Remote UI errors

Every time I use the Remote UI I get these errors:

2019-03-28 12:09:00 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error in data received
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)
2019-03-28 12:09:02 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed

How to fix?

It would be helpful if you could provide more information, as the error message you’ve posted is a handshake error that could have numerous sources as I understand it:

  1. Are you running hassio / HomeAssistant? In what environment (docker, linux, venv, windows, …)?
  2. Is the server behind a firewall? Is the client?
  3. If a firewall is in the mix, is there MITM HTTPS inspection in use?
  4. Are you testing from one client and one network only, or multiple clients and networks?

OK, some more info:

  1. Home Assistant on hassbian (raspberry Pi3)
  2. No firewall
  3. Tested on Chrome (macOS and Android mobile)

Just another question:
Having configured duckdns, is the remote UI an alternative to duckdns or am I forced to run one or the other?

I never used the duckdns approach myself as I’m still refining our system. I just used VPN for remote access until the remote UI came online.

Something seems to be preventing your SSL handshake completion - I saw plenty of those errors when dealing with Fortigates’ ropey TLS 1.3 implementation on their firewalls for HTTPS inspection.

Assuming you are on the latest release (90.2), I’d personally try to disable / otherwise remove duckdns from the equation as part of troubleshooting. However, without direct experience of duckdns I don’t know how tricky that is to do cleanly.

This is information that would have been helpful from the start.

When you say “Remote UI”, what exactly are you talking about? https://domain.duckdns.org:8123?

I am talking about the new remoteUI feature in HA 0.90.

From the Cloud component? Nabu casa?

Yes that’s right.

I guess that it is not one way or another and that you can have them both, but the cloud service is best used by people who do not want to expose their HA to the internet directly.

So, by using a cloud service they can remotely access their HA without having to open ports, arrange DNS and SSL certificates.
In addition, you can connect the cloud directly with other online services (e.g. Amazon Alexa, Google Assistant, etc.). This means you do not need to configure any of those in the HA, and by connecting to the cloud on a new HA installation it will get all those services up and running.

Even though all the above are nice and easy, I personally am a bit of a maniac about privacy & security. I have the time and the tech knowledge to set them up myself (everything’s very easy and well instructed in here, anyway) and I prefer to have control of my data and connections, so I won’t use the cloud service yet.

Using a custom DNS (DuckDNS in your case) with SSL (TLS) configured correctly (LetsEncrypt in your case?), you have encrypted remote access to your HA with the data read only by you and your system.
Using the cloud it is not going to be possible to avoid MITM attacks (source).

In order to be able to connect you need:

  • An account
  • You MUST NOT use 127.0.0.1 nor ::1 as trusted_networks in your http: configuration.
  • You MUST NOT use ip_ban_enabled because the remote connection will be banned as a whole. This makes your exposed DuckDNS more vulnerable to attacks.

That should be enough.


Thanks, very good explanation…

I used to get SSL handshake fail errors also; there is an issue about it on GitHub:

https://github.com/home-assistant/home-assistant/issues/17639

A few people have suggestions on how to fix it, namely using nginx.

I am using nginx as well.
So, I have never met that issue…
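
An added example, not part of the thread: a small Python helper that triages the kind of log shown in the first post by separating TLS alerts sent by the remote peer from failures detected on the Home Assistant side. The sample log is constructed (its first entries mirror the post, the `WRONG_VERSION_NUMBER` entry is invented for contrast) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first entries mirror the log in the first post;
# the 12:15:41 entry is invented to show a locally detected failure.
SAMPLE_LOG = """\
2019-03-28 12:09:00 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error in data received
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)
2019-03-28 12:09:02 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
2019-03-28 12:15:41 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error in data received
Traceback (most recent call last):
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056)
"""

# "<date> <time> <LEVEL> (<thread>) [<logger>] <message>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \([^)]*\) \[[\w.]+\] (.*)$")
# Final traceback line of ssl.SSLError and its subclasses
SSL_ERR = re.compile(r"^ssl\.SSL\w*Error: \[SSL: (\w+)\]")
# OpenSSL reason names of this form report an alert *received* from the peer,
# i.e. the other end of the connection rejected the handshake.
PEER_ALERT = re.compile(r"^(SSLV3|TLSV1|TLSV13)_ALERT_")


def triage(log_text):
    """Return one record per log entry whose traceback ends in an SSL error."""
    records, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = {"time": entry.group(1), "message": entry.group(2)}
            continue
        err = SSL_ERR.match(line)
        if err and current:
            reason = err.group(1)
            origin = "peer" if PEER_ALERT.match(reason) else "local"
            records.append({**current, "reason": reason, "origin": origin})
    return records


def summary(records):
    """Count occurrences per (origin, reason) pair."""
    return Counter((r["origin"], r["reason"]) for r in records)


if __name__ == "__main__":
    for (origin, reason), count in summary(triage(SAMPLE_LOG)).items():
        print(f"{count:3d}  {origin:5s}  {reason}")
```

A `peer` origin means the connecting side sent the alert, which points troubleshooting at the client or anything between it and the server that handles the certificate.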