Hass.io with DuckDNS add-on: Keep getting errors when trying to connect https

Help please, I’m at the end of my rope.
I’ve installed the Duck DNS add-on to Hass.io. on a Raspberry Pi 3 using the 64-bit install. It is running over WiFi.
The DNS works just fine if I use http://my-domain.duckdns.org:8123
I cannot connect via ssl (https). I get one of two errors.
If I try https://my-domain.duckdns.org, I get "This site can’t be reached, my-domain.duckdns.org refused to connect. ERR_CONNECTION_REFUSED."
If instead, I try https://my-domain.duckdns.org:8123, I get "This site can’t provide a secure connection, my-domain.duckdns.org sent an invalid response. ERR_SSL_PROTOCOL_ERROR."
I’m using Chrome as my browser, but I’ve tried Safari and the Chrome browser on an Android phone not connected to WiFi.
I’ve tried uninstalling/reinstalling several times.

Relevant section of configuration.yaml (with my-domain substituted for the domain):
```yaml
http:
  #api_password: !secret http_password
  base_url: https://my-domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
```

Duck DNS Add-on Log file (with my-domain substituted for the domain):
```
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Fri Feb  8 20:43:09 CST 2019: OK
47.185.23.235
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing my-domain.duckdns.org
 + Creating new directory /data/letsencrypt/my-domain.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for my-domain.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for my-domain.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
```

In addition, I forwarded ports 443 and 8123 on my router. Port 80 is blocked by the ISP, but I don’t think that matters anymore.

Can someone help?

First, let me apologize for not using the markup in the log file. I thought I hit it. I know I used it below.

Second, when I look in /config/home-assistant.log, I see repeated instances of the same error message:
```
2019-02-08 21:24:09 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method
```

My ISP blocks 80 also. Did you ever get it working?

Yes, I had to use NGINX SSL proxy.


Could you elaborate on your configuration please.

Never mind, after clicking some buttons and saying false and true and whatnot and this and that, I got it working, just by pure luck, sort of. I got to read some more. But thank you for mentioning NGINX SSL proxy.

I’m facing the exact same issues. Was NGINX SSL proxy the only solution?

To the best of my knowledge and/or belief.
That is to say, I really don’t understand WHY it worked, but when I installed the SSL proxy, I was able to connect over my https://.duckdns.org connection. The only thing I can think of is that somehow NGINX is either coding the traffic properly, or doing something to allow the traffic to pass through my internet gateway that I couldn’t do with “normal” settings.

I will add – last week, I wasn’t able to connect to my homepage. I could connect over the Nabu Casa cloud (so I could ask Alexa to turn on the lights). I found that NGINX wasn’t on. Turning it on cleared up that problem as well.

Bottom line: it worked for me, try it and see if it works. Good luck

Thanks for replying, @cohenje. I installed NGINX and it seems to be running correctly, as per the log. However, I keep getting ERR_SSL_PROTOCOL_ERROR (Chrome) and “This might be because the site uses outdated or unsafe TLS security settings” (Edge) when I try accessing Hassio with the https url.

Works:
http://DOMAIN.duckdns.org

Does not work:
https://DOMAIN.duckdns.org

From your experience, do you know what I’m missing?

```json
{
  "domain": "domain.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "cloudflare": false,
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}
```

Network

Container Host Description
80/tcp 80
443/tcp 443

Log

[11:27:11] INFO: Running nginx…

/config/configuration.yaml

```yaml
default_config:
http:
  base_url: https://domain.duckdns.org
  api_password: PASSWORD
  ip_ban_enabled: true
  login_attempts_threshold: 3
```

I am in the same boat; I just installed NGINX and my config looks the same as yours. Any luck yet?

I’m not sure how I did this (will look), but I have 80/tcp as disabled.
I think that is it because you want to come in on port 443 so you are using https.

Check your Duck DNS info. Make sure your token is correct (I inadvertently dropped one character the first time I copied/pasted it).

There was a time that you had to uncomment something in your configuration.yaml file to run SSL/TLS; however, with one of the updates, that became unnecessary (someone call me out if this isn’t so). I don’t have it uncommented.

Another thing I’d try is to open it in Firefox. The security and add-ons for Chrome have been killing me for a while. Note that I’m using Chrome right now without problems.

Posting in case anyone else stumbles here trying to figure it out. My issue was port forwarding. When you set up DuckDNS, you forward 8123 to 8123. When you then go on to install NGINX, you forward 443 to 8123 (you can get rid of 8123->8123).

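Added example, not written by any poster in this thread: a small Python probe that reports, for each forwarded port, whether the listener speaks TLS, speaks only plain HTTP, or is not there at all. A plain-HTTP listener that receives a browser's TLS handshake is what produces ERR_SSL_PROTOCOL_ERROR in the browser and aiohttp's `BadStatusLine: invalid HTTP method` in the log, while a closed or unforwarded port gives ERR_CONNECTION_REFUSED. The names `probe` and `HINTS` and the placeholder host are assumptions of this example.

```python
import socket
import ssl
import sys

HINTS = {  # how each result shows up for an https:// URL in a browser
    "refused": "nothing listening or port not forwarded (ERR_CONNECTION_REFUSED)",
    "unreachable": "no answer; check the router's port forward or firewall",
    "tls": "TLS is served here; https:// should work on this port",
    "plain-http": "plain HTTP only; https:// gives ERR_SSL_PROTOCOL_ERROR",
    "unknown": "something answered, but neither TLS nor HTTP",
}

def probe(host, port, timeout=3.0):
    """Return 'refused', 'unreachable', 'tls', 'plain-http' or 'unknown'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, DNS failure, no route
        return "unreachable"
    # Certificate checks are off on purpose: the question is only whether
    # the listener speaks TLS at all, not whether its certificate is valid.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError is an OSError: the handshake failed
        pass
    # No TLS. Reconnect and see whether it answers a plain HTTP request.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"

if __name__ == "__main__":
    # Placeholder domain as used in the thread; pass your own as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "my-domain.duckdns.org"
    for port in (443, 8123):  # the two ports forwarded in the thread
        result = probe(host, port)
        print(f"{host}:{port} -> {result}: {HINTS[result]}")
```

Run it from outside the LAN (for example over mobile data) to test the router's port forwards, and from inside against the Pi's address to test the listeners themselves.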