Unable to open <myhomeassistant>.duckdns.org site after configuring letsencrypt

Need help in port forwarding.

Not able to access my homeassistant duck dns site after setting up port forwarding on my router. Whenever I type my site in the browser it takes me to the router page.

Settings under NAT=> Virtual Server

Protocol :: TCP ( Tried same settings with UDP also)
External Port : 443
Internal Port : 8123

Installed ssl certificates via letsencrypt

Updated Configuration Yaml with letsencrypt file under http:

api_password: !secret http_password
ssl_certificate: /etc/letsencrypt/live/.duckdns.org/fullchain.pem
ssh_key: /etc/letsencrypt/live/.duckdns.org/privkey.pem
base_url: .duckdns.org

I am able to ping the .duckdns.org from Raspberry Pi

Need help in debugging port forwarding issue.

Without installing Letsencrypt earlier I was able to access .duckdns.org:8123 port from external network

Why do you want to change it then? SSL does not require the usage of port 443, you can still use 8123 if you want.

Thanks Florian for the reply.

I tried with 8123 port. After adding the certificates to Configuration.Yaml file I’m not able to access my duckdns from outside network.
ssl_certificate: /etc/letsencrypt/live/.duckdns.org/fullchain.pem
ssh_key: /etc/letsencrypt/live/.duckdns.org/privkey.pem

My Home Assistant is configured as Virtual Env on top of Raspbian.

First make sure your custom duckdns url points to your current external IP.

If it does make sure you’ve configured your router to forward ext:8123 to <your_home_assistants_internal_host_ip>:8123 using tcp.

That should be enough to connect to your home assistant instance from the outside and don’t forget to use authentication before exposing your home assistant to the www :slight_smile:


How do I check whether the duckdns url points to my external IP or not?
As I mentioned earlier, I’m able to access the 8123 port from an outside network.
I followed the link below for letsencrypt. The issue is that I’m not able to access my duckdns link after adding the ssl keys to configuration.yaml. Also, I don’t see any error when I restart home assistant.
Guide: How to set up DuckDNS, SSL, and Chrome Push Notifications

Need some steps to debug the issue.

start with googling “my ip” from a computer that is connected to your router and google will tell you your router's public ip address.

try that address to access your home assistant instance from the outside e.g. by using your mobile phone.

lets assume google said your public ip address is 1.2.3.4 then you should try out the following addresses:
https://1.2.3.4:8123
http://1.2.3.4:8123
https://1.2.3.4:443
http://1.2.3.4:443
https://1.2.3.4:80
http://1.2.3.4:80

you may or may not get a security warning telling you that a certificate does not match the url. you can ignore that for the moment because you are trying to connect using the ip, not your duckdns address the let’s encrypt certificate was created for…

let us know the results.

Hi Florian,
Tried the way you suggested.
I’m able to connect to my home assistant with ->
http://1.2.3.4:443

Note: only after commenting out the below lines in configuration.yaml

#ssl_certificate: /etc/letsencrypt/live/.duckdns.org/fullchain.pem
#ssh_key: /etc/letsencrypt/live/.duckdns.org/privkey.pem
#base_url: .duckdns.org

I have tried after giving full permission to letsencrypt directory

drwxrwxrwx  9 root root    4096 Aug 29 06:08 letsencrypt
    drwxrwxrwx 5 root root 4096 Aug 19 15:27 renewal-hooks
    drwxrwxrwx 4 root root 4096 Aug 25 12:07 accounts
    drwxrwxrwx 4 root root 4096 Aug 28 18:06 live
    drwxrwxrwx 4 root root 4096 Aug 28 18:06 archive
   drwxrwxrwx 2 root root 4096 Aug 29 06:08 keys
   drwxrwxrwx 2 root root 4096 Aug 29 06:08 csr
   drwxrwxrwx 2 root root 4096 Aug 29 06:08 renewal

One thing that I see, your Base URL is wrong, should be “your_domain.duckdns.org”.
A question for you, are you running Just the DuckDNS add-On? Or both??
I’m running just DuckDNS only, and this is what I have in my config.yaml

http:
  api_password: !secret ha_api_pwd
  base_url: !secret ha_base_url1
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

sorry mine is the way you mentioned.

my_domain.duckdns.org

okay, so it will be port 443 once you got the certificate part working. I’d suggest you ask for help in the topic you’ve referenced as your guide. they might be able to help since I don’t create my certs that way.

Thanks Florian,

Could you please tell me steps to debug further or some other method to create ssl certificate.

In my homeassistant.log file I can see the error below:
[homeassistant.config] Invalid config for [http]: [ssh_key] is an invalid option for [http]
Check: http->http->ssh_key. (See /home/homeassistant/.homeassistant/configuration.yaml, line 53). Please check the docs at https://home-assistant.io/components/http/

it’s ssl_key (l, not h)

fix your config, re-enable ssl_certificate and ssl_key in your http config, restart home assistant and try to reconnect from the outside (https://your.duckdns.org).

Figured that out. It was ssh_key; I modified it to ssl_key.

It is working now. Thanks Florian for the regular replies to my queries.

Glad to see that it is finally working :slight_smile::+1:

Now connection works fine with external network. But couldn’t access my home assistant within the same wifi network.

I’m able to open the page but it failed for authentication

That depends on how you want to access home assistant internally. Everything but your duckdns url will return a browser warning. This is because your certificate is bound to your duckdns url.

You can either ignore the warning when using https://<internal.hass.ip>:8123 or try to configure your router to forward your duckdns url to your internal hass ip.

Hi!

Can someone help me? In the new version of DuckDNS it says that we only have to change a false to true to enable SSL. I already did that and enabled the port forwarding from the public port 443 to the internal port 8123 and the IP of my Raspberry, but I can't connect with SSL; my browser says that it is not secure.

The log output of duckdns in home assistant is this:

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[18:30:21] INFO: OK
MY PUBLIC IP
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing MY-DOMAIN.duckdns.org
 + Creating new directory /data/letsencrypt/MY-DOMAIN.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for MY_DOMAIN.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for MY-DOMAIN.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

This is what the browser says when I try to access via https://MY-DOMAIN.duckdns.org:8123

This site can’t provide a secure connection
MY-DOMAIN.duckdns.org sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

And Firefox shows the error: SSL_ERROR_RX_RECORD_TOO_LONG
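
Added example, not part of any post in this thread: a small Python probe that automates the manual http/https port tests suggested earlier and reports whether a port answers with TLS or with plain HTTP. Browser errors such as ERR_SSL_PROTOCOL_ERROR and SSL_ERROR_RX_RECORD_TOO_LONG typically mean the listener replied in clear text to an https:// request. The names `probe` and `start_plain_server` are hypothetical, and the local server is a constructed stand-in so the block runs offline.

```python
import socket, ssl, threading

def probe(host, port, timeout=5.0):
    """Classify what answers on host:port: 'tls', 'plain-http', 'unknown' or 'unreachable'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # closed port, wrong forward rule, or firewall
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # protocol check only: a by-IP probe never matches
    ctx.verify_mode = ssl.CERT_NONE   # the certificate name, so trust is not evaluated here
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"          # handshake completed
        except OSError:               # ssl.SSLError, reset or timeout: no usable TLS here
            pass
    try:                              # second attempt in clear text
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first = raw.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if first.startswith(b"HTTP/") else "unknown"

def start_plain_server(connections=2):
    """Constructed stand-in for an HTTP-only listener; returns its local port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_plain_server()
    print("127.0.0.1:%d ->" % port, probe("127.0.0.1", port))
```

A result of `plain-http` on the forwarded port means the server is not serving TLS there, so the http section (ssl_certificate and ssl_key) and the log are the place to look; `unreachable` points at the port forward instead.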