External Access Nightmare - ISP Blocked Ports, DuckDNS, Letsencrypt

I’ve been trying for over a week to get external access to my NextcloudPi server. It took several days, multiple re-installs, ifconfig/dhcpcd/dhclient/iwconfig/.conf/letsencrypt rabbit holes and a call to my ISP tech support to find out that they have in fact blocked ports 80 and 443. It took so long because, for some reason, as long as I was on my wifi, my phones could connect successfully through my duckdns subdomain. They would lose access when I left the house.
I’ve successfully received an SSL certificate for my duckdns subdomain, as well as another domain I own that just points to the duckdns one, and I have my router forwarding 40443 -> 443 and 4080 -> 80. Both show open, according to yougetsignal. If I use nmap, it shows there is access through 40443 to my router.
BUT if I put the duckdns domain, with the port, into the android app, or try to connect through the mobile browser, I get an “SSL initialization failed” from the app (or no connection at all) and “this site can’t be reached” from a mobile browser.

I’ve also tried changing the apache port settings in 3 different files to match the external ports, and adjusted the port forwarding to match. That didn’t help either.

I’ve also tried with my own domain, pointing directly at my router through an A record and have the same problem.

Can someone explain what the heck is going on?

If you’re accessing your domain over port 40443/tcp which is redirected to port 443/tcp on your internet router, the general routing seems to work, except that you couldn’t access two different devices on the same port.

Disable your internet router access on port 443/tcp and make sure that you’ve set up a port forwarding for that port on your router to your Nextcloud server.

I’m not sure I understand what you are saying about the domain port. The router in my house is listening on port 40443 and redirecting it internally to the NextcloudPi on port 443.

Rule        External port  Internal port  Internal host
NextCloud   40443          443            192.168.1.XX
NextCloud1  4080           80             192.168.1.XX

Ah ok, I understood that you would see the web interface of your router if you access your domain using a web browser. I think in your case there are only two possible solutions left, because you cannot use the default “http-01” protocol (80/tcp) or the secure protocol “tls-alpn-01” (443/tcp) to let Let’s Encrypt verify your certificate.

  1. If you have full control over your DNS record and can automatically set a TXT record, you would be able to use the “dns-01” protocol (no inbound port required) for the verification process. Afaik, most DNS providers don’t allow setting such a record and additionally the setup is a little bit more complicated.

  2. You fetch your Let’s Encrypt certificate manually every 2-3 months and copy it to your server.

sudo certbot -d MYDOMAIN.duckdns.org --manual --preferred-challenges dns certonly

This is the command I used, and it does successfully generate me a certificate, which is confusing (because of my SSL issues).
Getting it set up involved doing the duckdns method of adding a TXT record, which is through a custom web address. I also changed a TXT record on my other domain and successfully registered a certificate that way, but it’s not set up in my Pi to accept that domain.
Even without an SSL certificate, shouldn’t I still be able to access my NextcloudPi server through the android app, but just without the extra security?

Thanks for the help so far.
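The reply above describes the dns-01 option and the command in this post runs it by hand, which means re-typing the TXT record at every renewal. The script below is an added example (not from this thread or from the NextcloudPi project) of automating that step as a certbot manual hook for DuckDNS: it sets the `_acme-challenge` value via the DuckDNS update URL, then clears it after validation. It assumes the DuckDNS update endpoint `https://www.duckdns.org/update` with `txt=` and `clear=true` parameters answering `OK`/`KO`, a token you export as `DUCKDNS_TOKEN` (placeholder), and the `CERTBOT_DOMAIN`/`CERTBOT_VALIDATION` variables certbot passes to manual hooks.

```python
#!/usr/bin/env python3
"""certbot dns-01 hook for DuckDNS (added example; run with a real DUCKDNS_TOKEN).

Assumed usage:
  export DUCKDNS_TOKEN=<your-token>           # placeholder, never commit it
  sudo -E certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook    "python3 duckdns_hook.py set" \
      --manual-cleanup-hook "python3 duckdns_hook.py clear" \
      -d MYDOMAIN.duckdns.org
"""
import os
import sys
import time
import urllib.parse
import urllib.request
from typing import Optional

DUCKDNS_UPDATE = "https://www.duckdns.org/update"   # assumed from the DuckDNS API docs


def duckdns_subdomain(domain: str) -> str:
    """Turn '_acme-challenge.mysub.duckdns.org' (or 'mysub.duckdns.org') into 'mysub'."""
    name = domain.lower().rstrip(".")
    prefix, suffix = "_acme-challenge.", ".duckdns.org"
    if name.startswith(prefix):
        name = name[len(prefix):]
    if not name.endswith(suffix):
        raise ValueError(f"{domain!r} is not a duckdns.org name")
    return name[: -len(suffix)]


def build_update_url(subdomain: str, token: str, txt: Optional[str]) -> str:
    """txt=<value> sets the TXT record; txt=&clear=true removes it (assumed API shape)."""
    params = {"domains": subdomain, "token": token}
    if txt is None:
        params["txt"] = ""
        params["clear"] = "true"
    else:
        params["txt"] = txt
    return DUCKDNS_UPDATE + "?" + urllib.parse.urlencode(params)


def call_duckdns(url: str) -> bool:
    """Send the update; DuckDNS replies with the literal body 'OK' or 'KO'."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        body = resp.read().decode("ascii", "replace").strip()
    return body == "OK"


def main(argv) -> int:
    action = argv[1] if len(argv) > 1 else "set"
    token = os.environ["DUCKDNS_TOKEN"]
    sub = duckdns_subdomain(os.environ["CERTBOT_DOMAIN"])
    if action == "set":
        ok = call_duckdns(build_update_url(sub, token, os.environ["CERTBOT_VALIDATION"]))
        # certbot does not wait for DNS propagation in manual mode; give the record a minute
        time.sleep(60)
    else:
        ok = call_duckdns(build_update_url(sub, token, None))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because no inbound port is involved, this works even with 80 and 443 filtered by the ISP; the certificate still only helps once the HTTPS port itself is reachable from outside.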

Ok, so I wiped the installation and started over and switched from duckdns to the domain name that I own (and can edit TXT records, etc.), cloud.mydomain.online.
Certbot grabbed the certification successfully, and DNSmasq is successfully routing my local computers to the NextCloudPi using the domain with the external port of 2443 (which is forwarded to 443 internally on the NCP), i.e. cloud.mydomain.online:2443.
Signal up and Nmap show the port is open, but I still can’t connect the android app, or from a browser from my phone when it is not on the same wifi.
I’ve triple checked everything according to this guide and can’t figure out what the problem is yet.

What am I missing?

I assume that you’re using the official DNS name of your server to access it over the wifi as well as over the internet, right? Due to the fact that you’re mentioning DNSmasq I assume that you use it locally to override the internet DNS resolution so that a local IP address is returned?
Have you double-checked that your mobile phone uses the local DNS for the name resolution and that a LAN ip address is correctly resolved instead of the internet ip address?

I’m using the Cloudflare DNS in DNSmasq, because it didn’t look like I have NAT loopback on my router.
If I run nmap on my desktop I get the public IP:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-01 09:26 MST
Nmap scan report for cloud.MYDOMAIN.online (199.XXX.XXX.XX)
Host is up (0.00067s latency).
rDNS record for 199.XXX.XXX.XX: ip-199-XXX-XXX-XX.MYISP.net
2443/tcp open powerclientcsf
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

When I run nmap on my android phone (on and off wifi), I get the same results.

If I SSH into the NCP and run the same nmap command, it comes back with the local IP for the NCP and says that 2443 is closed.

Hopefully this is useful to you, I’m really lost here.
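nmap only answers whether the port accepts a TCP connection; it says nothing about whether what answers is a TLS server with a certificate for the name the app asks for, which is the layer an “SSL initialization failed” message points at. The probe below is an added example (not from this thread or from NextcloudPi) that connects to a host and port with the same hostname verification a phone app or browser performs and reports which layer failed: name resolution, packets dropped, connection refused, a non-TLS answer, or a certificate that does not match. The host name, port 2443 and the hint wording are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Probe host:port over TLS and report which layer fails (added example).

Usage: python3 tls_probe.py cloud.mydomain.online 2443 [server_name]
"""
import socket
import ssl
import sys
from typing import Dict

# Plain-language meaning of each outcome, written for the port-forward scenario in the thread.
HINTS = {
    "ok": "TCP, TLS and certificate all fine; check the URL the app uses (https://host:port).",
    "cert_rejected": "A TLS server answered, but its certificate is for another name or not trusted.",
    "tls_handshake_failed": "Something answered but not with TLS: the forward may land on an HTTP port.",
    "timeout": "No answer at all: ISP filtering, missing port forward, or a firewall dropping packets.",
    "refused": "The host was reached but nothing listens there: forward target or port is wrong.",
    "dns_failed": "The name did not resolve: check the A record / DuckDNS update.",
    "network_unreachable": "No route to the address from this network.",
    "unknown": "Unexpected error; see detail.",
}


def classify_error(exc: BaseException) -> str:
    """Map a connection/TLS exception to the layer that failed (order matters: subclasses first)."""
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError, so check first
        return "cert_rejected"
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_failed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, socket.gaierror):
        return "dns_failed"
    if isinstance(exc, OSError):
        return "network_unreachable"
    return "unknown"


def hint_for(status: str) -> str:
    return HINTS.get(status, HINTS["unknown"])


def probe(host: str, port: int, server_name: str, timeout: float = 5.0) -> Dict[str, str]:
    """Connect with SNI=server_name, verify the chain and hostname like a browser, report."""
    ctx = ssl.create_default_context()   # system trust store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"status": "ok", "tls_version": tls.version() or "",
                        "subject_alt_names": ", ".join(sans)}
    except Exception as exc:  # every failure is classified, never hidden
        return {"status": classify_error(exc), "detail": str(exc)}


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "cloud.mydomain.online"  # assumed name
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 2443
    sni = sys.argv[3] if len(sys.argv) > 3 else target_host
    result = probe(target_host, target_port, sni)
    print(result)
    print("->", hint_for(result["status"]))
```

Run it from a network outside the house (mobile data) against the public name and external port, and once from the LAN against the NCP’s address and port 443. The two runs separate router-side problems from server-side ones: the OP’s nmap from the NCP itself reporting 2443 closed is expected, because 2443 only exists on the router’s WAN side and the Pi listens on 443.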