#after a while of searching there's very
You scrolled through that lot pretty damn fast.
At first glance I'd say no, but ... 
It would be more useful if you'd tell us what your router make and model is
Thanks. You can pause the gif lol. xD I couldn't do it longer than 7s.
It's a Technicolor DGA0122
Looks like it's hit and miss with that brand
Options:
1. Don't do SSL directly in HA - move SSL to a proxy server and don't use SSL when at home
2. Replace the router
3. Set up a local DNS server on your network that resolves yourhost.example.org to the LAN IP
the problem with 1 is that then the app cannot connect locally (which is what happens currently) because it seems the app really wants a certificate.
2 is not an option tbh. Not looking to spend on that.
And 3, https://homeassistant.local doesn't count? Also, can I set that up from HA?
Then no, if you configure it correctly it's quite happy without SSL certificates involved
And it fails because (1)
You're doing SSL directly in HA, so, as with all things SSL, you have to use the hostname in the certificate to connect
If you connect by IP, or anything else, you get a verification failure
It was for a different reason
what would you recommend? Option 1 then? Is it safe enough to not care about SSL at home?
Yes
so, now how do I go about using a proxy server for the SSL? Will do a quick search first, but tbh I'm not too familiar with anything proxy
You use HAOS?
yep
There's an NGINX Proxy Manager (NPM) #add-ons-archived
ok, I think I have managed. I installed the NGINX add-on and set it up. I also replaced my manual DuckDNS setup in YAML with the add-on itself and set it up (I don't know why last time it forced me to do it manually). It seems to work, as I can connect using the DuckDNS URL.
Can I now delete the Letsencrypt addon? It's not even started and I just prefer to keep things clean.
Depends, do you have something else creating the certificates?
If you have the DuckDNS add-on doing it then sure
ok, didn't know DuckDNS itself did it.
It does, if you set it to do so
By default it won't
If you get it wrong then some time in the next 90 days you'll stop being able to remotely access HA 
xD cool, yeah I can see it's not currently doing it. Will check these extra options now so it does. I prefer one add-on to two.
Not really sure what I'm missing. AFAIK from the DuckDNS docs, enabling Let's Encrypt is just setting accept_terms to true. I did, but the log returns an error I don't understand.
Processing hassax.duckdns.org
- Creating new directory /data/letsencrypt/hassax.duckdns.org ...
- Signing domains...
- Generating private key...
- Generating signing request...
- Requesting new certificate order from CA...
- Received 1 authorizations URLs from the CA
- Handling authorization for hassax.duckdns.org
- 1 pending challenge(s)
- Deploying challenge tokens...
OK + Responding to challenge for hassax.duckdns.org authorization... - Challenge is valid!
- Cleaning challenge tokens...
OK + Requesting certificate... - ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/cert/03974da9aab24718f8080f4fad94fb600d3d (Status 400)
Details:
HTTP/2 400
server: nginx
date: Fri, 16 Dec 2022 17:21:05 GMT
content-type: application/problem+json
content-length: 173
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
replay-nonce: 371CvDmETwb1ZK0zSVWBBmFVLLT1rpVHca0M7i_k-KKZ72U
{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"20F6tzjQZMsNuvfJQnRwXtlHtlByvqHNVr2tvDkf677gJfg\"",
"status": 400
}
/usr/bin/dehydrated: line 737: 1: unbound variable
#add-ons-archived can help with the add-ons
ok, will try to solve that later. Assuming nginx is running fine, which looks like it, how can I connect locally without SSL? Atm if I go into http it still doesn't connect.
sorry @proud mauve, but I struggle to understand what's happening.
Here's what I currently think, but ideally would like confirmation I'm right.
- DuckDNS Add-on is creating a domain for me to access remotely, and with Let's Encrypt integrated, it's generating the certificate and renewing it.
- NGINX does some magic to validate the SSL from a proxy server, allowing unsecured traffic from local.
Correct?
If so, everything is set up fine now, no errors. I'm just missing how to access locally from http, as currently doesn't connect.
correct. Just http with the trusted proxies
thanks for confirming. Then, how do I access locally unsecured?
maybe I need to reboot?
well. I rebooted. Https is not connecting now. Http is working fine. Nginx and DuckDNS are running fine though. No error in their logs.
Now for https you have to use the DuckDNS hostname (and port), and you need to be not on your wifi
ahh, so even if I use the DuckDNS while in WiFi it will still redirect me through local, hence WITHOUT SSL. And that's why it's failing https from my laptop.
What?
I think you're confused
If you use "DuckDNS" while on your WiFi, it never worked - that's where this all started...
no, it worked just fine, with https
now it works only with http, not with https
using DuckDNS hostname
what did you mean with this then? not on your wifi
Then you didn't set up SSL correct in NGINX
I have set up cloud access to my HA, also from the app, and it works flawlessly using Let's Encrypt + DuckDNS. However, I cannot access it from the app if I try to add a local URL (it says certificate mismatch), and when accessing https://homeassistant.local:8123/ from my laptop it works but SSL is not enabled either (which I guess is what causes the app issue too).
This is where it all started, it sounded like your problem was that the hostname didn't work at home...
If it did work then your solution all along was to just use it
no. What didn't work was the LOCAL hostname. https://homeassistant.local:8123
DuckDNS hostname worked flawlessly.
got it, but I think I tried. Anyway, we're not there anymore.
rn both DuckDNS and local hostname work, but only http. Not https.
You need to configure NGINX to use the SSL certificate
hmm, I'd swear it's configured...
This is its yaml.
domain: hassax.duckdns.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
and the log looks all good without errors. The SSL files are in the SSL folder too.
The only custom thing in my configuration.yaml is this:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
tbh, as much as I'm checking, everything looks good following the NGINX instructions. :S
#add-ons-archived can probably help, I don't use the add-on, I've no idea how you configure it
ok, many thanks for all the help. You're always there mate.
oh, one more thing. Do I need to keep port 80 open to the internet in my router for the SSL? Or can I remove that?
I assume 8123 needs to stay forwarded for remote access.