Effortless encryption with Let's Encrypt and DuckDNS

So I was using DuckDNS with Let's Encrypt. After several attempts using this:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my generated token",
  "domains": [
    "xxxxxxxx.duckdns.org "
  ],
  "seconds": 300
}

I kept getting this error:

ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

and at the bottom of the error:

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Malformed account ID in KeyID header URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/\"",
  "status": 400
}

I eventually just installed letsencrypt manually and it worked fine. I don’t know what the issue is; this is a brand new install, so there is no chance of me really messing something up.
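The error body quoted above is a standard ACME "problem document" (RFC 7807/RFC 8555). The following is an added example, not code from the thread or from the DuckDNS add-on: it decodes that body and reads off the one concrete fact it carries, namely that the `KeyID` (the JWS `kid` header, which RFC 8555 requires to be the full account URL) ends in `/acme/acct/` with no account ID after it. The diagnosis text is this example's own interpretation of that fact; the sample body is a constructed copy of the one in the post.

```python
"""Decode an ACME problem document and explain a malformed KeyID.

Added example: not part of the thread and not the DuckDNS add-on's code.
SAMPLE_ERROR is a constructed copy of the error body quoted in the post.
"""
import json
import re
from urllib.parse import urlparse

SAMPLE_ERROR = """{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Malformed account ID in KeyID header URL: \\"https://acme-v02.api.letsencrypt.org/acme/acct/\\"",
  "status": 400
}"""

# Pulls the quoted URL out of the human-readable "detail" field.
KID_URL_RE = re.compile(r'KeyID header URL: "([^"]+)"')


def diagnose_acme_error(body: str) -> dict:
    """Return type/status, the account ID found in the kid URL, and a reading of it."""
    problem = json.loads(body)
    result = {
        "type": problem.get("type"),
        "status": problem.get("status"),
        "account_id": None,
        "diagnosis": "unrecognised error; read the 'detail' field",
    }
    if problem.get("type") != "urn:ietf:params:acme:error:malformed":
        return result
    match = KID_URL_RE.search(problem.get("detail", ""))
    if not match:
        return result
    # RFC 8555: kid is the account URL, e.g. https://.../acme/acct/12345678
    path = urlparse(match.group(1)).path
    account_id = path.rsplit("/", 1)[-1]
    result["account_id"] = account_id
    if account_id == "":
        # This example's own reading: the client sent an account URL with an
        # empty ID, so whatever it has stored as its ACME account registration
        # is empty or incomplete. The fix is on the client side (re-register),
        # not in the domains list or the DNS token.
        result["diagnosis"] = (
            "kid URL carries no account ID: the client's stored ACME account "
            "registration is empty or incomplete; re-register the account "
            "before requesting a certificate"
        )
    else:
        result["diagnosis"] = (
            f"kid URL names account {account_id}; the server rejected it for "
            "another reason (wrong directory, or account deactivated)"
        )
    return result


if __name__ == "__main__":
    for key, value in diagnose_acme_error(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

Run it as-is to see the reading of the quoted error; feed it any other ACME problem document to get the same breakdown. It deliberately stops at what the server said: the account ID is missing from the URL, which points at the client's saved account state rather than at the domain or token.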

Hi all - can anyone add some clarity around adding additional domains to a working Let’s Encrypt SSL certificate?

I have the DuckDNS/Let’s Encrypt setup working fine (through the hass.io plugin), and I have my personal domain name (through VentraIP) pointing to the xxxxx.duckdns.org domain using the DNS CNAME settings.

I can access HA at xxxx.duckdns.org (and SSL works fine). I can also access HA at my personal domain, but I get the “Your connection is not secure” message (i.e. SSL not working).

I presume this is because the certificate is only for the xxxx.duckdns.org address—so can I add my personal domain as well?

Thanks!

Why don’t you point the VentraIP domain to your HA instance? Makes no sense going through DuckDNS. You get free SSL with VentraIP anyway. I don’t understand why you are doing this.

I initially set it up before I had a domain, but figured it’d be best to keep using it for the dynamic DNS (I don’t have a fixed IP address).

As for SSL through VentraIP, all I can see are paid COMODO options. I saw a bunch of articles about VentraIP support for Let’s Encrypt, but that only seems to be through cPanel and/or if you were hosting through VentraIP as well—happy to be corrected though!

Oh yeah, you’re right… through cPanel. So you should be able to get a Let’s Encrypt cert hosting your domain on your own server (same as you do now for DuckDNS). You need the CNAME to point to HA, not DuckDNS, and use the Let’s Encrypt add-on.

My HA is running on docker on an OpenMediaVault server (debian based), so I should be fine to set up Let’s Encrypt on there (I saw a few guides around for that).

However, I believe I’d still have dynamic IP issues (I’m not on a fixed IP - just a standard Telstra HFC-based residential plan - not NBN yet (and it’ll be HFC anyway :frowning:)). This was one of the main reasons for just having the CNAME point to the DuckDNS instance.

One of the earlier posters seemed to be able to do what I was asking about when hosting through Google Domains—so I was hoping I could manage something similar.

Yeah, you will. That’s bloody annoying lol. I’m on ABB and have a sticky IPv4 address, but I block IPv4 on my HA anyway and I only update the IPv6 address at DuckDNS (but it’s static). Even with T$ I believe you will have a fixed IPv6 address, so perhaps you could be using that. It does not look like you are gaining anything by using your own domain anyway.

I actually have a few domains and was thinking about using one for this with cloudflare but I haven’t looked into that in detail yet and meh… don’t really see the point TBH.

Part of the reason for using my own domain is that my work (QLD public service) seems to block domains that are specifically DDNS sites (like DuckDNS). Hence trying to see if I could (a) get it working properly on my own domain and (b) check if work still blocked it. Haven’t had a chance to test at work with SSL not working, as I only just got the domain set up.

I haven’t really played with IPv6 yet—my ISP before moving back to Brisbane didn’t support it. Might have to look into that.

If you’re with Telstra you def have a static /56 prefix and HA works great with IPv6. So you could use that+LetsEncrypt+Your own domain with cname pointing to HA.


Thanks! Any pointers to guides around using IPv6 (especially with Telstra equipment—though I’m only using the Telstra router for 4G failover on my Asus-Merlin router)?

I am using some older Dell and Cisco managed switches though - so that may be an issue.

Much appreciated!

You’ll need to set the AAAA record with your IPv6 address and yes… your router needs to support IPv6 (might need a firmware upgrade), but if you have one it should just work. I do use Caddy Reverse Proxy, which means I only need to open one port, 443, and 80 for LE certificates.


Check out this thread as well: Free SSL Certificates through Cloudflare (15y Expiry)

Doesn’t work. I’ve tried every permutation I’ve found. I get no errors when getting the certs at all; I can see them and they are valid. I added the ssl lines and base_url lines with https://|breaking url|stuff.duckdns.org:8123. Port forwarded 443 to 8123.

I do not have ssl locally or externally. I keep getting err_ssl_protocol_err

Hello!

I’m using HASS.IO with the official DuckDNS Add-On and I have a Let’s Encrypt SSL certificate running successfully without SSL errors on port 8123. The Add-On added base_url: https://xxx.duckdns.org:8123 and my iOS apps use this URL. I set my router to forward external port 8123 to internal HASS.IO port 8123. Everything runs fine!

However, to receive webhooks I need to switch to port 443. I wonder what the best way is: only changing the port forwarding in my router from ext 8123->int 8123 to ext 443->int 8123? Or is it better to change the port of HASS.IO from 8123 to 443? Then I think I have to change the configuration.yaml to:

http:
  ...
  server_port: 443
  base_url: https://xxx.duckdns.org:443

Can someone tell me which is the preferred way?

Hello! This is just an FYI to save time for those newbies that follow the DuckDNS configuration from here.

Thanks to @Tinkerer, who helped me in Discord.

  1. After configuring the http: section, nothing else seems to work, and the reason is obvious, even though I didn’t understand before being told: when you configure SSL, http:// doesn’t work anymore. So just go ahead and start using https:.
  2. For some reason, in my router I had to forward 443 to 8123 as well as 8123 to 8123.

After doing that, I did manage to make it work from outside my network via https. Even from the iOS app.
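Several posts above describe the same symptom from different angles: ERR_SSL_PROTOCOL_ERROR after forwarding 443 to 8123, the question of whether to forward ext 443 to int 8123 or move server_port to 443, and the observation that once ssl_certificate is set, plain http:// stops working. All of them come down to one question: does the socket the URL lands on actually speak TLS? The script below is an added example, not from the thread or from Home Assistant. The pure function classify_reply() works on captured bytes (the sample replies are constructed), and probe() is a small network helper around it; the host and port passed to probe() are the reader's own and are assumptions here.

```python
"""Tell a TLS listener from a plaintext HTTP listener by its first reply bytes.

Added example; not part of the thread and not Home Assistant's code.
Sends one plaintext HTTP request and classifies what comes back:
  - a plaintext server answers with "HTTP/..." (often 400 Bad Request),
  - a TLS-only server answers with a TLS alert record or just closes.
The sample byte strings below are constructed for illustration.
"""
import socket
import sys

# TLS record content types (RFC 8446 section 5.1).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Constructed samples of what a listener may send back to a plaintext request.
SAMPLE_PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_TLS_ALERT_REPLY = b"\x15\x03\x01\x00\x02\x02\x0a"  # alert, TLS 1.0 framing, unexpected_message


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends after a plaintext HTTP request."""
    if not data:
        # Many TLS stacks drop a non-TLS client without sending anything.
        return "closed-without-reply"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    # TLS record header: content type, then legacy version 0x03 0x00..0x04.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-" + TLS_CONTENT_TYPES[data[0]]
    return "unknown"


def advise(scheme: str, reply_class: str) -> str:
    """Map the listener type plus the URL scheme being used to the visible symptom."""
    talks_tls = reply_class.startswith("tls-") or reply_class == "closed-without-reply"
    if scheme == "https" and reply_class == "plaintext-http":
        return ("ERR_SSL_PROTOCOL_ERROR: https:// reaches a plaintext listener; the port forward "
                "must end on the port where the TLS-enabled server (ssl_certificate set) listens")
    if scheme == "http" and talks_tls:
        return "listener only speaks TLS; use https:// (plain http:// stops working once ssl_certificate is set)"
    if scheme == "https" and talks_tls:
        return "listener speaks TLS; an https:// URL on this port should work"
    if scheme == "http" and reply_class == "plaintext-http":
        return "plaintext listener; http:// works here and nothing on this port is encrypted"
    return "could not classify the listener; capture the reply bytes and inspect them"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a plaintext HTTP request, and classify the reply (network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    # Usage: python probe_listener.py <host> <port> <http|https>
    # Host/port are whatever the reader is testing; nothing here is from the thread.
    host, port, scheme = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    reply_class = probe(host, port)
    print(f"{host}:{port} -> {reply_class}")
    print(advise(scheme, reply_class))
```

Probing the public side of the router (the port in the URL) and the internal side (the port HA actually listens on) with this script shows immediately whether a forward ends on the right socket: forwarding external 443 to internal 8123 only gives a working https://host URL if the process on 8123 has ssl_certificate and ssl_key configured.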

You no longer need the http: section in configuration.yaml.
In fact, if you do, it prevents you from accessing your HA instance locally.
Full instructions here : -

Read post 25 too.
I ONLY have port 443 open and it forwards to port 443
I get my certificates updated without any intervention

I do and have local access, but I do use a reverse proxy (Caddy).
Also note that if you don’t have the base_url set then the cast feature will not work.

Good information to have.
When (and if) I come to want casting then I will know it’s possible.
But you run HA on a NUC with a bespoke installation, don’t you?
Is that (Caddy) available for the average newbie on a Raspberry Pi?

Caddy is available on a RPi.
Yes my Nuc runs debian and hass.io (generic linux install)
Caddy is a hass.io add-on. Unlike nginx etc., Caddy is very easy to set up and use, and unlike others I understand it.

Sorry David, I can’t find it.
I went through official add-ons, community add-ons, then I followed your link and the two sub-links from that.
If it’s there, I’m not sure how a newbie would be expected to find it.
I did a search based on your suggestion a few posts up, and came across : -

and

But as I say, how would a newbie even be expected to look?
You know a hell of a lot more about networks than most here; can something be done to promote this (or nginx - which is quite easy to find) as a first-course external access component?
I haven’t had a chance to read either yet (I will), but JuanTech’s video seems to be the default and we keep having to deal with people who have issues because of it. :man_shrugging:
Cheers