Bug #12589
closedDynamic DNS updates do not respect certificate authority trust store
100%
Description
I use a "Custom" DDNS service to register my dynamic home IP address as a subdomain of my dedicated server domain (static IP address). I administer both ends of the DDNS system.
I created a local pfSense CA and then used it to sign a certificate that I then installed on my web server. The Trust Store option (Add this Certificate Authority to the Operating System Trust Store) in the pfSense CA entry is checked (yes). However, the DDNS update returns an error: "rc.dyndns.update: Curl error occurred: SSL certificate problem: unable to get local issuer certificate"
Investigating, I found my custom CA was added to the Trust Store (in /etc/ssl/certs/b1f33eb6.0
), but curl-config --ca
points elsewhere: /usr/local/share/certs/ca-root-nss.crt
I have a workaround by setting CURLOPT_CAPATH:
--- dyndns.class.old 2021-05-28 04:35:21.000000000 -0700
+++ dyndns.class 2021-12-13 15:01:34.967570000 -0800
@@ -946,6 +946,7 @@
}
if ($this->_curlSslVerifypeer) {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
+ curl_setopt($ch, CURLOPT_CAPATH, "/etc/ssl/certs/");
} else {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
}
However, I am not sure this workaround is a true fix, since I think this option completely changes the search path (rather than appending).
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.6.0
- Plus Target Version set to 22.01
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 7054b63fc56fec307577c978d10f88e552141e53.
Updated by Jim Pingle about 3 years ago
- Subject changed from DDNS service does not use local CA to Dynamic DNS updates do not respect certificate authority trust store
Updating subject for release notes.
Updated by Marcos M about 3 years ago
Do we know if the path is replaced rather than appended to? Is it an issue?
Updated by Viktor Gurov almost 3 years ago
Marcos Mendoza wrote in #note-5:
Do we know if the path is replaced rather than appended to? Is it an issue?
It's appended to the default /etc/ssl/cert.pem store (CURLOPT_CAINFO), and only for Custom/Custom (v6) providers