Remote Access using a FritzBox & the AVM myFritz DDNS Service

Info, because I had this problem and want to remember it :sweat_smile:.

When you have a MyFRITZ and/or a DynDNS setup directly on the FritzBox, port forwarding via e.g. Nginx Proxy Manager will always end on the FritzBox login page until you remove them and update the DynDNS via another machine or a Home Assistant integration (DuckDNS add-on). IPv6 doesn't support NAT.

Edit: On DuckDNS you can maybe update only the IPv4 address:
Update-URL:
IP v4 only:
https://www.duckdns.org/update?domains=&token=&ip=
IP v6 only:
https://www.duckdns.org/update?domains=&token=&ipv6=
IP v4 + v6:
https://www.duckdns.org/update?domains=&token=&ip=&ipv6=

I don’t understand how this relates to my original post. If you follow my steps above it should work. Did you use the correct Nginx add-on?

Yes I was just reading too fast.

Hi There,
I’m stuck already on II. Certificates!

  1. I set up my FritzBox with port 8001

  2. installed Let’s Encrypt add-on

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[10:29:39] INFO: Selected DNS Provider: null
[10:29:39] INFO: Use propagation seconds: 60
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
> certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Anyone who can help me with the error message:

certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey

:slight_smile:

Did you configure port forwarding for port 80? See step II.4.

I can’t get it to work. I’m not sure whether it has something to do with my FritzBox or HA settings. Will share my settings so hopefully others can profit as well.

Step I 1 to 3: worked fine.

Step I 4: Can’t ping xxxxxxxxx.myfritz. net with my phone (mobile data). Also tried https:// xxxxxxxxx.myfritz. net:63465 without luck. Under Internet → MyFRITZ!-Konto I checked “MyFRITZ! für diese FRITZ!Box aktiv“, „Internetzugriff auf die FRITZ!Box über HTTPS aktiviert“ and „Zertifikat von letsencrypt.org verwenden (empfohlen)“.

Step II 4: Port forwarding for HTTP is set to port 80 internal and external. For HTTPS I cannot set the external port to 8123 and it automatically sets it to 443 (default). Anyway, it should work with just HTTP being set.

Step II 5: I get the following log in Let’s Encrypt:

[12:51:12] INFO: Selected http verification
[12:51:12] INFO: Detecting existing certificate type for xxxxxxxxx.myfritz. net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[12:51:15] INFO: No certificate found - using ‘ecdsa’ key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxxxxxxxx.myfritz. net

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: xxxxxxxxx.myfritz. net
Type: connection
Detail: 2a02:9x8:f00x:fx::1279: Fetching http:// xxxxxxxxx.myfritz. net/.well-known/acme-challenge/A5LiWJEMIT1sr9DocoOGSNVBgAwP6kkfW9Z_UVuEirQ: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

FRITZ!Box 6591 Cable is the router I use.

What am I doing wrong? Has it something to do with IPv6? Do I need Dual Stack?

Does your cable internet provider give you a public IPv4 address? Check this first. If not, you might be able to request one from your provider.

Second, you do not need to enable HTTPS access to your router unless you need it for some other purpose.

Hello everyone, and thank you for your very useful advice. Regarding this procedure, I always have the problem that I cannot get Let's Encrypt to produce a certificate. I have followed the guide scrupulously step by step but nothing, I get stuck at Step 2. I've tried port 80 and port 8001 too.
Please help me!

Let's Encrypt log:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: t6ufraaabum04ol.myfritz.net
Type: connection
Detail: 2001:9e8:20a:585:3a0:d5ff:fed:5033: Fetching http://t6ufraaabum04ol.myfritz.net/.well-known/acme-challenge/EMA5pe09ijDQQRX4qz2K1D0sW3PrnE4TdlRD8CfBUkE: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Let's Encrypt YAML:

domains:

Screenshot 2024-04-10 085146

Question: why is there no IP address shown in the second screenshot? Did you remove it or is it empty?
Second, please remove keytype: rsa from the Let’s Encrypt configuration. This has recently changed in the add-on. I will update the instructions above to reflect that.

BTW: Is t6ufraakaum04ol.myfritz.net your real domain name? If yes, it’s not a good idea to make it public. Use a fake domain instead.

EDIT: Let’s Encrypt add-on config update done.

Yes, I deleted the IP of my Home Assistant.

OK, I will remove the keytype line, thanks for the advice.

The myfritz address is not real, I have modified it.

I removed the line you told me to; the result has changed but it still doesn't work.

[00:06:39] INFO: Selected http verification
[00:06:40] INFO: Detecting existing certificate type for xxxxxxxxxxxxxxx.myfritz.net:28247
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[00:06:41] INFO: No certificate found - using ‘ecdsa’ key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

That means certificate creation does not work. This is usually the case when the add-on is not reachable from the internet. Either port forwarding or DDNS is not working or you are using DS-Lite. Which type of Internet connection do you have? DSL, cable, fiber?
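The failure patterns in the logs posted in this thread can be told apart mechanically; the following is an added example, not code from the thread or from the Let's Encrypt add-on. The sample logs are constructed (placeholder domain, documentation-range addresses, plus the redacted address form posted above), and the finding names and hint texts are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the log excerpts in this thread; the domain
# is a placeholder and the addresses come from documentation ranges.
SAMPLE_V6 = """Domain: example.myfritz.net
Type: connection
Detail: 2001:db8::1279: Fetching http://example.myfritz.net/.well-known/acme-challenge/TOKEN: Error getting validation data
"""
SAMPLE_V4 = SAMPLE_V6.replace("2001:db8::1279", "192.0.2.10")
SAMPLE_REDACTED = SAMPLE_V6.replace("2001:db8::1279", "2a02:9x8:f00x:fx::1279")
SAMPLE_NULL_DNS = """[10:29:39] INFO: Selected DNS Provider: null
certbot: error: unrecognized arguments: --null --null-credentials /data/dnsapikey
"""
SAMPLE_PORT = "[00:06:40] INFO: Detecting existing certificate type for example.myfritz.net:28247\n"

# Hypothetical finding names with what each one tells the operator.
HINTS = {
    "dns-provider-null": "DNS challenge selected without a provider; certbot got '--null'.",
    "domain-contains-port": "The domains: entry carries a port; use the bare hostname.",
    "validated-over-ipv6": "The CA connected to the AAAA address, so the IPv4 port-80 forward was not in the path.",
    "validated-over-ipv4": "The CA connected over IPv4; check the port-80 forward and DS-Lite.",
    "validation-address-unparseable": "Address is redacted or malformed; IP family unknown.",
}


def triage(log: str) -> list[str]:
    """Return the finding names (keys of HINTS) that apply to one add-on log."""
    findings = []
    if "Selected DNS Provider: null" in log:
        findings.append("dns-provider-null")
    m = re.search(r"certificate type for (\S+)", log)
    if m and re.search(r":\d+$", m.group(1)):
        findings.append("domain-contains-port")
    # The CA's error names the address it actually connected to.
    for m in re.finditer(r"^Detail: (\S+): Fetching http://", log, re.M):
        try:
            version = ipaddress.ip_address(m.group(1)).version
        except ValueError:
            findings.append("validation-address-unparseable")
            continue
        findings.append(f"validated-over-ipv{version}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_V6, SAMPLE_V4, SAMPLE_REDACTED, SAMPLE_NULL_DNS, SAMPLE_PORT):
        for name in triage(sample):
            print(f"{name}: {HINTS[name]}")
```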

I have a DSL connection. Ping with my smartphone on 4G works, but I don't understand why I can't get a certificate from Let's Encrypt…

Where does port 28247 come from?

The FritzBox automatically allocates it when I activate the myfritzbox account.

It looks like the domain name configured in the Let’s Encrypt add-on includes this port. But the YAML you posted above does not. Can you please check? Post your YAML again but use the quote format for the text.
Which DSL provider are you using?

My provider is 1&1. Sorry, but what do you mean by “quote format for the text”? Thank you

Please first check if 1&1 provided you with DS-Lite. If yes, you do not have a public IPv4 address. If this is the case you can ask them to provide you with full DS. With DS-Lite you cannot use IPv4 port forwarding.

Okay, I’ll check it out. :+1:

So I talked to the 1&1 service department and they told me that I have a Full DS.
I am attaching 2 screenshots to see if I am screwing something up in the settings. Thanks for the help