it.
I did a search based on your suggestion a few posts up; and came accross : -


But as I say, how would a newbie even be expected to look ?
You know a hell of a lot more about networks than most here, can something be done to promote this (or nginx - which is quite easy to find) as a first course external access component ?
I haven’t had chance to read either yet (I will) but JuanTech’s video seems to be the default and we keep having to deal with people who have issues because of it. :man_shrugging:

The first one Korylprince is the one I use. I didn’t have any expectations regarding newbies - I was answering your question.

David, I much appreciate your answer, but I’m considering the greater good.

  1. What will help newbies get a working external access ?
  2. What will (in the same blow) deliver them a robust access environment that allows local access on local:8123 and remote access on https://myfortressofsolitude.duckdns.org ?
  3. Have this solution live harmoniously with other HA features, such as cast
  4. Will leverage your knowledge of networking to make it accessible to John Q Public (and explanation of each step, setting and why)
  5. Will allow a simple redirection to said post for all newbies (and dumb schmucks like me, who never heard of caddy) So that we all (on the forum) spend less time answering the same question again and again.

I think you could do this and though it may take a while to collate, cover all the angles and answer most peoples questions. I do think it would be worthwhile - A bit like finity’s EPIC time manipulation thread.
Thanks for your time to date.

Edit: or just post it in this thread :man_shrugging:

I actually was in the middle of writing a guide for Caddy on my blog. You can see that here.

Nabucasa :slight_smile:





This is a long thread and I spent a couple hours following it and trying various suggestions, but I’m stuck. Can anyone provide a few more troubleshooting tips (sorry if I may have missed the key post above - I’m not very adept at networking).

Here’s what I’ve tried:

  • followed all instructions for setting up duckdns
  • I set up port forwarding from 8123 to 8123 on my home router
  • I can access through my internal network as long as precede the network name by ‘https://’
  • I can successfully ping mydomain.duckdns.org from my command line
  • I can successfully ping my external ip from my command line (ping xx.xx.xx.xxx)
  • I cannot get the a webpage to load at the expected duckdns address (with or without the trailing :8123)

[post 1 of 2]

[post 2 of 2 - sorry! as a new user I couldn’t post it all together]

I stumbled across this blog post which suggested using nginx to avoid the need for https on the internal network.

Here’s what I did:
  • I removed the lines in my configuration.yml file specifying the base_url
  • I added the nginx plugin
  • I can access HA through my internal network without https
  • I cannot get the a webpage to load at the expected duckdns address (with or without the trailing :8123)

Additional info:

  • I don’t see any errors in the HA system log
  • pinging my local IP works (ping 192.168.0.xxx)

Are there any other intermediate steps I can try to troubleshoot to figure out where the problem is? Is it possible that my router is blocking incoming traffic (I’m on comcast/xfinity). How would I know if this were the case?

I also tried typing my public IP in a browser https followed by 98.247.xx.xxx:8123 under the assumption that that should bypass the need for duckdns (at least temporarily, until my IP changed). But that doesn’t work either (browser returns " This site can’t be reached"). Is that another clue that the problem might lie with my router?


My best suggestion is outlined in : -

It works! The issue seems to have been that I cannot access the external address through my internal network.

When I turn off wifi on my cellphone, I can access HA through either http://mydomain.duckdns.org:8123 OR http://<my_public_ip>:8123. (though https doesn’t work).

It’s probably been working all along. I just didn’t think to try accessing it from an external network. Is it expected behavior that my internal network would be blocking requests in this way? Maybe I missed (or just didn’t understand) that somewhere in the documentation. Or is this some peculiarity of my network settings?

In any case, hopefully this can be useful to others. Thanks for the help!

It may well be that your modem does not support hairpin nat
ie it asks duckdns for the address which is revealed as itself but it won’t talk to itself.
If you employ the full instructions you can do local and full external