How to make DuckDNS addon work?

So, I believe I have followed the instructions at https://www.home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/

(1) Signed up for a domain with duckdns

(2) Installed and configured the addon

domains:
  - <redacted>.duckdns.org
token: <redacted>
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

(3) Updated the configuration.yaml with

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

(4) Set up port forwarding on my router from incoming port 8123 to port 8123 on the Home Assistant local IP address.

Accessing from outside - using the Home Assistant Android app with wifi disabled to connect to https://<redacted>.duckdns.org:8123 - just says the connection failed, with no useful diagnostic information.

Accessing http://homeassistant.local:8123 from within the LAN no longer connects.

Accessing https://homeassistant.local:8123 from within the LAN does connect, but only after telling me I’ve got an insecure connection and showing the “https” crossed out.

The pem files have been created in the correct place.

Any suggestions as to how I start to diagnose this please?

That is to be expected. The security certificate is for your DuckDNS domain not homeassistant.local.

Does the public IP address assigned by your ISP and reported by your router match the IP address reported by the DuckDNS web admin page (where you signed up)?

(1) Yes … not very pretty. Accessing the duckdns URL from within the LAN doesn’t work either, I should have said that - perhaps that’s the way to go once I’ve got it working.

(2) Yes, it matches.

Actually, in the case of trying to access the duckdns URL locally, Wireshark tells me that the browser’s SYN packets are responded to with RSTs … which can’t be the Raspberry Pi objecting to the 8123 port, otherwise the homeassistant.local address wouldn’t work …

… so it must be my router refusing to forward the port. I can understand it might refuse to forward the port if accessed from the LAN, because it might think that’s silly, but that doesn’t help me understand what’s going on from an external connection. I guess I could set up the laptop to access the duckdns address from outside the LAN using the phone as a hotspot and then see whether Wireshark reports the same behaviour … in which case I’m probably looking for help on a DrayTek forum …

Yep it’s called NAT loopback or “hairpinning”. Your router knows the ultimate end point is in your local network and so just redirects packets without exiting your network.

The matching IP addresses are good. That means your ISP is not using CGNAT, which is incompatible with DuckDNS.

So … it’s see what happens with the laptop and the tethering and Wireshark, and then probs go to a DrayTek support site …

Thanks so far. :smiley:

On re-reading the router manual I find an “enable” check box that I’d missed the first time (I’ve never used this feature before) …

1 Like

Possibly relevant if the app continues to not connect: Reddit: Duckdns.org my domain has dangerous deceptive site ahead warning in red, cant access from android app also

But also, if you find yourself with multiple web services on your pi (or more generally, hosted on your home network), I’d recommend disabling certificate generation in the DuckDNS add-on (accept_terms: false and undo the configuration.yaml changes) and instead use the Nginx Proxy Manager add-on, which does hostname-based routing (so you can tell it to route https://ha.<redacted>.duckdns.org, to homeassistant.local:8123) and can manage the certificates for you.

Also, I had to do this: Home assistant (400 Bad Request) Docker + Proxy - Solution

:rofl: I get enough of nginx in the day job thanks all the same … but yeah, I get that I can do what I like with certificates that way.

2 Likes

Thankfully, NPM does not require fiddling with nginx configuration :wink:

And with the router configuration apparently corrected it still doesn’t work, same symptoms.
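The checks raised in this thread (router WAN address versus the DuckDNS address and CGNAT, certificate name versus the name typed into the browser, RST versus silence on port 8123), as an added example that is not from any poster. The function names, the placeholder hostname and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

# RFC 6598 shared address space used by carrier-grade NAT, plus the RFC 1918 ranges.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan_ip(router_wan_ip, duckdns_ip):
    """Compare the router's WAN address with the address DuckDNS reports."""
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:
        return "cgnat"        # ISP-level NAT sits in front of the router
    if any(wan in net for net in RFC1918):
        return "double-nat"   # another router upstream would need the forward too
    if wan != ipaddress.ip_address(duckdns_ip):
        return "dns-stale"    # DuckDNS record does not point at this router
    return "ok"

def name_matches(hostname, cert_names):
    """Simplified hostname check: exact match, or one wildcard as the left-most label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and len(name) > 2 and host.partition(".")[2] == name[2:]:
            return True
    return False

def probe(host, port=8123, timeout=5.0):
    """TCP connect result: 'open', 'refused' (an RST came back) or 'timeout' (dropped)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    # Constructed sample values: documentation address range and a placeholder name.
    print(classify_wan_ip("203.0.113.7", "203.0.113.7"))
    print(name_matches("homeassistant.local", ["example-placeholder.duckdns.org"]))
    print(probe("127.0.0.1"))  # local machine only; substitute your own host
```

Running `probe` once from inside the LAN and once from a tethered connection separates a hairpinning limitation from a port forward that is not active at all.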