TL;DR It does not seem possible to access my home Pi HA (Supervised Install 2023.11.3) via the mobile phone network using DuckDNS to provide a public DNS entry.
In full: I’m using The DuckDNS integration for a DNS entry to allow remote access to my Pi HA . e.g. via the companion app (2023.10.2-full). This has been unreliable for months, with access failing around 20% of the time with a SSL handshake error.
However the problem now seems to be permanent. The SSL Certificate is valid (in date), and the HA node is set to the right time. Which seem to be two common causes of problems.
Having investigated this, it appears that I only have the problem when I’m using the mobile phone network to access HA. If I use my home WiFi/ISP (still using the DuckDNS public DNS entry) it works fine.
The error message from the app logs is:
11-24 15:59:31.550 20649 21484 E chromium: [ERROR:ssl_client_socket_impl.cc(975)] handshake failed; returned -1, SSL error code 1, net_error -107
But the app doesn’t actually seem to be the issue. If I trying accessing HA via Chrome on my laptop I see the same behaviour: it works via WiFi and fails using the mobile phone (4G) network.
The chrome browser console does not seem to help much either. All I get is:
Failed to load resource: net::ERR_FAILED
core-_QvDdm__sa4.js:1 WebSocket connection to ‘wss://xxxxxxxxxxxx.duckdns.org/api/websocket’ failed:
Is this due to the Mobile Phone Network blocking the connection (I do get the ‘unsafe’ warnings from Chrome when using the xxx.duckdns.org address)? Or is something on the HA node that is not configured properly?
You’ve left out some important information: namely, in the post you linked, nginix is being used. Are you using that as well? Tell us about your entire traffic flow and certificate setup, urls, etc.
Hi, no nginix. I’m just using the HA DuckDNS Addon, with all the default settings. With port forwarding on my router to map 443 to 8123. The URL is a duckdns.org one.
What URLs are you using to connect to home assistant from the inside and the outside? You can use xxxx on the hostname, but please be specific on the rest, including any port numbers appended after the URL.
exx, thanks for your help. But I was 99% certain this is due to the mobile phone network operator blocking the duckdns.org address. So I’ve given up on that and just gone for the Let’s Encrypt addon (no duckdns) with my own domain name. And everything now works fine.
I will need to write a simple bash script to implement my own dynamic dns solution. But that seems much more reliable in the long-term than relying upon what ISPs may or may not permit in terms of duckdns.org in the future.
I’d be HOPPIN mad if my isp - mobile or otherwise - was filtering traffic, and would switch to a different one immediately. But maybe that’s just me loving freedom.