Help with Unifi USG / Let's Encrypt / DuckDNS settings

I had a nicely working install of Hassio 61.1 with the DuckDNS/Let’s Encrypt add-on running on my EdgeRouter X. I had enabled NAT Hairpin and forwarded port 8123, and that was about it. I was able to access Hass at https://mydomain.duckdns.org:8123 from inside or outside my network.

I just swapped the EdgeRouter for a Unifi USG, still forwarding port 8123 but I can’t find any setting for NAT Hairpin. Now I can no longer access the domain name due to a certificate error. I can still reach it locally at https://192.168.1.999:8123 but only after trusting the bad certificate, which the browser said was expired May 10th.

I updated the DuckDNS Add-On from 1.0 to 1.3 but it didn’t help.

Here’s the log from the DuckDNS Add-On, telling me the cert is not expired, and DuckDNS is hitting the correct external IP:

starting version 3.2.4
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Wed Jun  6 09:03:01 PDT 2018: OK
71.xxx.xxx.xxx (redacted)
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing mydomain.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul  9 12:58:19 2018 GMT (Longer than 30 days). Skipping renew!

I’m guessing that I don’t have my USG configured correctly, and/or something went wrong with the certificate updating process. Any ideas on what I need to change to get this working again?

Sure DuckDNS has the right IP address?
Since you got a new router, maybe the IP address changed but DuckDNS didn’t update.

EDIT
Never mind, I think I see it in the log file that she sent.

Did you get a solution to this? I’ve pretty much done exactly the same thing - switched from an ER-X to a USG.

Same issue here. Have you found a solution to this?