I have tried everything and read/watched every possible guide (even one in French) but I CANNOT get connected after setting up DuckDNS. I can connect locally using https, I can ping my url (crazycats.duckdns.org) but it absolutely will not connect. My . yaml file is configured correctly, I have the SSL certs in their proper folder and I have both ports 443 and 8123 forwarded on my router. Nothing. Page times out and/or I get a cannot connect error. I’m running hassio on a pi 3, using a Mac, my router is Eero. Is there anyone who can tell me why this isn’t working and help me fix it??
Can you post your configuration.yaml (at least the http setup)
Try a different external port, some ISP’s block (reserve) 443.
http:
base_url: “https://crazycats.duckdns.org:8123”
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
I can try that, but when I scan ports 80, 443 and 8123, they all show as open.
Did you set any port forwarding on your router?
Did you routed port 443 to 8123 or only opend 443 and 8123?
Forwarded both to 8123. My scans only show as open, but I assume that means forwarded as well. Is there a sordid test that clarifies?
Whats you DuckDNS configuration?
Yes, I do.
My config is EXACTLY as the online guide shows. I have installed and deleted it 5 times with different domain names and even logging in with different email addresses but nothing works. It has to be set up because I can ping the url.
Do you have a separate router and cable modem?
If so, you’ll likely need to forward ports on BOTH.
My modem doesn’t have a built in router. Not even sure how I’d forward ports on it.
You cable modem might not have built-in WiFi, but it’s likely still a router.
What ISP do you use?
CableOne. I’m using an ARRIS SURFboard SB6141 modem that I purchased.
Yeah, that looks to not have any routing or firewall stuff baked in.
Have you tried any alternate ports in your configuration? e.g., http://example.com:444 or https://example.com:444
You don’t have a port forwarding problem. I can open a connection to crazycats.duckdns.org on port 443 and 8123, but nothing answers from the other end. Just for clarity, this means that the application (Home Assistant) is accepting the connection, but it never actually transmits anything.
I’d suggest that you look at the log file and see if anything useful appears. Perhaps there’s a reverse DNS look-up that’s being attempted by Home Assistant that doesn’t succeed?
I’m not sure what more specific suggestions to offer, as I do my HTTPS/TLS session termination with nginx and proxy to port 8123 with plain HTTP to talk to Home Assistant. That is, I don’t really have any experience with the TLS stack in Home Assistant.
louie@kzin[28] $ curl -v https://crazycats.duckdns.org/foo
* Trying 24.117.204.199...
* TCP_NODELAY set
* Connected to crazycats.duckdns.org (24.117.204.199) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /opt/local/share/curl/curl-ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
^C
louie@kzin[29] $ openssl s_client -connect crazycats.duckdns.org:443 -debug
CONNECTED(00000003)
write to 0x7f9034f00bf0 [0x7f9036001e00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 88 b8 25 ee ca ..../...+....%..
0010 - 02 6a 7d 70 fb 30 51 c1-ec 38 de a0 03 4c d8 9c .j}p.0Q..8...L..
0020 - a1 45 00 c4 f1 05 b8 b0-0b 48 46 00 00 ac c0 30 .E.......HF....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10 ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 ff 02 01 00 00 55 00 ..............U.
00e0 - 0b 00 04 03 00 01 02 00-0a 00 1c 00 1a 00 17 00 ................
00f0 - 19 00 1c 00 1b 00 18 00-1a 00 16 00 0e 00 0d 00 ................
0100 - 0b 00 0c 00 09 00 0a 00-23 00 00 00 0d 00 20 00 ........#..... .
0110 - 1e 06 01 06 02 06 03 05-01 05 02 05 03 04 01 04 ................
0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 00 ................
0130 - 0f 00 01 01 ....
^C
louie@kzin[30] $ openssl s_client -connect crazycats.duckdns.org:8123 -debug
CONNECTED(00000003)
write to 0x7f848003f4b0 [0x7f8480805a00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 60 e2 a8 99 2b ..../...+..`...+
0010 - 7b 92 7a 9c 38 73 ff cc-68 9e a1 9e 98 b6 a2 80 {.z.8s..h.......
0020 - f8 61 75 85 b9 86 8e ec-69 0a 21 00 00 ac c0 30 .au.....i.!....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10 ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 ff 02 01 00 00 55 00 ..............U.
00e0 - 0b 00 04 03 00 01 02 00-0a 00 1c 00 1a 00 17 00 ................
00f0 - 19 00 1c 00 1b 00 18 00-1a 00 16 00 0e 00 0d 00 ................
0100 - 0b 00 0c 00 09 00 0a 00-23 00 00 00 0d 00 20 00 ........#..... .
0110 - 1e 06 01 06 02 06 03 05-01 05 02 05 03 04 01 04 ................
0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 00 ................
0130 - 0f 00 01 01 ....
^C
louie@kzin[31] $ openssl s_client -connect crazycats.duckdns.org:8124 -debug
connect: Connection refused
connect:errno=61
louie@kzin[32] $
Trying to connect to the wrong port yields an immediate TCP rest (“connectionr refused”).
I’m sure this is useful to someone, but it doesn’t help me:
Mon Jun 10 2019 18:49:56 GMT-0600 (Mountain Daylight Time)
Error doing job: SSL handshake failed
Traceback (most recent call last):
File “uvloop/sslproto.pyx”, line 500, in uvloop.loop.SSLProtocol._on_handshake_complete
File “uvloop/sslproto.pyx”, line 484, in uvloop.loop.SSLProtocol._do_handshake
File “/usr/local/lib/python3.7/ssl.py”, line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)
If you google search that error message, the first hit is https://github.com/home-assistant/home-assistant/issues/22625 . I’ve not read it in great detail, though there is one message https://github.com/home-assistant/home-assistant/issues/22625#issuecomment-485367459 that refers to an expired certificate?
An easy way to check is to do something like:
$ openssl x509 -text < /path/to/your/fullchain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e7:75:97:da:c5:05:05:d5:26:66:42:cb:6e:56:6d:f6:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: May 23 01:53:31 2019 GMT
Not After : Aug 21 01:53:31 2019 GMT
Subject: CN = foo.dom.ain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:da:d1:6d:06:a9:8f:1f:30:6d:27:9d:c7:28:
c7:64:33:37:2b:ef:c0:d6:64:05:91:f5:97:ce:1d:
[...]
which will show you the valid dates for your certificate. Or your browser can usually be coaxed into showing you information about the certificate used by the site your visiting…