    Dynamic DNS broken

      jTJin

      I've been using a custom DuckDNS dynamic DNS entry for a few years, all been working fine. Recently I had trouble accessing my OpenVPN server on pfSense, when I logged into the Web GUI, it was because the cached IP address on the dynamic DNS was incorrect and red. I tried a save and update to manually force it, I restarted pfSense. Neither helped get it to go green again.

      Googled the problem, turned on verbose logging, ran

      clog /var/log/system.log | grep -i dns
      

      and the result I got was

      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): ((IP removed)) extracted from local system.
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS (): running get_failover_interface for wan. found pppoe0
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _update() starting.
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Sending request to: https://www.duckdns.org/update?domains=((removed))&token=((removed))&ip=((removed))
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _checkStatus() starting.
      Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate
      

      Further googling hasn't helped, any ideas on how to fix?

        johnpoz LAYER 8 Global Moderator

        @jtjin said in Dynamic DNS broken:

        Curl error occurred: SSL certificate problem: unable to get local issuer certificate

        What version of pfsense are you using?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jTJin

          Latest Stable 2.4.X

          2.4.3_1 to be precise.

            johnpoz LAYER 8 Global Moderator

            The way I am reading that, it has a problem with the SSL cert not being validated? Unless I'm reading it wrong?

              johnpoz LAYER 8 Global Moderator

              I just did a curl from pfsense with -v to see the details of the https

              curl -v https://www.duckdns.org

              * Rebuilt URL to: https://www.duckdns.org/
              * Trying 52.34.175.25...
              * TCP_NODELAY set
              * Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
              * ALPN, offering h2
              * ALPN, offering http/1.1
              * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
              * successfully set certificate verify locations:
              * CAfile: /usr/local/share/certs/ca-root-nss.crt
                CApath: none
              * TLSv1.2 (OUT), TLS header, Certificate Status (22):
              * TLSv1.2 (OUT), TLS handshake, Client hello (1):
              * TLSv1.2 (IN), TLS handshake, Server hello (2):
              * TLSv1.2 (IN), TLS handshake, Certificate (11):
              * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
              * TLSv1.2 (IN), TLS handshake, Server finished (14):
              * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
              * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
              * TLSv1.2 (OUT), TLS handshake, Finished (20):
              * TLSv1.2 (IN), TLS change cipher, Client hello (1):
              * TLSv1.2 (IN), TLS handshake, Finished (20):
              * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
              * ALPN, server accepted to use h2
              * Server certificate:
              * subject: OU=Domain Control Validated; CN=duckdns.org
              * start date: May 9 13:52:12 2018 GMT
              * expire date: Jul 8 12:46:00 2019 GMT
              * subjectAltName: host "www.duckdns.org" matched cert's "www.duckdns.org"
              * issuer: C=US; ST=Arizona; L=Scottsdale; O=Starfield Technologies, Inc.; OU=http://certs.starfieldtech.com/repository/; CN=Starfield Secure Certificate Authority - G2
              * SSL certificate verify ok.

              Can you try that from your pfsense box.

                jTJin @johnpoz

                @johnpoz
                Mine has come out differently to yours:

                  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                                 Dload  Upload   Total   Spent    Left  Speed
                
                  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.10.10.1...
                * TCP_NODELAY set
                * Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
                * ALPN, offering h2
                * ALPN, offering http/1.1
                * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
                * successfully set certificate verify locations:
                *   CAfile: /usr/local/share/certs/ca-root-nss.crt
                  CApath: none
                * TLSv1.2 (OUT), TLS header, Certificate Status (22):
                } [5 bytes data]
                * TLSv1.2 (OUT), TLS handshake, Client hello (1):
                } [512 bytes data]
                * TLSv1.2 (IN), TLS handshake, Server hello (2):
                { [109 bytes data]
                * TLSv1.2 (IN), TLS handshake, Certificate (11):
                { [1403 bytes data]
                * TLSv1.2 (OUT), TLS alert, Server hello (2):
                } [2 bytes data]
                * SSL certificate problem: unable to get local issuer certificate
                * stopped the pause stream!
                
                  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
                * Closing connection 0
                curl: (60) SSL certificate problem: unable to get local issuer certificate
                More details here: https://curl.haxx.se/docs/sslcerts.html
                
                curl failed to verify the legitimacy of the server and therefore could not
                establish a secure connection to it. To learn more about this situation and
                how to fix it, please visit the web page mentioned above.
                  johnpoz LAYER 8 Global Moderator @jTJin

                  @jtjin said in Dynamic DNS broken:

                  Trying 10.10.10.1..

                  Seems like pfblocker blocking that? 10.10.10.1 is the IP that pfblocker uses

                  Sure never going to work if you're resolving duckdns.org to 10.10.10.1

                    jTJin @johnpoz

                    @johnpoz Good spot, I will have a play around with pfBlocker and see if I can fix the problem that way.

                      jTJin @johnpoz

                      @johnpoz Yep that was certainly the issue, when I turned off some of the easylists I had (relatively) recently enabled I could update it just fine! Thank you for your help
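
An added example, not part of any post in this thread: a small shell triage of saved `curl -v` output that separates the cause found here (a public hostname answered from a private sinkhole address, so the certificate cannot chain to a public CA) from a genuine CA bundle problem. The function names are hypothetical and the sample lines are constructed from the failing output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage saved `curl -v` output for the
# failure mode diagnosed above. Function names are hypothetical.

# is_private_ip ADDR: succeeds for RFC 1918, loopback and link-local IPv4,
# the ranges a DNSBL sinkhole address such as 10.10.10.1 falls into.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_curl_log: reads `curl -v` output on stdin, prints "<verdict> <peer-ip>".
triage_curl_log() {
    log=$(cat)
    # Peer address from "* Connected to <host> (<ip>) port 443 (#0)".
    ip=$(printf '%s\n' "$log" |
        sed -n 's/.*Connected to [^ ]* (\([0-9.]*\)) port.*/\1/p' | head -n 1)
    ip=${ip:-unknown}
    if printf '%s\n' "$log" | grep -q 'SSL certificate verify ok'; then
        echo "ok $ip"
    elif ! printf '%s\n' "$log" | grep -q 'SSL certificate problem'; then
        echo "no-tls-verdict $ip"
    elif is_private_ip "$ip"; then
        # Public name answered from a private address: DNS was rewritten, so
        # the certificate belongs to the sinkhole, not the real service.
        echo "sinkholed $ip"
    else
        # Public peer but the chain did not verify: look at the CA bundle.
        echo "trust-store $ip"
    fi
}

# Constructed sample: the key lines of the failing run posted in this thread.
sample_failed_run() {
    cat <<'EOF'
* Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

sample_failed_run | triage_curl_log    # sinkholed 10.10.10.1
```

A `sinkholed` verdict points at the resolver or blocklist configuration; the CA bundle path in the log is not the thing to change.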
