HTTPS only works a few minutes

I don’t know why but I can’t get https to run properly.
I have a Fritzbox and Nginx on Homeassistant.

Today I accidentally noticed that my https works if I rename my WLAN connection and back again.

What connection can this have?

My Nginx/Homeassistant is connected via LAN.

In the WLAN there is only a printer, a few Shellys, Google Assistant loudspeakers and of course laptops/cell phones/TV

When I test my Https connection with my cell phone via 4G, it works. This error comes up in the WLAN:
NET::ERR_CERT_AUTHORITY_INVALID

with Chrome and Edge

When you set up https did you specify the different ip addresses of your home assistant instance or just the dns name?

That is my config:

http:
  cors_allowed_origins:
    #- https://xxxxx.duckdns.org
    - https://google.com
    - https://www.home-assistant.io
    - https://cast.home-assistant.io
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    #- 192.168.2.0/24
    - 127.0.0.1
    - 172.30.33.0/24
    - ::1

Hi,

The error you’re specifying means that the certificate of the server does not match the hostname or domain name you entered in your navigation bar.

Please check if you are using the exact same connection string and port.
There are basically three possibilities I can think of:

  1. You end up on the right server, but you’re using the wrong url. Make sure to use the same url inside and outside your network.
  2. You are accidentally connecting to the wrong port, and there’s a web server running there as well.
  3. There are issues with NAT loopback/hairpinning (a known issue on some FritzBox routers).

If you are sure you’re connecting using the same url, and if you ignore the warning and still end up on home assistant, 1 and 2 shouldn’t be the issue.
For 3 it is possible you end up on your router’s web interface if you continue.
It would be helpful if you shared what happens if you ignore the warning.

I would recommend trying the following to eliminate the router as a variable:
Use a local DNS resolver to resolve your domain name to a local IP address.
Some routers allow you to set this up, for example DrayTek. I don’t think FritzBox allows you to do this.

In that case you’ll need to use a separate DNS server, like pi-hole or unbound.

If none of this is set up yet, you can test this by using an entry in your hosts file from the device that is connecting. Tutorial:

This effectively does the same, but you’d need to set this up for every single device.

Thank you for your help.
I wrote XXX.duckdns.org in the Rebind Security.
In Windows CMD I did ping -a XXX.duckdns.org and got an IPv6 address.
Then I disabled IPv6 and…it works.

Is there a better way to do this? Maybe I need IPv6 in the future.

I’m not sure what you’re referring to with “Rebind Security in windows cmd”. Do you have a link describing the process, or can you show the commands you used?

Can you show the nslookup output for that domain? (Or basically how many rows you get and if they’re IPv4 or IPv6 addresses)

As for IPv6, it should be possible to use those alongside each other, but if it is causing issues, I’d recommend disabling it. Mixed networks sometimes just don’t play nicely, and trying to solve it can be a huge headache.
I can’t really see any situations where you’d need IPv6, the only reason I’d personally use it is if my external IP changed to IPv6, and in that case I’d likely disable IPv4 to prevent having to manage two networks.

(This hack made the mistake once of making a nice IPv4 network with separated VLANs and all, but forgetting to turn off IPv6 which somehow ended in every device connecting through IPv6 and being in the same LAN…)

nslookup:

Server:  fritz.box
Address:  192.168.2.1

Nicht autorisierende Antwort:
Name:    XXX.duckdns.org
Addresses:  2X3:fX:7fff:1XXf:dXX39:XXX:feXX:31e5
          87.1X.12X.XX0

This is the text from the Fritzbox about Rebind Security:

DNS rebind protection (DNS-Rebind-Schutz)
Your FRITZ!Box suppresses DNS responses that point to IP addresses in your own home network (DNS rebind protection). Here you can specify exceptions to which DNS rebind protection should not apply. To do so, enter the full host name (domain name including subdomain) in the list.

Looks like you’re on the right track with that one.

It looks like it’s connecting through IPv6 by default. Have you set up external access for the IPv6 address as well as IPv4? (Assuming IPv6 is available on the WAN side)
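The advice earlier in the thread (check which server each resolved address really lands on) and the IPv6 finding can be made concrete with the following added script; it is not from the thread or from Home Assistant. It parses Windows-style nslookup output, then opens a TLS connection to each returned address with the real hostname in SNI, exactly as a browser does, and reports whether a trusted, matching certificate came back or which verification error occurred on that path. The sample nslookup text, the domain example.duckdns.org and the addresses are constructed placeholders.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape of the thread's Windows nslookup output (addresses made up).
SAMPLE_NSLOOKUP = """Server:  fritz.box
Address:  192.168.2.1
Non-authoritative answer:
Name:    example.duckdns.org
Addresses:  2001:db8:7fff:1::31e5
          203.0.113.10
"""

def parse_nslookup(text):
    """Return the answer-section addresses, skipping the resolver's own Address: line."""
    answer = text.split("Name:", 1)[1] if "Name:" in text else ""
    addrs = []
    for token in answer.replace("Addresses:", " ").replace("Address:", " ").split():
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:  # hostname and label tokens are not addresses
            pass
    return addrs

def san_matches(hostname, cert):
    """True if a DNS subjectAltName covers hostname (exact or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, pat in cert.get("subjectAltName", ()):
        pat = pat.lower()
        if kind == "DNS" and (pat == host or (pat.startswith("*.") and
                              host.count(".") == pat.count(".") and host.endswith(pat[1:]))):
            return True
    return False

def probe(hostname, addr, port=443, timeout=5):
    """Connect to one resolved address with the real hostname in SNI and report who answered."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with socket.create_connection((str(addr), port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return f"{addr}: trusted cert for {sans}, hostname match={san_matches(hostname, cert)}"
    except ssl.SSLCertVerificationError as e:  # e.g. the router's own page answered instead
        return f"{addr}: NOT trusted ({e.verify_message})"
    except OSError as e:  # unreachable or refused on this path
        return f"{addr}: connection failed ({e})"
```

Run `probe("your.duckdns.org", a)` for every `a` in `parse_nslookup(...)` of your own nslookup output; a trusted result on IPv4 next to a verification error on IPv6 pinpoints the path that needs fixing or disabling.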