Hass.io with DuckDNS and NGINX: HTTP works but HTTPS doesn't work (ERR_SSL_PROTOCOL_ERROR)

Hi everyone,

I’m at my wits’ end trying to get HTTPS working for the past few days. I feel like I’m almost there but can’t find the last piece of the puzzle.

My setup:

  • Pi4 4GB
  • Hass.io (Home Assistant 0.103.3)
  • DuckDNS
  • NGINX
  • Router Port forwarding for 80, 443, and 8123 to 8123
  • Logs indicate everything is running correctly

From an external device, I am able to access http://domain.duckdns.org but not https://domain.duckdns.org. I keep getting ERR_SSL_PROTOCOL_ERROR (Chrome) and “This might be because the site uses outdated or unsafe TLS security settings” (Edge) when I try accessing Hassio with the https url.

What am I missing? Do I need to set up /etc/nginx/sites-enabled/homeassistant as outlined here: Reverse proxy with NGINX using a subdomain - Community Guides - Home Assistant Community?

configuration.yaml (I’ve tried different variations of base_url - http, https, with and without port number - no luck)

default_config:
http:
  base_url: domain.duckdns.org

NGINX

{
  "domain": "domain.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "cloudflare": false,
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

NGINX Network

Container   Host   Description
80/tcp      80
443/tcp     443

Lol I was in the process of typing this exact same post when I decided to do ONE more search for an answer.

The only diff in my config is that under http I have the base_url as

https://xxxx.duckdns.org:8123

I get the login page when I go to https://xxxx.duckdns.org, but after that while on the “Loading data” screen I get a message after about a minute saying it couldn’t connect.

The only error I’m seeing in the home-assistant.log is:

2019-12-22 12:57:17 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

You don’t need the base_url in your config if you’re using NGINX for remote access. Try removing that.

You also don’t need to forward 8123 to 8123. You can just forward whatever external port you want to 443.

I’ve tried the base_url with all variations of http, https and the port number, but cannot get past the ssl protocol error to see the login page. Did you do anything differently than the steps provided on the duckdns and nginx Addon pages?

I’ll try that now and fingers crossed, hope it works.

Don’t forget to restart home assistant after making that change.

I set it up according to the DuckDNS instructions. I removed the cert file entries in accordance with the NGINX proxy directions. Trying the removal of the base_url now.

Still no joy. I removed base_url from the config yaml.

I also uninstalled DuckDNS and NGINX proxy, deleted the certs and started over. Still the same.

I connected via ssh to a server outside my network and can telnet to port 443 using xxxx.duckdns.org just fine.

However, when I try to access https://xxxx.duckdns.org now I get “the site can’t provide a secure connection.”

When I run curl from the remote server:

curl -v https://xxxx.duckdns.org
* Rebuilt URL to: https://xxxx.duckdns.org/
*   Trying 162.x.x.x...
* Connected to xxxx.duckdns.org (162.x.x.x) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

I’m wondering if it’s an issue with the Let’s Encrypt certs?

Kinda starting to think I just dump DuckDNS and use one of my external servers to proxy to my local HA.

You also don’t need to forward 8123 to 8123. You can just forward whatever external port you want to 443.

So on my router forward external port 443 to internal port 443 on my pi and not to 8123?

You can forward whatever external port you want to 443 internally. You just then need to add the port number to the end of the URL when you go to access it. I forward a high port (>20000) for obscurity to cut down on malicious attempts to access my instance.

Ok that seems to have done it. I was out and decided to try it on my phone and it came right up.

https://xxxx.duckdns.org

It does not work when I’m on my home network, but with the proxy I can still use hassio.local so all good.

Thank you!

No prob! If you can’t load your instance using the duckdns URL internally, your router might not support NAT loopback (or it does but it’s disabled). Something to look into.