SSL not working after IP change

I’ve been pulling my hair out the past couple of hours, as far as that is still possible. I need a hand, regarding a network connectivity after my cable modem has been set into bridge mode.

Here’s my config

  • Home Assistant running in a Docker container on a Raspberry Pi 4
  • Connected to a Mikrotik Routerboard RB2011
  • DuckDNS domain
  • Letsencrypt SSL on the host of the Raspberry Pi
  • Certificate Expiry integration is installed in HomeAssistant
  • My Mikrotik router refreshes the IP address at DuckDNS by means of a script

Here’s what happened
Everything was working fine until:

  • I switched my cable modem into bridge mode
  • This resulted in a change in external IP address
  • No longer a dual NAT situation. My router now holds the external IP address

Status

  • The HA app on my mobile phone no longer connects
  • On the local network, connecting to xxx.duckdns.org fails
  • Connecting to https://<hass.local>:8123 works, but with an error that the connection is not secure
  • The sensor sensor.cert_expiry_timestamp_xxx_duckdns_org shows ‘unavailable’

Here is what I did so far, that led to no results

  • Patience is a virtue, so I waited a bit for DNS servers to propagate the new IP address
  • Checked my IP address in the router. It was in line with what DuckDNS was expecting
  • Rebooted router, Pi and HomeAssistant in various order
  • Cleared the cache on the phone, the laptop and in the router
  • Specifically flushed the DNS cache in the router
  • Forced renewal of the SSL certificates
  • Upgraded to the latest HomeAssistant

Here’s what I did to debug

  • Removed the SSL entries (ssl_certificate and ssl_key) in configuration.yaml to check if unsecured access works. It did, so the routes in the router are OK. I can connect to http://xxx.duckdns.org:8123. The routes to port 443 are similarly setup as to port 8123.
  • Set the log level to debug, but no needle in the haystack

So my guess is that something is very much wrong with the secure connection, but I cannot figure out what it is. Somewhere in the back of my mind it says that it might be something obvious, but like I said: no hair left to pull out.

Any clues? Thanks a million!

Well, this is key. Did you check why? Wrong certificate?

Because the certificate is not for hass.local

It will unless your router supports NAT foldback (aka NAT loopback).

tl;dr You need to get xxx.duckdns.org to resolve to the local IP address of your hass instance.

Thanks for thinking along, Nick.
I understand that for a local connection, the certificate is not valid. That was just to make sure that I had a website up and running and responding to requests.

My router supports NAT loopback (hairpin).

As said, I suppose all my router connections are working correctly. Last night I disabled SSL in configuration.yaml and that works fine when connecting to port 8123. The problem seems to be in the certificate.

Thanks @nickrout and @koying for thinking with me. I found the problem. The Homeassistant webserver does not serve out the secure connection on port 443, but on 8123. The modem that I used was actually a router and when I switched that into bridge mode, it also lost all its port forwards.

My other router also does port forwarding (and NAT translation), but the mapping from 443 to 8123 was already done in the cable modem / router. So when that one was removed, the secure connection got lost.
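A small probe, added here and not part of the thread, that separates the three things this thread had to untangle: does the DuckDNS name resolve, is 443 forwarded to Home Assistant's 8123, and does the certificate actually match the name. HOST is a placeholder taken from the thread; the port pair and the error wording are my assumptions.

```python
import socket
import ssl

HOST = "xxx.duckdns.org"   # placeholder name from the thread; use your own
PORTS = (443, 8123)        # 443 should be forwarded by the router to HA's 8123


def probe(host, port, timeout=5.0):
    """Check DNS, TCP reachability and TLS certificate validity for host:port."""
    r = {"port": port, "resolved": None, "tcp": False, "tls": False, "verify": None}
    try:
        r["resolved"] = socket.gethostbyname(host)
    except socket.gaierror:
        return r
    try:
        with socket.create_connection((r["resolved"], port), timeout=timeout) as raw:
            r["tcp"] = True
            ctx = ssl.create_default_context()  # verifies chain and hostname
            with ctx.wrap_socket(raw, server_hostname=host):
                r["tls"] = True
                r["verify"] = "ok"
    except ssl.SSLCertVerificationError as e:
        r["tls"] = True            # handshake got a certificate, but it failed checks
        r["verify"] = e.verify_message
    except (OSError, ssl.SSLError):
        pass                       # port closed/filtered, or no TLS on that port
    return r


def diagnose(results):
    """Map probe results to the failure modes discussed in the thread."""
    by_port = {r["port"]: r for r in results}
    if any(r["resolved"] is None for r in results):
        return "dns: name does not resolve; check the DuckDNS update script"
    p443, p8123 = by_port.get(443), by_port.get(8123)
    if p443 and p8123 and not p443["tcp"] and p8123["tcp"]:
        return "forward: 8123 reachable but 443 is not; restore the 443->8123 port forward"
    for r in results:
        if r["tcp"] and not r["tls"]:
            return f"tls: port {r['port']} answers but no TLS handshake; HA may be serving plain HTTP"
        if r["verify"] and r["verify"] != "ok":
            return f"cert: port {r['port']} presents a certificate that fails: {r['verify']}"
    return "ok: DNS, forwarding and certificate all check out"


if __name__ == "__main__":
    print(diagnose([probe(HOST, p) for p in PORTS]))
```

Run it from the LAN as well as from outside (e.g. a phone off Wi-Fi): the LAN run also exercises the router's hairpin NAT.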