Problem with remote login after router change

Hi,
Today I changed from a Fritzbox to a Unifi Security Gateway. Everything is working fine except for the remote access of my HA instance. The DuckDNS add-on is still running without errors and has already reported the new IP address which I received from my ISP after the router swap. However, when I try to access my HA instance from outside of my home network, it doesn’t allow me to do so and tells me “An SSL error has occurred and a secure connection to the server cannot be made”. I have configured the port forwarding exactly as on my old router: Port 443 -> Port 8123 of my Raspberry Pi running HA. Do I have to renew the certificate because of the router change? Or any other ideas what might cause the problem?
Thanks and regards

I can see these questions getting asked more and more as the mesh Wi-Fi market grows…

Port forwarding is all about inbound connections from the WAN (internet) to the LAN (your network), so outbound is not affected by port forwarding. So the above is invalid, as the DuckDNS plugin is making outbound calls to the DuckDNS server, NOT vice versa.

So you are trying to access port 443 on your WAN IP (public address) via DuckDNS (DNS server), which can only see the WAN IP, which is part of your modem's network.

However, I imagine your Pi is on your Unifi network, not your modem's network. So how can DuckDNS see your Pi if it is not on your modem's network but on the Unifi LAN?

DOUBLE NAT
Inbound connections come through the NAT, so a DuckDNS 443 request will hit your modem, and your modem must port forward that traffic to a LAN IP address. So under your NAT settings, or close to it, port forward 443 to your Unifi router. Now all 443 traffic heads straight into the hands of the Unifi’s NAT.

In your Unifi admin area port forward 443 to your Pi. Now you have rules for 443, hit modem via WAN > go to Unifi IP > go to Pi IP then HA can deal with the rest.

PS: In your modem, make sure your Unifi router has a static IP, otherwise it will change on the next reboot.

First of all, thanks for the quick reply! I’m not running Double NAT. The USG has a public IP directly from the ISP, just as my old Fritzbox did. And when trying to access the HA instance with the duckdns url, it can make a connection to HA on the Raspberry Pi, which I can see because Lovelace starts to load but then terminates with a screen showing the HA symbol and says “Unable to connect to Home Assistant” with a RETRY link underneath. Once I click retry, Firefox says that the page failed to load because it didn’t comply with the network protocol. In the iOS app it fails to load and says “An SSL error has occurred…”. So this is not a problem of not being able to reach the Pi from outside but some problem when trying to load Lovelace.

I also just updated the certificates with the duckdns add-on which went perfectly fine. So this also does not seem to be the problem.

No. A certificate doesn’t care what your public IP address is. It doesn’t even know what an IP or router are. It’s simply associating a domain name with a valid certificate.

This could be a simple cache on your device, and doesn’t necessarily mean it’s actually connecting.

Check your firewall. On Ubiquiti devices there is a firewall and NAT. 2 separate pieces.

I did get it to work so I can connect via HTTPS from inside and outside. The only thing that isn’t working yet is my NGINX setup so that I can still access HA via HTTP from my local network.

Why not use nginx for your reverse proxy, let it handle the certificate, and you can use local http and remote https?

That’s what I just did. My initial error was that I forwarded port 443 to port 8123 on my Pi, which of course doesn’t make sense when running a reverse proxy. Now, with port 443 forwarded to port 443 on the Pi running NGINX and HA, it is working as before.
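
An added example, not written by anyone in this thread: a small Python check of what a port-forward target actually speaks, separating the cases discussed above (a forward to a plain-HTTP listener, a working TLS listener, a closed or firewalled port). The function names and the addresses in the `__main__` block are assumptions, as is the setup of NGINX terminating TLS on 443 with HA answering plain HTTP on 8123.

```python
import socket
import ssl


def classify_port(host, port, timeout=3.0):
    """Return 'tls', 'plain-http', 'closed' or 'unknown' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or timed out
    # Certificate verification is off: this checks the protocol only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError, timeouts and resets are all OSError
        raw.close()
    # No TLS handshake, so see whether the listener answers plain HTTP.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


def check_forward_target(host, port):
    """Say what an HTTPS client would get if WAN 443 were forwarded here."""
    kind = classify_port(host, port)
    verdict = {
        "tls": "OK: listener speaks TLS, suitable target for the 443 forward",
        "plain-http": "MISMATCH: plain HTTP listener, HTTPS clients get an SSL/protocol error",
        "closed": "CLOSED: nothing listening, or a firewall rule drops the connection",
        "unknown": "UNKNOWN: port is open but spoke neither TLS nor HTTP",
    }[kind]
    return kind, verdict


if __name__ == "__main__":
    # Assumed address and ports; replace with the Pi's LAN IP.
    for port in (443, 8123):
        print(port, *check_forward_target("127.0.0.1", port))
```

Run it from a machine on the LAN against the Pi's address; the port that reports `tls` is the one the router's 443 forward should point at.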