I’ve been following the directions here to set up DuckDNS and certbot on my raspberry pi. I followed the setup steps on the DuckDNS site and everything seems to check out.
The problem seems to be when I get to the step where I run this command:
./certbot-auto certonly --standalone --standalone-supported-challenges http-01 --email [my email]@gmail.com -d [my doman name].duckdns.org
I receive the following message:
The following errors were reported by the server:
Domain: [my doman name].duckdns.org
Detail: Could not connect to
http://[my doman name].duckdns.org/.well-known/acme-challenge/jiTTn65jU2y9ikjbDxE_NkXCwPZMxetCsEFuniRMVRc
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I’ve forwarded the recommended ports with my pi’s IP address, but I can’t seem to get past this error. Anyone have any suggestions?
I’ve only installed HASS via the all-in-one installer and SAMBA. Unless there is something within there that is running on port 80 I don’t believe I have anything running on it. Is there an easy way to find out?
Going to the Pi’s ipaddress:80 times out and gives a “this site cannot be reached/refused connection” error message.
And when you ran the command in the blog, did you include the "\"s that create a new line for the sets of commands? I missed that first time around.
Let’s try this: Do a port forward on your router so that any requests to http://your.duckdns.name:8123 go to http://your.insideIPaddress:8123 and make sure you can get to your HA install. That will make sure your port forwarding rules are working the way they should. It looks like for some reason your firewall isn’t passing the requests through.
I had a lot of trouble setting this up myself, so once you get to the step where the certs are created (hopefully) I will give you another piece of advice that isn’t explained well in the steps. But let’s see if we can get you that far first!
I’m starting to wonder if my ISP could possibly be the issue and maybe they have a firewall up that’s not letting me fully forward ports. It appears I don’t have full access to my router settings, but more so a “tool” provided by my ISP that links to minimal settings for my router. For port forwarding all I’m really able to do is put in an IP address, the ports I want to forward, and select tcp/udp. I don’t see a way to forward from DuckDNS to my internal IP address with the settings I have available.
Also, without sounding too dumb… the IP address I want to forward the ports on would be my Pi’s IP address, correct? Not my router’s IP address.
I ran the second command, exactly as shown - first time I ever saw backslashes in a command line. Didn’t even know what they did!
Firstly, duckdns needs to somehow know what your router’s outside address is. Sometimes this is done with a client that runs on a computer in your network, sometimes the router has provisions for this itself and can periodically contact the Dynamic DNS provider and give them the router’s outside address. This is what the DNS provider uses to establish your DNS name.
I have a Fios router and use no-ip.org as a DDNS provider. The Fios router has a client built in that you set up with your login info on no-ip.org and it tells them what my router address is. Over on the no-ip.org side, I set up my domain info and point it at my router (which it knows now and allows me to pick from a drop down list).
When it comes to port forwarding on my FiOs router, I usually choose to forward both TCP and UDP. And yes the IPaddress of your Pi is the right address. So without knowing your ISP’s router setup, you basically want to do this:
Take any TCP or UDP calls and accept them in the router, then take those calls and forward them to this specified IP address and specified port.
One way of testing if your setup is working from end to end would be to set up a port forwarding rule to take any calls on port 8123 and forward them to your Pi’s IP address at the same port. Then try to go to your HA site by typing in:
If you see your HA site, then you know you have both duckDNS and your port forwarding set up correctly. Just remember to delete that rule before you try to set up Let’s Encrypt again. This is just for testing!
If that doesn’t work, then you have to figure out what isn’t set up correctly before you go any further.
Ok, initially I was running the code without the “\”. I tried running it as I have above and I’m still getting the same “unable to connect” error message.
I believe my DuckDNS situation is ok. In the documentation I linked above there is a section that sends you over to DuckDNS to install some things on the Pi that will send your IP address to DuckDNS every 5 min. I tested the script and log. Everything appears to be what you would expect, according to the documentation.
I tried your test above, forwarding port 8123 to my Pi’s address, and going to yourduckdnsname.org:8123, but had no success. I’m still convinced this might be an issue with my ISP. I gave them a call to see if they had a firewall up somewhere. They claim no and that when they log into my router they can see that the ports are forwarded and open. However, when I check them they still show closed. Sooooo… still kind of at a loss on what to do next. :-/
The only thing I can suggest at this point is to check your IP numbering scheme. I use a Class C address as I don’t have too much traffic to isolate so everything is 192.168.1.xxx. But if you can ping the router and outside addresses from your Pi, I’m stumped. Have you tried loading a GUI session and trying the RasPi browser to see if you can see outside sites?
I’m sorry, Rene - I have no experience with the Fritzbox. And I did my setup so long ago, I can’t remember the order in which I set it up. I used the techniques described in this video, if it’s of any help.
I ran through the few notes I kept on this and compared it to what was in the video and what steps you outlined above.
I don’t have anything about disabling 8123 forwarding until AFTER I got a valid certificate. I forwarded the same ports as you, same way, for the certbot procedure, then I changed forward on 443 to the Pi’s 8123 port.
I have something on my notes about Apache - it might be worth checking to make sure you don’t have another service running on 80 or 443.
I’ve dug through a number of searches on the Let’s Encrypt support site but I couldn’t find anything that seemed to apply to your situation. Most of them were authentication failures from the DNS host, but you’re using duckdns and that should be set up to pass through fine by default.
thought about that too.
i can reach my fritzbox settings from the outside.
to be sure that's not the problem i turned that off.
i turned off hass, dashboard and appdaemon this morning too.
i think that the big problem lies in the fact that the duck.sh finds another (outside) IP address and gives that to duckdns, than the outside ip address i see in the fritzbox.
why?? what could be the reason that the RPI thinks that the outside address is something else than what the fritzbox says?
If you type ifconfig at the command line of your Pi, it will show you the interface configuration (network set up). That will tell you how things are routed and what’s active and what not. Link explains some of this despite the title.
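A check for the situation raised in this thread, where the address registered with DuckDNS is not the WAN address the router shows. This is an added example, not code from any poster or from the DuckDNS or certbot projects; the function names, verdict strings and sample addresses are constructed.

```shell
#!/bin/sh
# Added example: compare the router's WAN address with the domain's A record.

# ip_class ADDR -> public | private | cgnat | special | invalid
ip_class() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") echo invalid; return ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || { echo invalid; return; }
    done
    if   [ "$1" -eq 10 ]; then echo private                                        # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private  # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private                    # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # 100.64.0.0/10 (RFC 6598)
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo special                    # link-local
    elif [ "$1" -eq 0 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then echo special
    else echo public
    fi
}

# diagnose WAN DNS
#   WAN: address shown on the router's status page
#   DNS: the domain's A record, which is where the validation server connects
diagnose() {
    wan=$1 dns=$2
    wan_class=$(ip_class "$wan")
    dns_class=$(ip_class "$dns")
    if   [ "$wan_class" = invalid ] || [ "$dns_class" = invalid ]; then echo bad-input
    # The router's WAN side is itself behind another NAT, so a port forward
    # on this router alone is not reachable from the internet.
    elif [ "$wan_class" != public ]; then echo router-behind-isp-nat
    elif [ "$dns_class" != public ]; then echo dns-not-public
    # Inbound requests for the domain arrive at a different address than this router.
    elif [ "$wan" != "$dns" ]; then echo dns-points-elsewhere
    else echo addresses-match
    fi
}

# Constructed sample values (shared-address and documentation ranges).
# On a real system, DNS would come from: dig +short yourname.duckdns.org A
echo "verdict: $(diagnose 100.72.14.3 203.0.113.25)"
```

A verdict of `addresses-match` only rules out the addressing problem; the port 80 forward and whatever is listening on the Pi still have to be checked separately.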