I use the outside URL when I am on my internal network. If you use the inside address, that address does not match the certificate name.
I have Use internal URL unchecked.
I’ve tried that, but apparently my ISP (Spectrum) doesn’t allow “NAT loopback”, which is when you’re trying to go outside of your internal network and then back in again. For instance, if I put the duckdns URL into my laptop browser, it takes me to my router login page. I think this is probably exactly why the developers added the internal URL setting field in the app, but it isn’t working for me.
One other note here though: I am able to access HA using the internal IP on my laptop. I can’t figure out why the phone is treated differently.
On your laptop you likely told your browser to accept the certificate anyway. There is no good way to do that with the app/
Yeah, you really just want to get NAT loopback working. If your current router doesn’t do that, I suggest replacing it.
My understanding is that the NAT loopback issue is based on the ISP’s rules rather than a router capability, but someone please correct me if I’m wrong.
The most confusing part of this is having gone through the work to have a formally signed SSL certificate (per certbot and letsencrypt) and still be told by the browser that the certificate isn’t trusted… I used this guide more or less:
I even tried importing the cert.pem into the phone as a profile, but that did nothing.
If your Router support custom DNS Settings you could override your DuckDNS with your internal IP. Or setup your own DNS Server on your HA Host and change your DHCP Server Settings to this DNS if possible.
Mapping: somebody.duckdns.org -> 192.168.0.5
no it’s your router blocking this, not your ISP
1 Like
I think “NAT loopback” may refer to the same thing as “NAT Reflection”, but perhaps not. For me, to make this work I had to enable Nat Reflection on my router. NAT Reflection is definitely not an ISP issue, it’s handled entirely by the router, but how to enable it will vary by router model.
1 Like
My router calls it DNS Rebind Protection. I have to add my duckdns domain to the list of exceptions.
Sounds like it’s time for me to go looking at what 802.11ax routers are out so far 
Thanks for the help everyone- this community is terrific!
I know this is an old thread was there ever a resolution for this?
I’m on the Home Assistant IOS app v1.5.1 with the same problem (ssl cert for my external facing connection doesn’t work on my local network, so the app won’t connect).
It’d be nice to have an “ignore SSL cert error” button in the Home Assistant IOS app.
When I try to just use the native IOS Safari browser, I hit my local hassio interface, can login, but then I get the error “Unable to connect to Home Assistant” (running IOS v9.3.5).
I followed @brahmafear’s advice to replace my router with one that supports nat loopback and it solved my issue.
If I am using AdGuard can I set the redirection up in here? Means I don’t have to touch the router. If so where would I do it? Should it be in DNS rewrites or custom filtering rules, I am unsure of the difference, thanks
I don’t think you can do that, but I’m no network engineer. It seems like the newer routers support loopback out of the box though… my ASUS doesn’t even have an option to disallow it.
That guide has a section on how to do exactly that using adguard
@olbjan a dns lookup from the phone still gives the external IP address - I have posted this in the adguard page. From Windows it will resolve to the internal address, and with IP tools on the phone, pointing explicitly to my hassio IP address for the DNS Server it will resolve to the internal IP address, however a generic DNS lookup will give the external address.
The latest version of the App (upgraded last night) recognises the instance (I deleted the data and restarted the app), however still won’t connect.
Turning off IPv6 on the router enables me to connect, however this isn’t a workable solution other than to highlight that it appears to be a IPv6 DNS issue.
This’ll sound callous but… just add the AAAA record to duckdns or whatever your dns provider is as well? 
will hassio run both IPv4 & IPv6 at the same time now, or is it still one or the other? The documentation isn’t clear (to me)
Mine is ONLY accessible via IPv6 (domain only has a AAAA record) But I do use a reverse proxy as well.