Dynamic DNS broken
-
I've been using a custom DuckDNS dynamic DNS entry for a few years, all been working fine. Recently I had trouble accessing my OpenVPN server on pfSense; when I logged into the Web GUI, it was because the cached IP address on the dynamic DNS was incorrect and red. I tried a save and update to manually force it, and I restarted pfSense. Neither helped get it to go green again.
Googled the problem, turned on verbose logging, and ran
clog /var/log/system.log | grep -i dns
and the result I got was
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): ((IP removed)) extracted from local system.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS (): running get_failover_interface for wan. found pppoe0
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _update() starting.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Sending request to: https://www.duckdns.org/update?domains=((removed))&token=((removed))&ip=((removed))
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _checkStatus() starting.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate
Further googling hasn't helped, any ideas on how to fix?
-
@jtjin said in Dynamic DNS broken:
Curl error occurred: SSL certificate problem: unable to get local issuer certificate
What version of pfsense are you using?
-
Latest Stable 2.4.X
2.4.3_1 to be precise.
-
The way I am reading that, it has a problem with the SSL cert not being validated? Unless I am reading it wrong?
-
I just did a curl from pfsense with -v to see the details of the https
curl -v https://www.duckdns.org
- Rebuilt URL to: https://www.duckdns.org/
- Trying 52.34.175.25...
- TCP_NODELAY set
- Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
- successfully set certificate verify locations:
- CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
- TLSv1.2 (OUT), TLS header, Certificate Status (22):
- TLSv1.2 (OUT), TLS handshake, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Client hello (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS change cipher, Client hello (1):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
- ALPN, server accepted to use h2
- Server certificate:
- subject: OU=Domain Control Validated; CN=duckdns.org
- start date: May 9 13:52:12 2018 GMT
- expire date: Jul 8 12:46:00 2019 GMT
- subjectAltName: host "www.duckdns.org" matched cert's "www.duckdns.org"
- issuer: C=US; ST=Arizona; L=Scottsdale; O=Starfield Technologies, Inc.; OU=http://certs.starfieldtech.com/repository/; CN=Starfield Secure Certificate Authority - G2
- SSL certificate verify ok.
Can you try that from your pfSense box?
-
@johnpoz
Mine has come out differently to yours:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Trying 10.10.10.1...
* TCP_NODELAY set
* Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1403 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
-
@jtjin said in Dynamic DNS broken:
Trying 10.10.10.1..
Seems like pfBlocker is blocking that? 10.10.10.1 is the IP that pfBlocker uses.
Sure never going to work if you're resolving duckdns.org to 10.10.10.1.
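A small diagnostic helper for exactly the confusion in this thread, added here as an example and not code from the thread, from pfSense or from pfBlockerNG: it reads the output of a `curl -v` run and reports whether the certificate failure happened against a private (RFC 1918) address, which points at a local DNS block or sinkhole such as pfBlockerNG's 10.10.10.1, or against a public address, which is a real CA-bundle or server-chain problem. The three sample outputs embedded below are constructed for the demo (the first is a trimmed version of the failing run above; 203.0.113.10 is a TEST-NET documentation address), and the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread, pfSense or pfBlockerNG):
# classify a "curl -v https://host" run so that a DNS sinkhole is not
# mistaken for a missing CA certificate on the box.

# RFC 1918 ranges: a public hostname resolving here almost always means a
# local DNS block/sinkhole answered instead of the real server.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads curl -v output on stdin and prints one of:
#   ok              curl reported "SSL certificate verify ok"
#   sinkhole <ip>   cert failure, but the connection went to a private IP
#   ca-trust <ip>   cert failure against a public IP: check the CA bundle
#   unknown         none of the markers were found
classify_curl_verbose() {
    out=$(cat)
    # First "Trying a.b.c.d..." line. curl prefixes it with "*"; forum
    # pastes sometimes render that as "-", so accept both.
    ip=$(printf '%s\n' "$out" \
        | sed -n 's/^[*-][[:space:]]*Trying \([0-9][0-9.]*\)\.\.\..*/\1/p' \
        | head -n 1)
    if printf '%s\n' "$out" | grep -q 'SSL certificate verify ok'; then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'SSL certificate problem'; then
        if [ -n "$ip" ] && is_private_ipv4 "$ip"; then
            echo "sinkhole $ip"
        else
            echo "ca-trust ${ip:-unknown-ip}"
        fi
    else
        echo unknown
    fi
}

# Constructed sample: the failing run from the thread, trimmed.
SAMPLE_SINKHOLE='* Trying 10.10.10.1...
* Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate'

# Constructed sample: a good run against a public address.
SAMPLE_OK='* Trying 52.34.175.25...
* Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
* SSL certificate verify ok.'

# Constructed sample: public (TEST-NET-3) address, chain still fails, i.e.
# a genuine trust-store or server-chain problem rather than DNS.
SAMPLE_CA='* Trying 203.0.113.10...
* Connected to example.invalid (203.0.113.10) port 443 (#0)
* SSL certificate problem: unable to get local issuer certificate'

# Demo over the three constructed samples.
for s in "$SAMPLE_SINKHOLE" "$SAMPLE_OK" "$SAMPLE_CA"; do
    printf '%s\n' "$s" | classify_curl_verbose
done
```

To use it on the box, save the file, source it in a shell (`. ./ddns_check.sh`) and pipe a live run into it: `curl -v https://www.duckdns.org 2>&1 >/dev/null | classify_curl_verbose`. A `sinkhole` result means the fix belongs in the resolver or block lists (compare with what `drill` or `host www.duckdns.org` returns from the firewall), not in the CA bundle at /usr/local/share/certs/ca-root-nss.crt.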
-
@johnpoz Good spot, I will have a play around with pfBlocker and see if I can fix the problem that way.
-
@johnpoz Yep that was certainly the issue, when I turned off some of the easylists I had (relatively) recently enabled I could update it just fine! Thank you for your help