No Access from Android Device (SSL Handshake) if using Mobile Phone Network, OK via WiFi

TL;DR It does not seem possible to access my home Pi HA (Supervised Install 2023.11.3) via the mobile phone network using DuckDNS to provide a public DNS entry.

In full: I’m using the DuckDNS integration for a DNS entry to allow remote access to my Pi HA, e.g. via the companion app (2023.10.2-full). This has been unreliable for months, with access failing around 20% of the time with an SSL handshake error.

However the problem now seems to be permanent. The SSL Certificate is valid (in date), and the HA node is set to the right time. Which seem to be two common causes of problems.

Having investigated this, it appears that I only have the problem when I’m using the mobile phone network to access HA. If I use my home WiFi/ISP (still using the DuckDNS public DNS entry) it works fine.

The error message from the app logs is:

11-24 15:59:31.550 20649 21484 E chromium: [ERROR:ssl_client_socket_impl.cc(975)] handshake failed; returned -1, SSL error code 1, net_error -107

But the app doesn’t actually seem to be the issue. If I try accessing HA via Chrome on my laptop I see the same behaviour: it works via WiFi and fails using the mobile phone (4G) network.

This seems similar to what was reported here:
Home Companion issue when accessing with with a ssl certificate (external access) but there is no solution.

The chrome browser console does not seem to help much either. All I get is:

Failed to load resource: net::ERR_FAILED
core-_QvDdm__sa4.js:1 WebSocket connection to ‘wss://xxxxxxxxxxxx.duckdns.org/api/websocket’ failed:

Is this due to the Mobile Phone Network blocking the connection (I do get the ‘unsafe’ warnings from Chrome when using the xxx.duckdns.org address)? Or is there something on the HA node that is not configured properly?

1 Like

You’ve left out some important information: namely, in the post you linked, nginx is being used. Are you using that as well? Tell us about your entire traffic flow and certificate setup, URLs, etc.

Hi, no nginx. I’m just using the HA DuckDNS Addon, with all the default settings. With port forwarding on my router to map 443 to 8123. The URL is a duckdns.org one.

A bit more information:

$ curl -v https://xxxxxx.duckdns.org

* Trying nnn.nnn.nnn.132:443…
* Connected to xxxxxx (nnn.nnn.nnn.132) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, access denied (561):
* OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
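Added example, not part of the original posts: a small Python decoder for the numbers in the curl trace above. It shows that `(561)` and `0A000419` both encode a fatal TLS alert 49 (`access_denied`) received in reply to the ClientHello, that is, before any server certificate is sent. The function names and the sample record bytes are constructed for illustration.

```python
import struct

# TLS alert descriptions (RFC 8446, section 6); subset relevant to handshakes
ALERT_DESC = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name", 120: "no_application_protocol",
}
ALERT_LEVEL = {1: "warning", 2: "fatal"}


def decode_alert(level, desc):
    """Map the two alert bytes to (level name, description name)."""
    return (ALERT_LEVEL.get(level, f"level_{level}"),
            ALERT_DESC.get(desc, f"alert_{desc}"))


def decode_curl_alert(code):
    """curl -v prints an alert as (level << 8) + description, e.g. '(561)'."""
    return decode_alert(code >> 8, code & 0xFF)


def decode_openssl_error(err_hex):
    """OpenSSL 3.x: library number sits above bit 23, reason code below it.
    In the SSL library (20), reason 1000 + N means the peer sent TLS alert N."""
    code = int(err_hex, 16)
    lib, reason = (code >> 23) & 0xFF, code & 0x7FFFFF
    if lib == 20 and 1000 <= reason < 1256:
        n = reason - 1000
        return ("received_alert", ALERT_DESC.get(n, f"alert_{n}"))
    return ("other", f"lib={lib} reason={reason}")


def parse_alert_record(record):
    """Plaintext alert record: type(1) version(2) length(2) level(1) desc(1)."""
    if len(record) < 7:
        raise ValueError("truncated TLS record")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext alert record")
    return decode_alert(record[5], record[6])


if __name__ == "__main__":
    print(decode_curl_alert(561))              # value from the curl trace
    print(decode_openssl_error("0A000419"))    # value from the curl trace
    # Constructed sample: the bytes such an alert would have on the wire
    print(parse_alert_record(bytes.fromhex("15030300020231")))
```

Capturing the same handshake on both the WiFi and mobile paths and comparing which side of the connection the alert record arrives from is the direct way to see where the rejection originates.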

What URLs are you using to connect to home assistant from the inside and the outside? You can use xxxx on the hostname, but please be specific on the rest, including any port numbers appended after the URL.

exx, thanks for your help. But I was 99% certain this is due to the mobile phone network operator blocking the duckdns.org address. So I’ve given up on that and just gone for the Let’s Encrypt addon (no duckdns) with my own domain name. And everything now works fine.

I will need to write a simple bash script to implement my own dynamic dns solution. But that seems much more reliable in the long-term than relying upon what ISPs may or may not permit in terms of duckdns.org in the future.

I’m having the exact same issue - 0A000419 when using a mobile ISP.

Are you able to share the script you used to make it work with your own domain? Thanks.

Hi, I essentially used this one: https://james.pawsforthorpe.co.uk/posts/2019/12/route53-dynamic-dns.html.

To make this work you will need an aws account and your own top level domain you can hang the HA sub-domain off. But luckily I already had these.

Subdomain? What Subdomain?

I’d be HOPPIN mad if my isp - mobile or otherwise - was filtering traffic, and would switch to a different one immediately. But maybe that’s just me loving freedom.

2 Likes

Resolved for me by using Nginx Proxy Manager