Note that I have very limited experience with Home Assistant and therefore I may ask stupid questions.
When I installed DuckDNS it did not work as expected for me; therefore, either I was not doing things correctly, or the documentation is incomplete, or DuckDNS is not working as expected.
I just installed Hassio on an RPi 4b and I am now in the process of adding the must-have add-ons.
First, the documentation for DuckDNS does not say anything about port forwarding. Although you may use any port to connect to HA from outside, the default https port 443 seems the right choice. So on my router I have forwarded port 443 to port 8123 of my HA for the TCP protocol. But I have also seen some people who recommend forwarding 8123 to 8123.
To configure DuckDNS I have followed the documentation: in the add-on configuration, I have changed accept_term, token, domain and started the add-on. With this configuration, if I try to connect using https://my_domain.duckdns.org I can see the HA logo and a message “initialization” but nothing more happens. Yet if I try to connect with http://my_domain.duckdns.org:443 I can log in to HA but not in secure ssl mode. Therefore, if I strictly follow the documentation, DuckDNS does not work for me.
I did some searching on the problem and it looks like many people have the same problem. I tested several proposed solutions until I found one that worked for me. In the configuration.yaml file I have added the following 3 lines:
and I have restarted the HA server. Now I can connect to HA in secure mode using the https://my_domain.duckdns.org address. A side effect is that the HA server no longer accepts a non-secure connection like http://my_local_ip:8123, but I can connect locally using https://my_local_ip:8123.
Two questions:
Is this the right way to configure HA to use DuckDNS with ssl?
If so, why is this not correctly documented?
Side question:
As I said, I am new to Hassio and I am confused about the configuration mechanisms: I thought that everything concerning the HA configuration was kept in the “global” configuration.yaml file, but it seems that the add-ons also have some “local” configuration information. In the case of DuckDNS it seems that the ssl certificate and key information needs to be specified in the add-on configuration as well as in the configuration.yaml file. Is there a prioritization of the information specified? For example, in this case the ssl information is specified in the “local” and “global” configuration. What if I specify different values?
Yes, it is correct, and the thing with HA is it keeps changing on a regular basis. What I do is follow a few people on YouTube like DrZzs and Juan MTech, who also publishes his setup in text format for you to copy, like this, which states the correct DuckDNS setup … https://www.juanmtech.com/guide-to-home-assistant.
I must admit when I first tried to set it up a couple of years back it was a right pain trying to follow the install, but I got it sorted in the end, so you're not alone.
If you also enable the “NGINX Home Assistant SSL proxy” add-on, you can keep your local connections to port 8123 http-based, and the outside connection will be secured on the default https port 443. On my router, I only have a port forward from port 443 to port 443 of HA.
I use the default configuration of the add-on; the only thing I changed is the domain setting. I did not change anything in configuration.yaml for this.
I think I now understand better how this works. The DuckDNS add-on is responsible for getting the ssl certificates, storing them in the ssl directory, and updating the “current ip” on the DuckDNS site.
The only thing it needs to work is a port forwarding to get information from outside (certificates, DuckDNS, …). For the test, I have used port 443 as the external port redirected to 8123, but it seems that forwarding 8123 to 8123 also works. Once this is done it is possible to access the HA server from outside with http but NOT https.
In order to use https you need to tell the HA server to use the ssl certificate. This is done by using the http: section in configuration.yaml. While this is not the business of the DuckDNS add-on, it would have been nice to better document the whole process. I feel the documentation is incomplete.
@Kars: Seems a good solution with DuckDNS. I will test it.
@kars Sorry, for some reason I did not see the configuration file, but now I see where I need to modify the information. I also see that there is a network section that indicates port 443.
Seems like the only thing I need to do is to change the domain name in the add-on and remove the http: section from configuration.yaml.
Just tested NGINX and it works great.
Now the HA server has port 8123 open for http local connections and port 443 open for ssl external connections.
I had to change the port forwarding in my router to external 443, internal 443 as you explained.
Many thanks, it is a much cleaner solution and seems to work perfectly.
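The symptom that runs through this thread (a forwarded port that answers http:// but not https://) can be confirmed by probing what a listener actually speaks. The script below is an added example, not code from any poster or from Home Assistant; the function name `probe` and its return labels are assumptions made for illustration, and `my_domain.duckdns.org` is the thread's placeholder.

```python
import socket
import ssl


def probe(host, port, server_name=None, timeout=3.0):
    """Classify a listener as 'tls-verified', 'tls-unverified',
    'plain-http' or 'unknown'."""
    name = server_name or host
    # Step 1: strict TLS handshake. The certificate chain and the
    # hostname must both validate against the system trust store.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=name):
                return "tls-verified"
    except ssl.SSLCertVerificationError:
        # TLS is enabled, but the certificate is not valid for this name
        # (typical when reaching the server by local IP while the
        # certificate was issued for the DuckDNS name).
        return "tls-unverified"
    except (ssl.SSLError, OSError):
        pass  # not TLS, or no answer in time: try plain HTTP next
    # Step 2: plain HTTP. Any reply starting with "HTTP/" means the port
    # is served unencrypted.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + name.encode() + b"\r\n\r\n")
            if raw.recv(16).startswith(b"HTTP/"):
                return "plain-http"
    except OSError:
        pass
    return "unknown"


if __name__ == "__main__":
    # Placeholder name from the thread; replace with your own domain.
    for port in (443, 8123):
        print(port, probe("my_domain.duckdns.org", port))
```

With the NGINX proxy setup described above, the expected picture is `tls-verified` on the external name at port 443 and `plain-http` on the local address at port 8123; `plain-http` on the externally forwarded port means traffic from outside is unencrypted.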