Dynamic DNS broken

jTJin

I've been using a custom DuckDNS dynamic DNS entery for a few years, all been working fine. Recently I had trouble accessing my OpenVPN server on pfSense, when I logged into the Web GUI, it was because the cached IP address on the dynamic DNS was incorrect and red. I tried a save and update to manual force it, I restarted pfSense. Neither helped get it to go green again.

Googled the problem turned on verbose logging, ran

clog /var/log/system.log | grep -i dns

and the result I got was

Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): ((IP removed)) extracted from local system.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS (): running get_failover_interface for wan. found pppoe0
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _update() starting.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Sending request to: https://www.duckdns.org/update?domains=((removed))&token=((removed))&ip=((removed))
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _checkStatus() starting.
Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate

Further googling hasn't helped, any ideas on how to fix?

johnpoz

@jtjin said in Dynamic DNS broken:

Curl error occurred: SSL certificate problem: unable to get local issuer certificate

What version of pfsense are you using?

jTJin

Latest Stable 2.4.X

2.4.3_1 to be precise.

johnpoz

The way I am reading that it has problem with the ssl cert not being validated? Unless reading it wrong?

johnpoz

I just did a curl from pfsense with -v to see the details of the https

curl -v https://www.duckdns.org

• Rebuilt URL to: https://www.duckdns.org/
• Trying 52.34.175.25...
• TCP_NODELAY set
• Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
• successfully set certificate verify locations:
• CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
• TLSv1.2 (OUT), TLS header, Certificate Status (22):
• TLSv1.2 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS change cipher, Client hello (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS change cipher, Client hello (1):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
• ALPN, server accepted to use h2
• Server certificate:
• subject: OU=Domain Control Validated; CN=duckdns.org
• start date: May 9 13:52:12 2018 GMT
• expire date: Jul 8 12:46:00 2019 GMT
• subjectAltName: host "www.duckdns.org" matched cert's "www.duckdns.org"
• issuer: C=US; ST=Arizona; L=Scottsdale; O=Starfield Technologies, Inc.; OU=http://certs.starfieldtech.com/repository/; CN=Starfield Secure Certificate Authority - G2
• SSL certificate verify ok.

Can you try that from your pfsense box.

jTJin

@johnpoz
Mine has come out differently to yours:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.10.10.1...
* TCP_NODELAY set
* Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1403 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

johnpoz

@jtjin said in Dynamic DNS broken:

Trying 10.10.10.1..

Seems like pfblocker blocking that? 10.10.10.1 is the IP that pfblocker uses

Sure never going to work if your resolving duckdns.org ro 10.10.10.1

jTJin

@johnpoz Good spot, I will have a play around with pfBlocker and see if I can fix the problem that way.

jTJin

@johnpoz Yep that was certainly the issue, when I turned off some of the easylists I had (relatively) recently enabled I could update it just fine! Thank you for your help