Lost remote connection, mostly

I have been running Home Assistant for half a year or so for my alarm. All has been well. We are running on an Rpi, and have installed DuckDNS and NGinx per https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy?gclid=CjwKCAiA-f78BRBbEiwATKRRBLL6gzPz1XjTQ16gBgVlNh7w-HtzQaEmDWl2C2FVdcI2VXqLKnhiXBoCSx4QAvD_BwE

We are now on a trip, and halfway through the trip have lost remote connection, mostly.

I use the HA Android app, but also was able to connect via browser in my android or laptop, at https://[mydomain].duckdns.org. We lost connection, and have been unable to restore. Unfortunately, I did not set my router to pass through SSH, so I have limited ability to do anything.

I asked my neighbor who is cat watching to reboot the Pi, but that did not solve.

Within the house on the local network (using http), the wall-mounted tablet (running WallPanel) still communicates ok.

From my tablet on the road, the app indicates “Unable to connect to home assistant”, with wait, refresh, and settings. It does display the HA logo (behind the pop-up) with a “retry” link.

From tablet in browser, it would render the top blue bar and the HA logo, with retry link. If I hit retry, then it would try to go to https://[mydomain].duckdns.org/lovelace, and would say “This site cannot be reached”, might be down or may have moved permanently to a new web address. I tried deleting cached data from the browser, which logged me out, so next try was same sequence (HA screen but no connection, then cannot be reached), except now the site is https://[mydomain].duckdns.org/auth/authorize?xxxxxxx where xxxxxx is a bunch of stuff, probably related to my key.

It would appear therefore that the router at home is not the issue, it seems to be passing me through to the Pi. But the Pi is not allowing access, though it serves up the logo.

Now for the strange part. Despite not being able to log in via the app or browser, I am still getting notifications via the app. When neighbor goes to feed the cat, I get a notification that the door opened, and the alarm is disabled.

So clearly the path is open, and we are getting some communication, but the web interface does not work. It does appear to work within the home (http, not https).

I have port 443 forwarded through the router to HA on the Pi. I think 80 and 8000 are redirected to camera system, but I don’t recall for sure.

I suspect that it has to do with the certificate. Some posts have indicated that cert may need to be renewed. Others indicate that should be automatic. If this is the case, how do I do that, and if needed, can you give explicit enough instructions that neighbor could do it from the wall panel? (Although that account may not have privileges). If not the cert, what else should I look at?

On the Pi I am running the Hassio image installation.

Oh, I also tried going direct to my home IP without Duckdns, same result

Thanks for any insights. Even if I have to wait until I get home, at least with your help I can resolve this.

Chuck

Did you update home assistant?

Not recently. It was working first few days of this trip (and for months), but then suddenly quit.

It is version 114, as the later version did not work properly with BWAlarm, awaiting updates on that software. Last update was probably a month ago, was working fine since then.

Nothing should have changed while I have been gone.

Chuck

There have been a few automatic supervisor updates. You have no control over that. I wonder if it is a supervisor compatibility problem?

I would think that would kill Lovelace on internal as well as external? Internal (port 8123, http) still works

Chuck

OK, I think we can confirm the issue is certificate renewal:

I tried https://www.ssllabs.com/ssltest/, and the report indicates my certificate expired Nov 1. It was valid from Aug 3, and I did nothing at that time to renew. So somehow it did not auto renew this time around, and I have no idea how, either here or at home, to manually renew the certificate. Issuer is LetsEncrypt Authority X3.

So, any help to point me how to resolve an expired cert would be great!

Thanks
Chuck
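An added example (not part of any post in this thread): a standard-library Python check that separates "certificate failed verification" from "host unreachable" and flags a certificate whose automatic renewal is overdue before it actually expires. The 30-day threshold and the year and times in the constructed sample dates are assumptions; only the Aug 3 and Nov 1 dates come from the post above.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumption: a 90-day cert should be renewed before <30 days remain


def classify(not_before, not_after, now):
    """Classify validity from notBefore/notAfter strings as returned by getpeercert()."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    ts = now.timestamp()
    days_left = int((end - ts) // 86400)  # negative once expired
    if ts < start:
        return "NOT_YET_VALID", days_left  # often a wrong system clock
    if ts >= end:
        return "EXPIRED", days_left
    if days_left < RENEW_WINDOW_DAYS:
        return "RENEWAL_OVERDUE", days_left  # auto-renew has missed its window
    return "OK", days_left


def check_host(host, port=443, timeout=10):
    """Do a fully verified TLS handshake and return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Port forwarding works, but the certificate is rejected (e.g. expired).
        return "VERIFY_FAILED", exc.verify_message
    except OSError as exc:
        # DNS, routing or port-forwarding problem: no TLS session at all.
        return "UNREACHABLE", str(exc)
    now = datetime.now(timezone.utc)
    status, days = classify(cert["notBefore"], cert["notAfter"], now)
    return status, f"{days} days left, notAfter={cert['notAfter']}"


# Constructed sample: a 90-day certificate, Aug 3 to Nov 1 (year assumed).
SAMPLE_NOT_BEFORE = "Aug  3 00:00:00 2020 GMT"
SAMPLE_NOT_AFTER = "Nov  1 00:00:00 2020 GMT"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(check_host(sys.argv[1]))  # e.g. run daily from cron and alert on non-OK
```

Run on a schedule from a machine outside the home network, a `RENEWAL_OVERDUE` result gives weeks of warning before remote access breaks.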

Yeah it would. Must have scanned past your wall panel working.

It does sound like a certificate issue. While you don’t need to forward port 80 now (and renewal is automatic) I wonder if having port 80 used by your cameras could be an issue?

Another thing to check, is your public IP address routable?

i.e. has your ISP changed to using CGNAT?

Is your system time correct (that can cause certificate issues)?

I believe system clock is correct (but cannot check from here since no access). I have not had issues with clock (or date) prior when looking at data from connected sensors on my water tank.

I cannot tell you if ISP has changed, except that I am getting into HA, just stops there after displaying logo. The IP has not changed in about 2 years at least, and appears to still be the same. The SSL checker noted above found the right machine, so I assume it is routing the IP correctly.

I suspect I will not be able to do anything to renew the cert until I get home. But clearly it did not auto renew.

It is possible that I updated DuckDNS add-on in August, and perhaps that triggered the renew of the cert. I see some people saying to remove DuckDNS and NGINX and then re-install, but that should not be needed. Perhaps my logs will show something, but again, need to wait until I get home.

Specifically what to do to force a missed update would be helpful, if there is something short of uninstall/reinstall

Thanks
Chuck