Let's Encrypt/DuckDNS/Hass.io error

Thanks for your detailed observation Shred,

Doesn’t seem like anyone read this or had anything to say about this.

I don’t know much regarding security, and how to track the IPs of people potentially looking into my setup, but with all the issues where people can’t access the site remotely, browsers not liking the certs, not being able to access other than hassio.local, I’m going to sit this out, and just stay local with my logins.

Hi All,

I am still having trouble with this and have no idea why. I have the addon set up as per:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "domains": [
    "xxxxxxx.duckdns.org"
  ],
  "seconds": 300
}

obviously with my credentials in place of the x’s. In my config.yaml I have the same as posted above:

http:
  api_password: xxxxxxx
  base_url: xxx.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

(although I am not 100% sure on the order these are in because I’m currently away and cannot access the config.yaml)

I have external ports 443 and 8123 forwarded to my rPi IP address within my router.

I was previously able to log into hassio using the duckdns address with :8123 on the end however it would always tell me that it was not secure:
As of 2 days ago, I can’t access via the duckdns address at all and have to use my router’s external IP address (and still get the above ‘not secure’) although according to the addon log (and my ISP data) my external IP address hasn’t changed in this time. When I log into duckdns my IP address registered with them is correct.

So I have 2 issues:

  1. it’s not secure and therefore I can’t access my configurator remotely
  2. the duckdns side of things seems broken somehow in that duckdns knows my IP address but it won’t redirect to my hass

Can someone please help me here?

Yeah, I may just be a little more paranoid than most but I just don’t like the idea of exposing a device to the internet that is only secured with a password, especially considering my secrets.yaml file is an unencrypted text file sitting on the RPi3. I also have no idea how secure Hassio is. If you do expose Hassio to the internet, I would recommend:

  • Use a different port than 443. I would do something in the 49152-65535 range as these are constantly open/closed for web browsing so a lot of port scanners don’t even scan these ephemeral ports.
  • Setting up your configuration to ban an IP after X amount of login attempts
  • Use a very complex password.

I’m by no means an expert in computer/network security but these are just things I’ve learned on my own. Personally, I’m using HomeBridge and I have an Apple TV, so I’m using HomeKit to control my devices from outside my network. I figure Apple has invested a lot more time, money and brain power in securing their services than I ever could. :wink:
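The login-attempt ban and the non-default port recommended above map onto options of Home Assistant’s `http:` component. The fragment below is an added example, not config posted in this thread; it assumes a Home Assistant release that has the `server_port`, `ip_ban_enabled` and `login_attempts_threshold` options (they were present in the hass.io era), and it keeps the `/ssl` paths the DuckDNS add-on writes to.

```yaml
http:
  # Listen on a port other than 443/8123 if you prefer; forward only that one
  # port on the router. Any port works as long as the forward matches.
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # After this many failed logins from one source IP, Home Assistant refuses
  # further connections from it and records the ban in ip_bans.yaml next to
  # configuration.yaml. Delete the entry there to lift a ban.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Keep your own `api_password` (or, on newer releases, the user accounts) in the same `http:` block; the ban counter only helps if failed attempts actually get rejected, so do not leave the password blank while testing.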


any ideas on the ‘not secure’ issue I have here?


I too am having the issue where my browser says that the connection is not secure and I have to click around the warning to get to my front end. I am not sure why that is, it seems everything else is set up and working but that the connection is not secure.

Is there a way to fix this for local connections? I just got Let’s Encrypt working today (yea!) and now my tablets (Fire) running WallPanel won’t connect to HA in addition to getting this error on all my other local devices.

I have tried using hassio.local:xxxxx, hassio.local, 192.168.xxx.xxx:xxxxx, 192.168.xxx.xxx, xxxx.duckdns.org, xxxx.duckdns.org:xxxxx - along with http & https preceding each.

Very frustrating :angry:

Is it possible to add something like "allowed_networks": ["192.168.0.0/16"] to the DuckDNS add-on to allow local access? I can’t use my duckdns address locally from any machine/instance… only when I am on a separate network altogether.

Any news on the insecure connection?
I can connect with Chrome, but i am also getting the insecure connection prompt.
Also, i can’t connect with the iOS App… :frowning:

I have been using this for a few weeks now but am also now getting a “Not Secure” prompt on Chrome. Running Hassio on an RPi3 via duckdns - any idea what’s causing this and if something needs to be fixed to keep it secure?

EDIT: I cleared the cache on my browser and this is now showing as secure… someone on another thread also shared this link which provides info on your security if you put your xxx.duckdns.org url in… https://www.ssllabs.com/ssltest/

EDIT 2: It looks like going to the Hassio Configurator is what causes the Not Secure prompt for me…as it comes up and stays until I clear the cache once I’ve ignored the chrome warning about accessing it…

If you’re using the local address in Chrome you’ll get the warning and it says on the warning page that it’s because it’s finding a certificate for your duckdns url not the local one.

Someone in the past mentioned they certified the local address to fix it, don’t know how they did it though.


Did this get resolved? I see the same issue, it is fine logging in remotely as https://{sitename}.duckdns.org:8123 correctly identifies the certificate but inside my house https://hassio.local:8123 comes up as insecure as the certificate is not associated with hassio.local

Nope :smile:

I’m getting this too since I set up access through DuckDNS. It’s all working fine - but I don’t like seeing the red ‘Not Secure’ warning.

The certificate is associated with the duckdns address, so it will always give you the red ‘not secure’ warning when visiting HA from a different address, since you aren’t accessing via the address that the certificate is for.

I understand what you are saying. Do you know if there is a way around it?

There are several :)

  • You can always use the duckdns address locally as well. What is the reason not to?
  • You can set your home DNS (if your router supports it) to return your local IP address for duckdns at home (and again, use duckdns every time)
  • You can register two duckdns addresses and include both in the certificate. Set one address’s IP to your local address (e.g. in the hosts file) and use whichever address fits whether you are at home or outside

There are many more possibilities…

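The warning discussed in the last few posts (certificate issued for the duckdns name, URL typed as hassio.local or a 192.168.x.x address) is a plain name-matching failure: a browser accepts a certificate only when the host in the URL matches one of the certificate’s subjectAltName entries. The script below is an added example, not code from the thread or from the DuckDNS add-on; it reimplements that matching rule (RFC 6125 style, case-insensitive, left-most-label wildcards, IP literals only against IP-address SANs) over constructed SAN lists so the three cases in the thread, and the "two duckdns names in one certificate" fix from the list above, can be reproduced offline. The SAN values are made up for the example.

```python
"""Reproduce the 'Not Secure' warning as a SAN name-matching check.

A Let's Encrypt certificate requested by the add-on for
  "domains": ["xxxxxxx.duckdns.org"]
carries exactly one DNS SAN. Any other host in the URL (hassio.local,
192.168.1.17, the router's public IP) fails the match below, which is what
the browser warning is telling you. Two names in one certificate pass for
both names.
"""
from __future__ import annotations

import ipaddress
from typing import List, Tuple

# (kind, value) pairs as they appear in a certificate's subjectAltName.
SAN = List[Tuple[str, str]]

# Constructed: what the add-on's single "domains" entry yields.
DUCKDNS_ONLY: SAN = [("DNS", "xxxxxxx.duckdns.org")]
# Constructed: the "register two duckdns addresses and put both in the
# certificate" option from the post above.
TWO_NAMES: SAN = [("DNS", "myhome.duckdns.org"), ("DNS", "myhome-lan.duckdns.org")]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is only
    honoured as the entire left-most label and only when at least two labels
    follow it, which is the rule browsers apply.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False  # wildcard somewhere other than the whole first label
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # '*.com' is invalid; '*' never spans two labels
    return p_labels[1:] == h_labels[1:]


def hostname_matches(requested: str, san: SAN) -> bool:
    """True if the host typed in the URL is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal in the URL only ever matches an "IP Address" SAN;
            # the DuckDNS add-on requests DNS names, so 192.168.x.x never passes.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, requested):
            return True
    return False


def browser_verdict(requested: str, san: SAN) -> str:
    """One-line summary in the spirit of the browser's warning page."""
    names = ", ".join(f"{k}:{v}" for k, v in san)
    if hostname_matches(requested, san):
        return f"{requested}: secure (matches {names})"
    return f"{requested}: NOT SECURE - certificate is only valid for {names}"


if __name__ == "__main__":
    for host in ("xxxxxxx.duckdns.org", "XXXXXXX.DUCKDNS.ORG",
                 "hassio.local", "192.168.1.17"):
        print(browser_verdict(host, DUCKDNS_ONLY))
    for host in ("myhome.duckdns.org", "myhome-lan.duckdns.org"):
        print(browser_verdict(host, TWO_NAMES))
```

The practical reading of the output: the certificate is fine, the URL is not. Either reach the instance by the name that is in the certificate from inside the LAN too (the split-DNS route discussed next in this thread), or put every name you intend to type into the `domains` list so the next certificate carries all of them.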

Could you expand on this please, I’m using AsusWRT.

Even though I also have AsusWRT, I did not try this, but a description of how to configure it is here: https://github.com/RMerl/asuswrt-merlin/wiki/Custom-domains-with-dnsmasq

Idea of this is:

  • when you are on your local network -> you ask your local DNS -> you receive local IP (e.g. 192.168.1.17 for something.duckdns.org).
  • when you are “in the wild” you ask “public” DNS server -> you receive address from duckdns DNS server (e.g. 88.33.178.11 for something.duckdns.org).
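The split answer described above is a single dnsmasq `address=` line. The fragment below is an added example, not something posted in this thread; the file path is the one the linked Asuswrt-Merlin wiki uses for custom dnsmasq options and is assumed here, the hostname and LAN address are placeholders, and Asuswrt-Merlin only reads the file once JFFS custom scripts and configs are enabled under Administration > System.

```conf
# /jffs/configs/dnsmasq.conf.add  (Asuswrt-Merlin; path assumed from the linked wiki)
# Any client that uses the router as its resolver gets the LAN address for this
# name. Resolvers outside the house still return whatever DuckDNS publishes.
address=/something.duckdns.org/192.168.1.17
```

Restart dnsmasq (or the router) after saving, then verify from a LAN client with `nslookup something.duckdns.org`, which should print 192.168.1.17, and from a phone on mobile data, which should print the public address. Two caveats worth knowing: a client hard-wired to an outside resolver such as 8.8.8.8 bypasses the router and keeps getting the public IP, and the certificate keeps validating because the name in the URL is unchanged; only the IP behind it differs, which is exactly why this route avoids the ‘Not Secure’ warning.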

Cheers, will give that a go later.

Works perfectly, thanks; it takes far longer to read the instructions than actually do it. I had read about adding dnsmasq to devices before but didn’t think it was what I was after, and hadn’t realised it was already the fundamental part of my router and you just add the IP divert to it.

If you give it a go, ignore this bit “to quit typing press ESC, to delete line press ESC and then write dd and press ENTER”, just seems to be there to confuse and isn’t part of what you need to do.

Just one final word: I’m not sure how Asus sets this DNS record (how long it is valid). Restarting the notebook will flush the DNS cache, but if you are just suspending Windows it could stay in the DNS cache.

ipconfig /flushdns

is your friend then:)