Dynamic DNS broken



  • I've been using a custom DuckDNS dynamic DNS entry for a few years, and it has all been working fine. Recently I had trouble accessing my OpenVPN server on pfSense; when I logged into the Web GUI, it was because the cached IP address on the dynamic DNS was incorrect and red. I tried a save and update to manually force it, and I restarted pfSense. Neither helped get it to go green again.

    Googled the problem, turned on verbose logging, and ran

    clog /var/log/system.log | grep -i dns
    

    and the result I got was

    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): ((IP removed)) extracted from local system.
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS (): running get_failover_interface for wan. found pppoe0
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _update() starting.
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Sending request to: https://www.duckdns.org/update?domains=((removed))&token=((removed))&ip=((removed))
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Dynamic DNS custom (): _checkStatus() starting.
    Sep 10 19:19:17 pfSense php-fpm[40269]: /services_dyndns_edit.php: Curl error occurred: SSL certificate problem: unable to get local issuer certificate
    

    Further googling hasn't helped, any ideas on how to fix?


  • Rebel Alliance Global Moderator

    @jtjin said in Dynamic DNS broken:

    Curl error occurred: SSL certificate problem: unable to get local issuer certificate

    What version of pfsense are you using?



  • Latest Stable 2.4.X

    2.4.3_1 to be precise.


  • Rebel Alliance Global Moderator

    The way I am reading that, it has a problem with the SSL cert not being validated? Unless I'm reading it wrong?


  • Rebel Alliance Global Moderator

    I just did a curl from pfsense with -v to see the details of the https

    curl -v https://www.duckdns.org

    * Rebuilt URL to: https://www.duckdns.org/
    *   Trying 52.34.175.25...
    * TCP_NODELAY set
    * Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/share/certs/ca-root-nss.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: OU=Domain Control Validated; CN=duckdns.org
    *  start date: May 9 13:52:12 2018 GMT
    *  expire date: Jul 8 12:46:00 2019 GMT
    *  subjectAltName: host "www.duckdns.org" matched cert's "www.duckdns.org"
    *  issuer: C=US; ST=Arizona; L=Scottsdale; O=Starfield Technologies, Inc.; OU=http://certs.starfieldtech.com/repository/; CN=Starfield Secure Certificate Authority - G2
    *  SSL certificate verify ok.

    Can you try that from your pfsense box.



  • @johnpoz
    Mine has come out differently to yours:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    *   Trying 10.10.10.1...
    * TCP_NODELAY set
    * Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/share/certs/ca-root-nss.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    { [109 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [1403 bytes data]
    * TLSv1.2 (OUT), TLS alert, Server hello (2):
    } [2 bytes data]
    * SSL certificate problem: unable to get local issuer certificate
    * stopped the pause stream!
    
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html
    
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

  • Rebel Alliance Global Moderator

    @jtjin said in Dynamic DNS broken:

    Trying 10.10.10.1..

    Seems like pfBlocker is blocking that? 10.10.10.1 is the IP that pfBlocker uses.

    Sure never going to work if you're resolving duckdns.org to 10.10.10.1.
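
    The diagnosis in the post above (a public hostname resolving to the pfBlockerNG DNSBL address, with the "unable to get local issuer certificate" error only a symptom of that) can be checked mechanically before anyone starts replacing CA bundles. The script below is an added example, not code from this thread or from pfSense or pfBlockerNG. It assumes the DNSBL VIP is 10.10.10.1 as in the thread (override with the DNSBL_VIP environment variable) and treats any RFC1918 address for a public hostname as a sinkhole. The curl transcripts embedded in it are constructed, modelled on the two runs posted above.

```shell
#!/bin/sh
# Classify a `curl -v` transcript: was the TLS failure a real trust-store
# problem, or did the name resolve to a sinkhole address in the first place?
# Added example; not part of pfSense. Run on the pfSense shell (POSIX sh).

# Assumed pfBlockerNG DNSBL virtual IP (10.10.10.1 in this thread).
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"

# Constructed transcript: name resolved to the DNSBL VIP (the failing run above).
SAMPLE_SINKHOLE='*   Trying 10.10.10.1...
* TCP_NODELAY set
* Connected to www.duckdns.org (10.10.10.1) port 443 (#0)
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate'

# Constructed transcript: public address, verification succeeded (the good run above).
SAMPLE_OK='*   Trying 52.34.175.25...
* Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
* SSL certificate verify ok.'

# Constructed transcript: public address but the chain really does not validate,
# e.g. a stale ca-root-nss bundle. This case is NOT fixed by touching DNSBL.
SAMPLE_CERTERROR='*   Trying 52.34.175.25...
* Connected to www.duckdns.org (52.34.175.25) port 443 (#0)
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate'

# Extract the address curl actually connected to from a
# "* Connected to HOST (IP) port N (#0)" line.
connected_ip() {
    printf '%s\n' "$1" | sed -n 's/^\* Connected to [^ ]* (\([^)]*\)).*/\1/p' | head -n 1
}

# True (exit 0) when the address is the DNSBL VIP or RFC1918 private space:
# a public name such as www.duckdns.org should never resolve there, so any
# certificate error that follows is a symptom of the DNS answer, not of the CA store.
is_sinkhole() {
    ip="$1"
    [ "$ip" = "$DNSBL_VIP" ] && return 0
    case "$ip" in
        10.*)                                 return 0 ;;
        192.168.*)                            return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print one word for a transcript:
#   ok        - verification succeeded
#   sinkhole  - cert error against a private/DNSBL address: fix DNS (pfBlockerNG), not certs
#   certerror - cert error against a public address: a genuine trust-store/chain problem
#   unknown   - transcript carried neither verdict
diagnose() {
    out="$1"
    ip=$(connected_ip "$out")
    if printf '%s\n' "$out" | grep -q 'SSL certificate verify ok'; then
        echo ok
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'SSL certificate problem'; then
        if [ -n "$ip" ] && is_sinkhole "$ip"; then
            echo sinkhole
        else
            echo certerror
        fi
        return 0
    fi
    echo unknown
}

# Stand-alone demonstration on the constructed transcripts.
for s in SAMPLE_SINKHOLE SAMPLE_OK SAMPLE_CERTERROR; do
    eval "t=\$$s"
    printf '%-17s -> %s (connected to %s)\n' "$s" "$(diagnose "$t")" "$(connected_ip "$t")"
done
```

Against a live box, feed it the real transcript: `diagnose "$(curl -sv https://www.duckdns.org 2>&1)"` (curl writes the verbose trace to stderr, hence the redirect; `-s` drops the progress meter that was interleaved in the output posted above). A `sinkhole` verdict means the hostname is on an enabled DNSBL feed and the fix lives in pfBlockerNG (whitelist the domain or drop the feed); only a `certerror` verdict justifies looking at the CA bundle or the server's chain.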



  • @johnpoz Good spot. I will have a play around with pfBlocker and see if I can fix the problem that way.



  • @johnpoz Yep, that was certainly the issue. When I turned off some of the easylists I had (relatively) recently enabled, I could update it just fine! Thank you for your help.