I am a little confused by the state of things with DuckDNS.org & accessing my HAOS instance. I’d understood that the DD (DuckDNS) addon would assist with keeping my install accessible from outside my local network, such as when at a friend’s on their WiFi or when on mobile data.
Whilst I have a fundamental comprehension of what an SSL cert is and what it affords us, I can say I don’t really understand how they work. And so I jumped for joy and called my ex-wife and dead Uncle to tell them of my excitement at having successfully got a secure connection to my HAOS at home.
I used the laptop to check it and everything seemed fine, using my shiny, new https://mysubdomain.duckdns.org address, I was fondly navigating around HOAS like a BOSS!
Then… I went out. And my instance wouldn’t load through the companion app on my Android device. I presumed I’d got something wrong. When I came home today from work, I couldn’t get it working on my laptop either. I managed to log to HAOS via https://192.168.x.y:8123 and checked the DD logs - all it says is everything (the IP address from my ISP) updated ok.
Also, when I was using it last night, although I managed to successfully log in via the domain address, I noted that a few certificate checkers didn’t seem to recognise it despite my browser assuring me it was a secured site.
And finally, I’m hoping to integrate SmartThings at a later point… I can’t seem to get beyond the webhooks at this time. However, that isn’t my current issue (well it is, but not what I’m posting about this very moment)… My concern is whether an SSL cert from DD is considered a “self signed” certificate or not. Can anyone please advise? I’m going to hazard a guess that it isn’t considered self-signed as, if I’ve understood correctly, the DD addon acquires the certificate from LE (Let’s Encrypt) as oppose DD itself… is that right?
Did you install the NGINX Home Assistant SSL proxy also?
When using a SSL certificate it is wise to install this one too, so you can internally access your instance as also with your duckdns URL.
Please read the documentation carefully before installing.
Duckdns handle the DNS registration on the internet, so your something.duckdns.com.points to your router.
You still need to set up access through your router.
Some use NGINX for this and then open ports, which enables a certificate secured connection.
Here there should be a lot of warning notes in the guide though, because although the connection is secured so other people can’t read the messages sent, it is still not that secure, since the authentication of who is allowed to use the connection is left up to HA or one of the possible many addons.
HA and all the addons have functionality and features before security, and there are alot of those.
You need just a breach in one of those an your entire network is open to the world.
HA is thinking about security all the time, but it’s just a big program and they can’t control every single add-on in every single aspect.
All security advices will tell you to install a VPN service instead. A VPN service is a program that are all about controlling the network traffic so it’s secure and authenticated correctly. The maintainers only think about this.
Once the VPN service approves a connection it lets it in on the internal network and then HA work as the internal version you already know.