Remote access (Duck DNS, letsencrypt)

Hey there!
Working on remote access on hass with https://www.home-assistant.io/addons/duckdns/
I’ve installed the Duck DNS addon; here is the config:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "••••••••",
  "domains": [
    "Mydomain.duckdns.org"
  ],
  "seconds": 300
}

Next I wrote in configuration.yaml:

http:
  base_url: https://homefortest.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Then I’ve sent port 443 to 8123 and to the local IP of HA.
Then I tried to open Mydomain.duckdns.org and got nothing there.
Where am I wrong now?

Upd:
Found this

The developer tool menu is at the bottom of the left-hand menu panel in Home Assistant. Choose the ‘i’ in a circle. Or check the home-assistant.log (same folder as your YAML files).

Thank you, got “http” two times. Now I fixed it and rebooted the system and can’t open the HA local page. Tried to put https and then the IP but Chrome said that it’s unsafe.
Any advice?

This is expected behaviour. The Let’s Encrypt certificate is for your DuckDNS address, not your local one. So you can:

  1. Add a certificate exception in Chrome for your local network IP address, or
  2. Visit the DuckDNS address.

For anyone unsure how to do this, like I was :wink:, go here and enable it…

chrome://flags/#allow-insecure-localhost

Hmm that’s not working for me because my HA instance is not on the PC I am browsing from.

I just click on “Advanced” on the warning page and then “proceed”. Chrome will remember until you clear your cache.

I tried to open the duckdns address and failed. Nothing pops up. “ERR_CONNECTION_REFUSED”

Here are logs (repeats again and again):
“2018-06-01 16:06:30 ERROR (SyncWorker_8) [homeassistant.core] Error doing job: Task was destroyed but it is pending!”

Apparently, smth is wrong…

Ah, my mistake. Perhaps you can explain further what you’re referring to then.

The way you’ve done it above only lasts five days, hence why a simple permanent solution would be nice.

I tried to comment out ssl (# ssl_certificate: /ssl/fullchain.pem; # ssl_key: /ssl/privkey.pem) and the system is working as before. Maybe the mistake is there?

Hey, should ssl be “ssl_certificate: /ssl/fullchain.pem”? Shouldn’t I get some unique number or smth? If yes, where should I get it?

Found this on others config:

http:
  api_password: !secret http_password
  ssl_certificate: !secret http_certificate
  ssl_key: !secret http_key
  trusted_networks: !secret trusted_networks
  ip_ban_enabled: True
  login_attempts_threshold: 5

So where should I find secret http_certificate and _key?
I mean, I know it’s in secret.yaml, but I do not have a key and certificate to put there.

Follow this to the letter.

Did everything again from the start.
Now HA continues working after reboot (with changes in config) from the local IP.
I see this in duckdns logs:

starting version 3.2.4
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Sat Jun  2 13:06:37 MSK 2018: OK
37.147.100.200
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing ***.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 31 08:53:08 2018 GMT (Longer than 30 days). Skipping renew!

Still can not get HA from https://***.duckdns.org

Tried https://***.duckdns.org:8123, but of course it didn’t work.
Then tried a bunch of variations in the configuration file (writing base_url with “https”, without, with “:8123” and without…)

The only thing that I did not like in your guide was restarting the system on the final step. There is no way to do it through Hass.io; I had to restart the service from configurations.

The way you restarted is fine. That guide was written for an old version of HA.

Let’s check if your internet service provider uses CGNAT, which would be a problem. Log into your router and make a note of your WAN IP address. Go to your duckDNS setup page (where you copied the token from) and check what it thinks your WAN IP address is (listed under “current IP”). Do they match? If not, you need to speak to your ISP about getting a normal dynamic IPv4 address that is not CGNATed.

Assuming that the IP addresses did match, the next thing to check is if your router supports NAT loopback. Can you access your HA frontend by visiting the yourdomain.duckDNS address from outside your local network? E.g. turn the wifi of your phone off and use your carrier’s data network rather than your home network to try to access the HA frontend (using the iOS app or a web browser) via duckDNS.
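
The WAN-address comparison described in the reply above, as an added example that is not part of the original thread: it classifies the router's WAN address and compares it with the "current IP" shown by DuckDNS. The function name `diagnose` and the sample addresses (taken from documentation ranges) are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means the router is behind another NAT.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

ADVICE = {
    "cgnat": "WAN address is in 100.64.0.0/10: the ISP uses CGNAT, port forwarding cannot work.",
    "double-nat": "WAN address is private: the router sits behind another NAT device.",
    "mismatch": "WAN address differs from what DuckDNS sees: traffic is translated upstream.",
    "ok": "Addresses match and are public: look at port forwarding and NAT loopback next.",
}


def diagnose(router_wan_ip, duckdns_current_ip):
    """Compare the router's WAN IP with the IP DuckDNS reports.

    Returns one of the keys of ADVICE. Raises ValueError on malformed input.
    """
    wan = ipaddress.ip_address(router_wan_ip.strip())
    seen = ipaddress.ip_address(duckdns_current_ip.strip())
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in PRIVATE_NETS):
        return "double-nat"
    if wan != seen:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN IP, DuckDNS "current IP").
    samples = [
        ("100.72.14.9", "203.0.113.7"),
        ("192.168.1.2", "203.0.113.7"),
        ("198.51.100.4", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, seen in samples:
        verdict = diagnose(wan, seen)
        print(f"{wan:>15} vs {seen:<15} -> {verdict}: {ADVICE[verdict]}")
```
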



Even in HA
If we are talking about this, so it matches.
I’ve already tried to connect through my phone out of the local network, and I failed. Anyways, tried it one more time - nothing better. Is there another way to check NAT loopback?
Thank you for help anyways

Look up your router specifications.

Here is my router config.
Seems like I do have it, as I forwarded the port there.

That’s got nothing to do with NAT loopback.

«ERR_SSL_PROTOCOL_ERROR»
Now Chrome writes that smth is wrong with safety. If this makes sense. Will read about NAT loopback later and try to make things work. If there is any advice - please write.

Unfortunately, there is no NAT loopback on my router… Are there any ways to make things work?
As I understand, if there is no NAT loopback, I can’t open HA from the local network. But I can’t even open it from my phone, which is out of the local network.