Using DuckDNS when Synology NAS is already using LetsEncrypt

Hi there,

I have my Synology NAS using LetsEncrypt and a custom port along with 443 pointing to the internal IP of the NAS. I’m using a Synology DDNS domain for this connection. This works great remotely.

I also have a Pi3 and today I added the DuckDNS add-on to Hass.io and registered a new domain with DuckDNS. I have port forwarded a custom external port on my router to 8123 and the internal IP of the Pi3. This seems to work fine as the certificate was issued when configuring the DuckDNS add-on.

When I add the config below though, not only do I lose access to the front-end internally, it is not accessible externally either. Should this just ‘work’ or do I need something like a reverse proxy as in this method: Using Let's encrypt certificate of Synology NAS?

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "0ccxxdbd-xxxx-49c4-afde-xxxxxxx7ecdf",
  "domains": [
    "mydomain.duckdns.org"
  ],
  "seconds": 300
}


starting version 3.2.4
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Thu Mar  8 13:54:09 NZDT 2018: OK
118.92.146.21
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing mydomain.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jun  5 21:56:34 2018 GMT (Longer than 30 days). Skipping renew!

http:
  # Secrets are defined in the file secrets.yaml
  base_url: https://mydomain.duckdns.org:myport
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  api_password: !secret http_password
  trusted_networks:
    - 127.0.0.1
    - 10.0.1.0/24
  ip_ban_enabled: True
  login_attempts_threshold: 5

It’s not immediately obvious why you would use a duckdns if your network already has an external IP address??? You might need to use the LetsEncrypt addon though on your Pi.

Your trusted networks will also not work - those are internal IP addresses and I bet you’re locked out. You will need to delete the banned IP file in config and delete the trusted networks as well.

Thanks for the feedback. Although I have an external (synology) domain, the certificates issued for this domain are on-board the NAS not accessible by the Pi3.

I’ve taken a different tack and used the reverse proxy on the Synology to route https traffic on a dedicated port to http://pi3ipaddress:8123. This leverages the Synology certificate on that Synology domain and allows connection to the front page of hass.io but alas, it won’t let me login. I had to add a forwarding rule for that dedicated port to the NAS IP to allow the reverse proxy to work.

I’ve removed the trusted_networks now too although that caused a problem with my Node Red HA add-on as it was always connected on localhost so 127.0.0.1 got banned.

I’m nearly there now but don’t know why I can't login when accessing hass.io from my external address and dedicated port even though the route is working.

here’s my config - did you remove the trusted section altogether?

http:
  # Uncomment this to add a password (recommended!)
  api_password: !secret http_password
  ssl_certificate: !secret ssl_cert_lets
  ssl_key: !secret ssl_key_lets
  ip_ban_enabled: True
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: !secret base_url_name

This way if you use an invalid API key you get locked out after 5 attempts. I think you’ll never have a local IP address logging in? Or is your redirect passing through the API key?

Not quite sure what you mean here. With my reverse proxy on the Synology NAS, I’m forwarding requests from https://mysynologydomain.me:9678 to http://pi3ipaddress:8123. A port forwarding rule in the NAS forwards port 9678 to the local NAS which I had to do to allow the proxy to work. So in theory, the Pi3 is seeing a local request for access as the request is coming in from the local IP and port?

I have no idea.
If I was doing this I’d be using mysynologydomain:8123 and forwarding 8123 to the Pi and using letsencrypt addon in hassio to get a certificate on the pi.
If you’re not seeing the frontend the way you are doing it there’s obviously something wrong. Hopefully someone here will be able to help…

This is all I have now in HTTP.

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  ip_ban_enabled: True
  login_attempts_threshold: 5

Thanks. I am seeing the front end, just won’t let me login and nothing is added to the ip_ban.yaml.

So when you see the frontend, you enter the API and nothing happens?
Is it HTTPS? That might be the problem if there’s no ssl on the Pi?

ah you removed ssl and the base url?

The reverse proxy is routing an HTTPS request to an HTTP request so the Pi3 is seeing a request on http://pi3ipaddress:8123. There is no certificate on-board the Pi and the ha config has not been told that either.

So I get this remotely:

Then this:

You will need to fix the reverse proxy config.

Thank you but that’s a bit beyond me. I’m using the native reverse proxy in the Synology NAS so reconfiguring that would be a real challenge (at least for me).

So why not use nginx reverse proxy? Is there something wrong with getting your hands dirty and learning? :wink:


Is that the hass.io add-on?

No, you can install it on your Synology. NGINX has nothing to do with hassio.

Thanks. With my blog and YouTube channel, I like to talk about how to do things that are super easy for Noobs to understand so I often give things a crack to see if there is an easy way of doing something. Configuring NGINX goes beyond that so I really appreciate your help but I’ll leave it at that.

Have you looked at this thread? Using Let's encrypt certificate of Synology NAS

I hand you a complete configuration for nginx and you say it’s too hard to configure?

What? You have to figure out how to install it? I don’t understand…

Thanks but the purpose for learning this is so I can blog about it for others that are starting out. Although I’m sure I could get it working, it’ll be in the too hard bin for most of my audience. I’ve also recently seen this Synology DSM – Reverse Proxy (Part 2) – Primal Cortex's Weblog that may be related to why the native proxy in Synology can work with the HA front-end? Would it be possible to modify the HTTP section to allow CORS from the proxy redirect?

Hi xbmcnut, I don’t know if you are still interested, but I’ve recently come across a solution to your problem. You need to add a websocket in the “custom headers” section, just when you are creating the entry for the reverse proxy. Take a look at this link.

https://www.home-assistant.io/docs/ecosystem/synology/

Hope it helps!
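For readers who take the nginx route suggested earlier in the thread, here is an added example (not from any post above or from the Home Assistant docs) of the reverse proxy the thread converges on: TLS terminated on the NAS with the Synology LetsEncrypt certificate, proxied to Home Assistant on the Pi, with the websocket headers that fix the login problem and the client-IP headers that keep ip_ban useful. The hostname mysynologydomain.me, port 9678 and pi3ipaddress are the thread's placeholders, and the certificate paths are assumptions.

```nginx
# Added example, not the thread's or the project's own config.
# Maps the client's Upgrade header to the Connection value nginx must send upstream.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 9678 ssl;                 # the dedicated external port from the thread
    server_name mysynologydomain.me;

    # Synology's LetsEncrypt certificate for this domain (paths are placeholders).
    ssl_certificate     /path/to/synology/fullchain.pem;
    ssl_certificate_key /path/to/synology/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://pi3ipaddress:8123;   # HA itself listens on plain HTTP on the Pi

        # The login page loads over plain HTTP/1.1, but logging in uses the websocket API.
        # Without these headers the upgrade is dropped and login silently fails,
        # which is exactly the symptom described in the thread.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Forward the real client address. Otherwise every visitor reaches HA from the
        # NAS's LAN address: trusted_networks covering the LAN would let external
        # visitors bypass the password, and ip_ban would ban the NAS (everyone) after
        # login_attempts_threshold failures by a single remote client.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For Home Assistant to trust those headers, its http section needs `use_x_forwarded_for: true` and, on current releases, `trusted_proxies` listing the NAS address; without that, ip_ban.yaml records the NAS IP rather than the remote client.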