Effortless encryption with Let's Encrypt and DuckDNS

I believe I have followed it right, but I can’t get https to work; http works fine.

This is the only error I can see…

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_protocol.py", line 242, in data_received
messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 519, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

Any ideas? Thanks!

I’m having the exact same issue.

Hi all,
I am new with Home Assistant and still learning from the available documentation.
Trying to access hass.io from the internet, I have followed the same steps as described in @Bobby_Nobble’s post from 15th April. The result is that now I can’t access the UI, neither from my home network nor from outside.
Connection via ssh shows that HA is running. Also the files fullchain.pem and privkey.pem are in the /ssl folder.
Any hint or idea? Thanks.

Yep, I’ve been spinning my wheels over the apparently same issue as Chewie. Now it’s a month and a half later than when Chewie had the problem, so…
Hey, Chewie, did you get that solved?

Thanks to a blog post by Andreas Gohr I realized that DuckDNS supports setting TXT records, making it compatible with the DNS-01 challenge of Let’s Encrypt. The DNS-01 challenge uses the DNS record of the domain instead of interacting with the server. This means that the user doesn’t need to open any ports!

But I DO have to forward a port on my router. What is meant by this passage?

One documentation I read guided you to first set up a test port forward (8123 → 8123) and later on advises you to delete that port forward and replace it with (443 → 8123).
Currently I can’t find that doc.

What’s the reason for this?

Is it more insecure to open port 8123 to the public than opening 443?

The advantage of forwarding 8123 to 8123 is that it will be the same URL either in the local or in the public network.

When I change it to 443 → 8123 then I have to open XXX.duckdns.org in a public network and XXX.duckdns.org:8123 in my local network. Or is there a workaround for that?

So if it makes no difference (that’s my main question) whether you choose 443 or 8123, then why use different ports?

EDIT:
This is the doc I was talking about.

Headlines 5 - CHECK THE INCOMING CONNECTION and 6 - CLEAN UP PORT FORWARDS:

In step 2 we created a port forwarding rule called ha_test. This opens port 8123 to the world, and is no longer necessary.
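The quoted blog passage above says the DNS-01 challenge works through a DNS TXT record rather than an inbound connection. The following added example (not from the thread, the blog, or the DuckDNS add-on) shows what that record contains per RFC 8555 §8.4 and RFC 7638, using a constructed placeholder account key and token; it is only the value DuckDNS must publish, not a client for DuckDNS or Let’s Encrypt.

```python
# Added example (not from the thread): what the DNS-01 challenge actually
# publishes. The CA only has to look up one TXT record under the domain,
# which is why issuance needs no inbound port on the router.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical
    JSON of the required members (e, kty, n), sorted keys, no whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Key authorization is '<token>.<thumbprint>'; DNS-01 publishes the
    base64url SHA-256 of it (HTTP-01 would serve the plain string instead)."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def txt_record_name(domain: str) -> str:
    """Name of the TXT record the CA queries for a given (sub)domain."""
    return f"_acme-challenge.{domain.rstrip('.')}"


# Constructed placeholders: not a real account key and not a real ACME token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-value"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    print(txt_record_name("example.duckdns.org"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, thumb))
```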

Last passage before section 1 mentions why.
It’s because he aims to get the default behavior of writing https which runs on port 443 instead of having to specify port each and every time.

Personally I have also seen that if you want to run Home Assistant as a progressive web app (i.e. it shows up as an app in your drawer) on Android, you need to run it on port 443 or port forward 443 to the HA port of your choice.

From a local network standpoint you can still run the same https://xxx.duckdns.org address as externally.
This is because the router knows that the endpoint of that address is internal so it will just turn the traffic back around.

But from a security point of view it’s the same, whether you open 443 or some other port?
Or is it even more secure to have another port than 443 because it isn’t that obvious for a potential attack from a hacker?

I don’t care if I have to specify the port every time, because I save the url as bookmark, so I don’t have to care about that.
I just want to know if I’m doing it right. So are both ways ok or is one better than the other?

Are you sure about that? I tried it with port 443 but I wasn’t able to open it without the internal port at the end (locally).
My router doesn’t support NAT loopback; maybe that’s the issue?

Changing the port would be classified as security by obscurity, i.e. security-wise it makes no difference. A bot will port scan you anyway.

What setting you need to do on your router, I’m unsure. I never had to tweak this on any of mine.
I would say that the router should be able to find the lookup address in its own DNS table.

I.e. it resolves the duckdns address to its own external address, and hence loops it back internally.

So there should not be any NAT loopback involved.

My DuckDNS works outside my local network (https://XXXXXX.duckdns.org/), but when I use the same address at home on the local network it brings up the login page for my router, not Home Assistant. What am I missing? Any help would be greatly appreciated. Thanks!

You haven’t forwarded 443 to 8123

I do have 443 to 8123 set up. I have a Ubiquiti EdgeRouter… I think this may be the issue.

I thought this might help but it didn’t…https://loganmarchione.com/2017/04/duckdns-on-edgerouter/

Figured it out… I removed the LAN interfaces from the port forwarding and put switch0.

Hi All,
Can you help please? I installed Hass.io a couple of days ago and am now setting up DuckDNS as distributed.
Hass does not start up anymore; this is my error message in the log file:

2019-02-26 11:11:09 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error errno:1 reason: HTTP_REQUEST
Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
  File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1056)

This is in my configuration file:
http:
# base_url: https://secret.duckdns.org:8123
# ssl_certificate: /ssl/fullchain.pem
# ssl_key: /ssl/privkey.pem

and this is the setup in the DuckDNS add-on config:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "token from Duck DNS page",
  "domains": [
    "secret"
  ],
  "seconds": 300
}

I did not install the add-on Letsencrypt separately, as it was not in the instruction.

Anybody any idea to help the newbie with HASS?

Greetings
Valentijn
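The two tracebacks in this thread are mirror images of one mismatch between the scheme the client uses and the listener Home Assistant runs: a TLS ClientHello arriving on a plain-HTTP port is what aiohttp rejects as "invalid HTTP method" (first post), and a plain-text request arriving on a TLS port is what OpenSSL reports as "[SSL: HTTP_REQUEST]" (the log above). The following added example, not code from the thread or from Home Assistant, classifies the first bytes of a connection to tell the two cases apart; `classify_first_bytes` and `diagnose` are assumed names and the sample bytes are constructed.

```python
# Added example (not from the thread): tell the two errors quoted in this
# thread apart from the opening bytes a listener receives.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the opening bytes of a connection."""
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length, then a handshake header whose first byte 0x01 = ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def diagnose(listener: str, data: bytes) -> str:
    """listener is 'http' (no ssl_certificate in the http: section) or 'https'
    (ssl_certificate/ssl_key set). Returns the log symptom to expect."""
    kind = classify_first_bytes(data)
    if listener == "http" and kind == "tls":
        return "https:// used against a plain-HTTP port: aiohttp BadStatusLine: invalid HTTP method"
    if listener == "https" and kind == "http":
        return "http:// used against a TLS port: ssl.SSLError [SSL: HTTP_REQUEST]"
    if kind == "unknown":
        return "neither HTTP nor TLS"
    return "ok: client scheme matches the listener"


# Constructed samples: the first 11 bytes of a TLS 1.2 ClientHello record
# (record version 0x0301, handshake type 0x01), and a plain request for the
# DuckDNS host name used in this thread.
CLIENT_HELLO = b"\x16\x03\x01\x00\xa1\x01\x00\x00\x9d\x03\x03"
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: secret.duckdns.org\r\n\r\n"

if __name__ == "__main__":
    for listener in ("http", "https"):
        for sample in (CLIENT_HELLO, PLAIN_GET):
            print(listener, classify_first_bytes(sample), "->", diagnose(listener, sample))
```

Once ssl_certificate and ssl_key are uncommented, every client (bookmarks, the mobile app, the router’s port forward target) must use https://, or the HTTP_REQUEST line above is exactly what the log shows.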

I could startup Hass with the following in my config file.

# duckdns  
http:
#  base_url: https://secret.duckdns.org:8123
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

but no SSL…

Remove https:// and remove port
Remove /ssl/

@Vennerberg thanks for the remark. Tried that but without success.

Config file error:
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'privkey.pem'. (See /config/configuration.yaml, line 44). Please check the docs at https://home-assistant.io/components/http/ 

any other ideas?

Wait hold on… in configuration.yaml it’s supposed to be as you stated. With https:// and /ssl/ In the hassio config for duckdns it’s supposed to be as I said. No https, no ports and no /ssl/

And remove #

@vvanderhammen
Did it work?

Nope sorry, this is what I have tested:

DuckDNS config:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "token from Duck DNS page",
  "domains": [
    "secret.duckdns.org"
  ],
  "seconds": 300
}

So without the /ssl/, ports and https.

And this is in my configuration file:
http:
base_url: https://secret.duckdns.org:8123
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Same error log, I’m afraid…